Cyber Essentials implementation needs complementary standards,
delegates are told.
Traditional cyber security is now inadequate for today’s threat landscape and must be superseded by ‘cyber resilience’, demanding more vigorous action from company boardrooms.
This was the main message of a panel of industry experts at the international cyber summit hosted by IT Governance in London on 8 May. The event, ‘New Standards in the Global Cyber War’, was symbolically held at the Churchill War Rooms. It included speakers from the Department for Business, Innovation and Skills, British Standards Institution (BSI), international professional organisation ISACA, and AXELOS, a joint venture between the Cabinet Office and services group Capita plc that runs the Best Management Practice portfolio. The conference attracted more than 60 delegates from across the UK.
Alan Calder, Executive Chairman of IT Governance and conference chair, told delegates: “Cyber security is no longer sufficient to ensure business sustainability. Yes, organisations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organisation’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.
“Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10% of the IT budget on security is no longer adequate to keep your organisation in business.”
Mike Edwards, management systems tutor at BSI, continued: “Organisations need to converge their management of information security and business continuity. The good news is the best practice standards in each area – ISO27001 for information security and the new ISO22301 standard for business continuity – now work very well together, so policies and procedures can be dovetailed. Employing both standards in tandem is the key to cyber resilience.”
The Government’s recently announced Cyber Essentials scheme was discussed by Richard Bach, Assistant Director for Cyber Security at the Department for Business, Innovation and Skills: “Cyber Essentials is complementary to the good work and value across several existing standards and frameworks. The Scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organisations protect themselves from online cyber threats. Its principles apply to organisations of all sizes, from micro enterprises to large corporates. Our main aim is adoption – we want to see Cyber Essentials adopted as far and wide as possible. We want to see a step change in organisational cyber security behaviours."
Reflecting upon Bach’s remarks, Alan Calder welcomed the Cyber Essentials scheme, and said to achieve cyber resilience organisations would need to employ complementary standards in parallel: “Anything that raises management awareness of cyber security is a good thing and we are delighted to see the Government getting behind this issue.
“I would argue Cyber Essentials should be adopted in addition to, rather than instead of, ISO27001. The ISO27001 standard offers various additional benefits, key ones being its international recognition and role as pillar of cyber resilience. You can use Cyber Essentials to try to stop attacks succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.”
Other speakers at the conference included Neira Jones, an independent expert on ISO27001 and the PCI DSS standard, who gave an analysis of the devastating cyber breach suffered by US retailer Target; Bridget Kenyon, Head of Information Security at University College London, who highlighted the importance of ISO27001 in providing structure to information security management; Nick Wilding, Head of Cyber Resilience at AXELOS, who discussed ways for companies to assess their best practice compliance for cyber resilience; and Sarb Sembhi, Chair of ISACA’s Government and Regulatory Advisory Regional Committee for Europe and Africa, who discussed the value of the COBIT 5 framework in aligning management system standards.