In my previous posts — Cybersecurity Strategy Series – Part 1: Setting the Context and Cybersecurity Strategy Series – Part 2: Options for an Effective Cybersecurity Strategy — I observed how current models for protecting organisations from cyber-attacks are less and less able to do their part. If cybersecurity is to become a pervasive component of each organisation dealing with digital business, it must be interwoven by design into its very fabric. It is too often considered a mere bolt-on capability, steered by compliance and handled by IT, with a special focus on technology. As such, it is generally perceived as a technicality, an unpleasant “must-have” and an extra cost to minimise, aggravated by the fact that, since special competence is required, applicability and scalability become serious issues.
The examples I proposed in my previous post point in one direction, which represents a new state of awareness on the part of the organisation’s senior management – commencing with the Board of Directors – about the concept of digital assets and their varied relevance and value for the organisation and possible attackers alike. Below, a checklist is provided to set the road-map towards a cyber-resilient organisation:
Know your most valuable jewels, and act accordingly.
Actual knowledge about an organisation’s relevant data and the associated business risk levels is generally scarce, if it exists at all. Data ownership is not a widespread concept among business organisations; less still is it understood that management at all levels should feel and take responsibility for the integrity and protection of relevant data across the entire value chain.
Data protection, well before becoming a technical issue, is a management issue, and a most relevant one. Focusing primarily on data that is truly important for the organisation avoids the mistake of “flattening” the view, i.e. applying organisation-wide rules and actions indiscriminately, which are worthless in the first place, exceedingly expensive and oftentimes ineffective. This approach, however, demands a new, co-operative approach among all levels of management, operations and those who are on the front line. Each category and each single actor must share a common view, partake of a common objective and be educated with these objectives in mind. This is clearly not the bread and butter of traditional IT professionals, and must be initiated by the CEO him- or herself.
Cybersecurity is no technology whim, but effective business risk; appreciate this fact, and act accordingly.
Assessing the likelihood of cyber-attacks, their impact on the diverse business components and their possible implications across the organisation should be integrated with other risk analyses and regularly disclosed to senior management for review and discussion. Improving the cyber-resilience of an organisation is not a simple, clean-cut action. There is no silver bullet, nor shortcut. It is a never-ending story, in fact.
So, the deeper the integration of all the elements that make the recipe palatable for an organisation, the better off it will be. This implies tight integration and collaboration across a broad array of business actors and functions, whether internal to the organisation or within the broader ecosystem of business partners, suppliers and – last, but not quite the least – customers.
How do you give those whom you do not control an incentive to comply with new practices?
Although senior management has a say and the means, through education and the levers available to enforce policies on the organisation’s employees, its actions should not be restricted to the limited boundaries of what is perceived as the natural perimeter of the organisation. Outside that fictitious boundary, risks remain unresolved and – worse still – unknown.
So, co-operation with other organisations and entities becomes necessary. The drivers and benefits that lure business partners into knowingly and actively participating in a common effort, which might yield differently valued returns for the various partners, are not exactly easy to define and gauge. A common understanding of the relevance of the issue, however, is always a prerequisite and a solid starting point. For instance, co-operating with ISO 27001-certified organisations should in principle provide a common starting ground, shared and understood by all parties, which allows you to build a higher-level, co-operative cyber-defence strategy, to mutual advantage and support.
What about the consumer?
Well, the last mile is always the trickiest element in every big picture, and in this case it is commercially advisable – if not mandatory – to consider competing elements, such as the appeal and ease of use of the application, which push cyber-security considerations into an ancillary role.
Educating thousands or millions of consumers is neither a practical process nor an affordable practice. In this perspective, the organisation should consider reaching out to the consumer, wrapping him or her within its own Linus’ cyber-security blanket. In several situations, where the risk levels justify the approach, this choice may represent a competitive advantage if done and proposed properly.
Cyber-resilience does not come for free, nor can it be purchased as an out-of-the-box product. It is a characteristic of the organisation, the end result of investment in education, best practices and technology across the organisation and out into the organisation’s ecosystem. Only the board and senior management can solve the problem, co-operatively, because of the relevance and pervasiveness of the issues the organisation must face.
Interestingly, for good and bad, cyberspace resembles the Old Wild West. So, beware of bandits and those who sell bottles promising immediate, miraculous effects!