Is cyber resilience the new objective for modern boardrooms?

Highlights from the international cyber summit ‘New Standards in the Global Cyber War’ hosted by IT Governance in London on 8 May 2014.


On 8 May 2014 IT Governance brought together a host of high-calibre industry leaders to discuss the role of cyber security frameworks, notably ISO27001, PCI DSS and the UK Government’s Cyber Essentials Scheme, as weapons in the cyber war. Symbolically held at the Churchill War Rooms in London, the event attracted an impressive mixture of organisations eager to hear what leading experts and the government had to say about the newest strategies for dealing with the growing cyber threat.

The event was packed with informative and insightful presentations by IT Governance, BSI, AXELOS, ISACA, BIS and other guest speakers. I have no doubt that the industry insights gained and concepts discussed at the event will be useful not only to those who attended, but to our broader audience. Therefore, I have attempted to provide a concise but useful summary of the event highlights below.

Cyber resilience – the new objective for modern boardrooms

One key message I took away, and one that underpinned most of the presentations, was the importance of cyber resilience. Cyber resilience is increasingly critical and is now seen as the new objective for modern boardrooms.

But what is it, and how can it be achieved?

Cyber security alone is no longer sufficient to ensure business sustainability: organisations must also put measures in place to respond to and recover from cyber attacks. While cyber security helps defend against potential attacks, the board must accept that sooner or later an attack will succeed. An organisation’s resilience, its ability to keep operating and recover when that happens, will be key to its survival. It can be built using the best practice guidance provided by the international information security standard, ISO27001, and the business continuity standard, ISO22301.

Alan Calder, Founder and Executive Chairman of IT Governance, highlighted the lack of prioritisation of cyber security at board level. He stressed the importance of reviewing how an organisation plans and spends its security budget, stating that 10% of the overall IT budget is no longer sufficient, and added that well-directed cyber security expenditure is crucial to being cyber secure. He also stressed the importance of governance in cyber security and the increasing need to improve resilience rather than security alone. Calder discussed the importance of international standards and the key role they can play in maintaining cyber resilience in the future.

Neira Jones, an information security expert and ISO27001 and PCI DSS champion, gave an interactive presentation about the Target data breach, unpacked its devastating repercussions and explained why the breach occurred even though, as the company claims, it was PCI-compliant at the time. She pointed out that the Verizon Data Breach Investigations Report has found that nearly all data breaches fall into just nine attack patterns. She drew parallels between the PCI DSS and ISO27001, and explained the importance of understanding your organisation’s information security needs, its risk and threat profile, its supply chain and its information assets in order to take appropriate measures to protect the business from future threats.

Mike Edwards, Management System Tutor at BSI, explained that with the launch of the international business continuity standard ISO22301 there is now a great deal of synergy between management system standards. ISO27001 and ISO22301 share the same high-level structure (the Annex SL structure adopted by newer management system standards), which facilitates their holistic implementation at the organisational level.

Nick Wilding, Head of Cyber Resilience at AXELOS, stressed that “it is in our interest to increase organisational resilience.” He pointed out that cyber risk should be at the top of any company’s risk list. Companies should be aware that exploiting the benefits of the digital age comes with significant risk from cyber criminals. The market is looking for protection, guidance, alignment, clarity, prioritisation and confidence.

To meet these needs, AXELOS is creating a cyber resilience best practice assessment tool, part of its new cyber security best practice portfolio, which aims to help organisations better prepare themselves to deal with an increasing range of threats.

Sarb Sembi, Chair of the Government and Regulatory Advocacy Regional Subcommittee for the Area of Europe and Africa at ISACA, reiterated the benefits of aligning management system standards, a high-level process enabled by the COBIT®5 framework. In particular, there has been considerable convergence between COBIT 5 and ISO27001. He mentioned that, although there is no official mapping between ISO27001 and COBIT at present, there are plans to produce an official mapping document between the two in the future.

Information security needs a structure

Bridget Kenyon, Head of Information Security at University College London (UCL), highlighted the importance of structure in dealing with information security. According to Kenyon, ISO27001 gives you that structure because it provides:

  • A framework for managing external requirements for information security.
  • A way to combine this with local risk appetite.
  • A blueprint for decisions about handling risk.
  • Instructions for creating business processes.
  • A common language for discussing this with organisations in other countries, i.e. to go global.

Kenyon also pointed out that one of the biggest benefits of ISO27001 is that “it doesn’t require you to merge standards, it allows you to integrate them,” using common text and approaches. Still, she admitted that implementing one or more information security management systems (ISMSs) in an organisation can be challenging, especially as far as scope is concerned. The benefits of improved awareness and confidence, and the positive impact on the organisation’s governance objectives, nevertheless make implementation worthwhile. She recommended that anyone embarking on an ISMS project should get some information security training and consider professional assistance. It is important to agree a scope, carry out a gap analysis and conduct the internal audit in stages.

Kenyon also recommended certification, because there is a “different level of rigour between conforming to a standard and certifying to it.”

UK Cyber Essentials Scheme – a step change in behaviours

Richard Bach, Assistant Director – Cyber Security at the Department for Business, Innovation and Skills (BIS), stressed the importance of the UK Government’s Cyber Essentials Scheme: “The Scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organisations protect themselves from online cyber threats. Its principles apply to organisations of all sizes, from micro enterprises to large corporates.” (The five control areas are boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management.)

Bach said that the government’s main objective is widespread adoption of the Cyber Essentials Scheme; it also wants “to see a step change in organisational cyber security behaviours.”

Alan Calder, Founder of IT Governance, added that this change has to come from top management: CEOs and board directors. He also noted that the Cyber Essentials Scheme helps reduce the number of data breaches, but it does not address cyber resilience. Cyber resilience needs to become a top priority on every company’s agenda.
