The cyber security challenges facing CIOs/CTOs in the UK today have been neatly summarised in CIO Insights – Managing a business-led cybersecurity strategy, produced by Robert Half Technology and Protiviti. Summarising the views of 100 senior IT directors from private- and public-sector organisations, the report contains the usual (but still relevant) stats about cyber risks but also manages, in a few words, to distil the essence of the requirements of an effective cyber security strategy.
The take-home messages of this report are:
One size does not fit all
Traditional approaches are not working, and organisations need to stop thinking that they can plug every security gap. Instead, they need to prioritise the assets they need to protect and make sure that data is safe. A risk-based approach needs to be applied, and this should include identifying sensitive data, assessing threats, capturing risk appetite and mitigating risks.
People are the weakest link
Cyber attacks have moved on from being simple attacks on IT systems and now include social engineering, which targets people to gain access to data. Cyber security strategy needs to change to reflect that shift in emphasis, and all staff need to be trained to adjust their behaviour accordingly. Qualified information security staff are essential, but they need to be supported by aware, ‘security-savvy’ members of staff.
The disparity between the technical knowledge of IT security and business risk managed by the board is a major problem that needs to be addressed. The danger is that boards with ‘FUD (fear, uncertainty, doubt) fatigue’ lose sight of the reputational and financial impact of cyber attacks, which continue to grow exponentially in complexity and scale. Effective information security teams may require a different mix of skills than teams have traditionally had available to them.
As with many reports of this nature, there is no explicit explanation of how to devise a cyber security strategy that can accommodate the recommendations above and provide the flexibility to meet the daunting challenges of the future. Robert Half Technology provides international professional staffing services and, given the report’s emphasis on people, would doubtless recommend recruiting qualified cyber security professionals.
Managing cyber security risk
As I work for a company dedicated to proliferating ISO 27001 information security management best practice, it will come as no surprise that I recommend implementing this standard. While ISO 27001 is a fine place to start, I would advise all senior IT/IS managers to take a broader approach and first review all of the cyber security and cyber resilience best practices and industry wisdom available. These include ISO 27001, ISO 22301, ITIL® and COBIT 5®. They will find that risk management is a key requirement of each, and that all of them emphasise the importance of people, processes and technology.
Our three-day Managing Cyber Security Risk training course provides this review and is designed to provide senior managers with the knowledge and practical skills to develop and deploy effective cyber security risk management strategies. The next classroom session is running in London, 22-24 March.