Times are unsteady. Corporate budgets are stretched, but there’s major pressure to adopt technological innovation and harvest the potential benefits of digital transformation. This ambition sits uneasily against a backdrop of disruption caused by the pandemic, shifting geopolitical relations, and an increasingly challenging regulatory burden. A fresh approach is needed to navigate this uncertain environment.
We delve into some of the main cyber challenges facing business leaders today and ask Steve Durbin, Managing Director of the Information Security Forum (ISF), for practical advice on how to overcome them.
How can organisations best prioritise their available funds?
Steve Durbin: Corporate budgets are under exceptional strain right now, and that can impact heavily on cybersecurity budgets. To get maximum value from the money that you do have, start by carrying out information risk assessments, so you can create a list of prioritised risks and then investigate the most effective ways to mitigate them. An in-depth assessment that highlights the most damaging threats will arm you with the facts you need to present a compelling business case to upper management and secure the investment that is required.
How can management build business resilience?
Begin by assessing where your business is in terms of cyber resilience. Are your current security standards commensurate with your level of acceptable risk? Model potential crises, starting with the most catastrophic possible events. Build clear plans to minimise disruption and get your business back to normal operation as swiftly as possible.
Ensure that your crisis management and business continuity plans are fit for purpose by testing them regularly. Running through different scenarios will reveal any gaps that need to be addressed. To ensure resilience, you also need to continually update and improve your policies based on new information, factoring in any changes in the business and learning from any security incidents that do occur.
What is the best approach to compliance?
Failure to comply fully with regulations could prove very costly. The ability to demonstrate your level of compliance is also essential nowadays. Instead of retrofitting and box-ticking, be proactive in identifying cyber risk as it emerges by focusing on the protection of business-critical data and systems. Simply reacting to meet the latest requirements is short-term thinking when a risk-based approach to compliance will serve you best.
How can organisations best adapt to remote working?
Working from home is the new reality. As people adjust to unfamiliar technologies and working practices, cyber criminals are trying to take advantage of the uncertainty and exploiting worker’s insecurities. A comprehensive approach to remote working will blend technical controls and clear processes with consideration of the human element. It’s vital to support and educate people. Listen to their concerns and try to strike the right balance between convenience and security. You also need some form of continuous monitoring in place so you can effectively assess remote working environments.
As supply chains inevitably change, how should organisations maintain security standards?
Supply chain management is challenging. You always need to consider how to protect critical information and manage third-party relationships securely. Flexibility in the modern supply chain is essential, but it means collaborating with an ever-changing cast of partner organisations. There is also a need to innovate and seize new opportunities, which can be at odds with maintaining a strong secure posture.
Draft a set of security controls and mechanisms that you can use during the procurement process, so you can establish secure relationships with new partners from the outset. Consider how to track and continually assess your supplier’s performance. Take the time to understand what contractual obligations exist should you decide to switch suppliers or terminate a relationship.
How can in-house security teams make the most of available budgets?
Where many security teams may have sought external assistance in the past, there’s now a need to handle more in-house. Research best practices and guidelines, adapt and deploy frameworks for identifying information risk in critical systems, and seek out effective tools to monitor and measure your progress over time. Employ automation where possible to free up skilled staff so they can focus on more complex tasks. Set aside time and money for training and development to improve your security team.
How do organisations focus on core, critical systems, and capabilities?
Faced with the prospect of doing more with less, it’s crucial that organisations are laser-focused on their core capabilities and services. To start this process, you must identify precisely what those are. Agree on business-critical systems with key stakeholders across the enterprise and rank them, so you can focus your security efforts where they add the most value.
How can organisations innovate without introducing security weaknesses?
The pressure to innovate is immense, but that rush to market as businesses strive to remain a step ahead of the competition often introduces cyber security weaknesses. It’s vital not to forget or sidestep your security policies. Adhere to principles, keep trying to identify and address potential exposures, and continually monitor the effectiveness of your cyber security controls.
The ISF offers a set of tools and services that can help organisations address these challenges.