The cyber security challenges facing CIOs/CTOs in the UK today have been neatly summarised in CIO Insights – Key issues affecting today’s technology leaders produced by Robert Half Technology and Protiviti. Summarising the views of 100 senior IT directors from private- and public-sector organisations, the report contains the usual (but still relevant) stats about cyber risks but also manages in a few words to distil the essence of the requirements of an effective cyber security strategy.
The take-home messages are summarised as:
One size does not fit all
Traditional approaches are not working, and organisations need to stop thinking that they can plug every security gap. Instead, they need to prioritise the assets that they need to protect and make sure that data is safe. A risk-based approach needs to be applied, and this should include identifying sensitive data, assessing threats, capturing risk appetite and mitigating risks.
People are the weakest link
Cyber attacks have moved on from being simple attacks on IT systems and now include social engineering, which targets people to gain access to data. Cyber security strategy needs to change to reflect that shift in emphasis, and all staff need to be trained to adjust their behaviour accordingly. Qualified information security staff are essential, but they need to be supported by aware, ‘security-savvy’ members of staff.
The disparity between the technical knowledge of IT security and business risk managed by the board is a major problem that needs to be addressed. The danger is that boards with ‘FUD (fear, uncertainty, doubt) fatigue’ lose sight of the reputational and financial impact of cyber attacks, which continue to grow exponentially in complexity and scale. Effective information security teams may require a different mix of skills than teams have traditionally had available to them.
As with many reports of this nature, there is no explicit mention of how to devise a cyber security strategy that can accommodate the recommendations above and provide the flexibility to meet the daunting challenges of the future. Robert Half Technology provides international professional staffing services and, doubtless, with the report’s emphasis on people, they would recommend recruiting qualified cyber security professionals.
You will be unsurprised to hear me recommend the implementation of the ISO27001 standard. While ISO 27001 is a fine place to start, I would advise that all senior IT/IS managers take a broader approach and first review all of the cyber security and cyber resilience best practices and industry wisdom available. These include ISO 27001, ISO 22301, ITIL and COBIT 5. They will find that risk management is a key requirement together with the importance of people, processes and technology.
Our three-day Managing Cyber Security Risk training course provides this review and is designed to provide senior managers with the knowledge and practical skills to develop and deploy effective cyber security risk management strategies. The next classroom session is running in London, 23-25 September.