Integration and alignment of cyber security strategy with the business is no longer a matter of choice. In the wake of the recent and ever-growing number of breach incidents, it is a reality that organizations of all sizes now take very seriously, and it has become one of the core drivers of their ability to continue doing business.
The latest survey carried out by PWC on behalf of the Department of Business Innovation and Skills (BIS) reveals that 93% of large organizations and 87% of small businesses in the UK have been victims of information security breaches in the last year. On average, these numbers reflect roughly 50% more breaches than a year ago. While the cost of each individual breach varies, costs have never been higher, with large businesses averaging £450K – £850K per breach compared to £35 – £65K for smaller businesses.
It is human nature to return with renewed resolve in the face of calamity. In the case of a cyber security breach, common sense dictates translating the lessons learned into a reassessment of the overall security posture and filling any gaps by introducing or enhancing cyber security defenses that are aligned to your budget and your risk appetite. This is further strengthened by defining and agreeing success metrics with the business (a separate debate in its own right) to measure and report on ongoing performance.
While this provides the confidence that comes with an improved security posture and offers proactive defense and resilience, what is often missing from these security initiatives is a recurring review and realignment exercise to ensure the defenses are kept current. A viable security posture is always founded upon three core pillars: Technology, People and Processes. As the threat landscape continues to evolve at a tremendous pace, smart Technology (e.g. intelligence- and analytics-based solutions) seems to keep up and deliver on its promise of resilience and currency; however, gaps start to appear on the People and Processes side of the equation.
If the criterion for any true defense to prove its worth is that it stands the test of time, then it is only logical to expect all effective security programs to have an element of continuous improvement integrated at their core. For organizations to achieve this, it is wiser and more cost-effective to adopt an already established standard than to create one of their own. Depending on the organization's resource profile, such standards can be implemented and audited either in-house or with the help of third-party services. ISO 27001 is one such standard, for example, and it defines its objective as,
“to provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)”.
Evidently its adoption, or that of any other standard for that matter, should be a strategic decision, and ISO 27001 goes on to elaborate this philosophy as,
“the design and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization”.
Implementing any such standard equips the organization with the necessary tools for regular audits of People (skills), Processes (operations) and Technology (tools). If the focus is kept on benchmarking resource skill levels and operational processes against the evolving threat landscape and the corresponding enhancements to technology, these exercises will highlight any gaps and help formulate a course of action to overcome the deficiencies.
These simple controls will help businesses ensure that the core building blocks of their cyber security program are always kept in sync with the latest threat landscape. The regular checkpoints will also serve as an opportunity to maintain continuous business involvement in the cyber security strategy, which translates into maximum return on investment.