Cyber Security: Answering Tomorrow’s Problems Today
In 2014, cyber security challenges will be the scourge of international business and its boardrooms. As businesses struggle to grow and prosper, their risk agenda remains in constant flux, driven by the rapid pace of technological innovation.
So how should UK companies respond to cybercrime?
1. Improve their defences and protect their ‘crown jewels’
Many organisations have made substantial progress in improving their defences. In our most recent Global Information Security Survey (2013), 60% of respondents believe that their security operations are mature. Point solutions, in particular — antivirus, intrusion detection systems, intrusion prevention systems, patching and encryption — all show levels of maturity. These solutions remain a key control for combating today’s known attacks. However, they become less effective over time as hackers find new ways to circumvent controls, and this is one of the major challenges businesses face.
2. Invest, invest, invest
Vendor-supported solutions are easy to use but come with expensive licensing and support fees. In the continued climate of constrained investment funds as the economy rises from a recession, it is essential for those investing in security solutions to optimise the efficiency of spend and find the right balance between spend on technical solutions and implementation of governance and process. Therefore, whilst 52% of companies surveyed intend to increase spend on security over the next 12 months, they should ensure that they allocate resources to secure some quick wins and demonstrate value to the business: this will lay the groundwork for increased investment in the future.
3. Put in place a strategy to gain boardroom support
Companies must develop a governance framework for elevating security issues and evaluating their impact to the business so that appropriate risk handling can be applied. A major weakness in the approach to cyber risk and cyber security to date has been the tendency to isolate it as a specific threat involving IT. This creates a vacuum in an essential chain of necessary response – as cyber risk has become equated with operational risk rather than strategic risk – that involves the entire business in a holistic manner.
Leadership must be on board. A bottom-up or grassroots approach to security has a minimal chance of survival and an even smaller chance of success. Without clear executive support, a Security Operations Centre (SOC) may be ineffective, and its value will not be realised. Creating an effective SOC requires support to establish a clear charter for the SOC and a long-term strategy, and also a strong SOC leader to drive organisational change and develop a culture of security.
It is therefore heartening that more recently we have seen a trend towards board level ownership of cyber security with 20% of CEOs and 28% of CFOs across the FTSE 350 now having ultimate accountability for cyber security in the recent UK Government Cyber Security Healthcheck.
This trend enables overarching business risks rather than technical risks to be managed; it requires cyber security functions to both align their efforts to the wider business strategy and also understand the impacts of cyber security breaches in a business context.
The new lingua franca of the modern cyber security professional is that of risk management rather than policy compliance. However, this represents a challenge to a profession that has for years focused on ensuring risks are nullified through policy-based controls, and it will require a new modus operandi to be adopted.
What are the challenges that lie ahead for business in the fight against cybercrime?
1. There needs to be far greater collaboration on an international scale.
One of the major challenges associated with cyber security is its global nature. The majority of companies responding to the UK Government FTSE 350 Cyber Governance Healthcheck Tracker Report 2013 generate over half their sales outside the UK, revealing their market globalisation and – more importantly – their exposure to international threats.
In the UK, it remains a concern that very few respondents have signed up to the World Economic Forum’s Partnering for Cyber Resilience principles. Looking beyond our shores, this figure drops to a mere 100 companies globally from 25 countries. In order for UK plc to protect itself it needs to ensure its partners and those involved further down the supply chain are adequately protected as well.
To tackle this challenge we need new ways of thinking and different modes of operation. Collaboration, including across borders, is essential on many levels to design future capabilities in order to ensure cyber resilience.
2. Ensuring we have the necessary talent to draw upon
Crossing the existing boundaries of perspective and approach to cyber security also demands a different approach to education. As part of its Cyber Security Challenge, the UK government is reaching out to school children to give them an opportunity to develop cyber skills and demonstrate them in a competitive environment.
The Open University will also offer, by summer 2014, a Massive Open Online Course (MOOC) in cyber security, with a capacity to reach 200,000 (both domestic and overseas students). However, much more can be done; for example, MBA programmes urgently need to consider the integration of cyber risk from a commercial perspective.
3. New research
It is essential that research is conducted into enabling new business through the safe adoption of cyberspace rather than solely pursuing a risk management agenda. Such research will ensure that cyber security professionals are provided with guidance in their transition from policy and compliance managers to business risk leaders, able to align strategies to the business and provide opportunities for their businesses to reap the true benefits from the investment in traditionally defensive solutions.
Final words on cyber security
The blistering pace of technology change and the cyber threats that come with it are only going to accelerate. However, there is a tremendous opportunity for businesses to turn the challenge around. The risks associated with it must not be viewed solely as risks, but more innovatively, as opportunities for business to benefit by leveraging technology better. Cyber security can make good business sense and those businesses embracing cyber opportunities stand to gain significant advantage in an ever more competitive global marketplace.