Six steps to achieving cyber resilience through better cyber security
Security should be the enabler of the digital world. The ability to detect, protect, remediate and recover from a cyber threat is critical. Cyber resilience has become an elevated topic of discussion at board level. This has received further attention as a result of the recent WannaCry ransomware global attack.
Speaking at an event focusing on cyber resilience, hosted by ContinuitySA, Sean Duffy, Executive: Cybersecurity at Dimension Data Middle East and Africa, stated: "Organisations should adopt a risk-based approach to cyber security that is aligned to each organisation's business objectives."
Cyber security risks should be elevated and managed in line with an organisation's enterprise risk programme. Cyber risk is a business responsibility and not only that of the IT department.
Furthermore, Duffy stated: "Cyber security incidents will happen and organisations need to improve the security posture from a reactive to a predictive state, thus building cyber resilience."
Duffy contends that in order to achieve a business-driven, risk-aware approach to cyber security, organisations have to begin with the business itself: understand the organisation's objectives and the aligned organisational risk appetite.
Only once this is understood can the non-technical and technical security controls be implemented. All controls that are defined need to be measurable and aligned to an industry security framework. Through this approach, organisations will be better placed to meet their operational continuity requirements.
To achieve cyber resilience, the following should be considered:
* Align IT and business to a cyber resilience strategy;
* Use a common language to enable alignment;
* Ensure board-level accountability for cyber risk and drive responsibility to C-level executives;
* IT and business must collaborate in establishing the correct balance between the organisation's risk appetite and its need to be resilient;
* IT security should move from a mind-set focused on control to promoting an integrated, comprehensive cyber strategy powered by people, processes and technology; and
* Organisations need to adopt a culture of preparation, prevention, detection, response and recovery.
"To align cyber security and business strategies to build overall cyber resilience, but without compromising operational effectiveness, is complex, and needs to be done within the overarching business resilience strategy," adds Jeremy Capell, GM: Advisory Services at ContinuitySA. "In this context, investing in specialist business resilience consulting makes excellent sense."