Historically, cyber resilience was seen as the job of the information security team alone, but times – and expectations – are changing. Now more than ever, company executives must take greater responsibility for their organisation's ability to prevent, withstand and respond to cyber attacks, say two leading consultants.
One of the biggest mistakes companies make around cyber resilience is seeing it solely as a technology issue, when actually it is a business issue. So, while the Chief Information Security Officer's (CISO's) name might still be synonymous with cyber security, executive management and the board also need to step up to the plate.
In the words of Nick Seaver, Partner in Deloitte's Cyber Risk Services Team: "Cyber security needs to be owned by the executive committee." This, he says, includes ownership of wider cyber governance as well as providing strategic input to an organisation's cyber risk framework and risk appetite. "The board then need to ensure they have the skills and knowledge to appropriately guide and challenge executive management," he adds.
Ian Benson, Director, Cyber Security, PwC, agrees that the board and executive team should be taking a more active role in cyber resilience, but starting with the fundamentals.
"Firstly, they need to understand their own digital footprint – including their external exposure and how that could be leveraged to attack them. After all, CEOs and CFOs are increasingly being personally targeted by hackers. Secondly, they need to be active in setting the tone from the top, to help instil a culture of cyber security throughout the organisation."
According to Seaver, this 'tone from the top' should be set by board members having active visibility of their cyber security and resilience programs. This, he believes, should include regular briefings from executive management and delegated specialists around the latest threats, unsuccessful or successful breaches, and mitigation measures where controls have been found to be insufficient or compromised.
A positive philosophy
Benson advocates a slightly different approach alongside this. "The board needs to help spread the message that cyber resilience is an enabler and that being good at security can have a positive impact on the business – potentially helping the organisation to be quicker to market, or making it easier for the company to reach customers through digital channels. Talking about it in those terms really helps to define the culture," he notes.
The reason Benson believes that instilling a culture of cyber security across the whole organisation is so important is that "the large majority of cyber attacks begin with the end user." These attacks might include an employee clicking on a phishing email, or being socially engineered to disclose their password. "Unless you instil that culture right across the business, and make cyber resilience a part of everyone's role, you're never really going to tackle the problem," he explains.
Of course, training is an important tool in reducing that end-user threat, and both Benson and Seaver cite a lack of focused cyber awareness training as a common pitfall among companies of all sizes. Further investment in training should be high on the executive agenda therefore.
Avoiding the traps
Another frequent oversight is spending insufficient time planning and practising how to recover from an attack. "Corporates need to take a structured approach to cyber security – identify, protect, detect, respond and recover. Too often organisations focus on just one part of the process , such as having controls in place, and don't spend enough time on planning the recovery piece," says Benson.
"Investment in pre-event cyber-specific planning is crucial," agrees Seaver. "The development of predefined playbooks that set out the considerations and likely options can help guide any organisational-wide response," he notes. Cyber simulations are another important tool that can help the board and company executives to make difficult decisions in the event of a cyber attack, say both Benson and Seaver.
From dealing with the press to communicating with shareholders and cutting off certain parties' access to systems, 'dry runs' can "help everyone understand their roles and responsibilities in a cyber incident or crisis, both internally within the organisation and externally within their sector," notes Seaver. Moreover, war gaming and simulations to 'stress test' incidents and crisis response plans can actually help identify the strengths and weaknesses of an organisation's cyber capabilities, he adds.
What all this talk of planning and practising highlights is that people and processes, not just technology, lie at the heart of successful cyber security – which is precisely why boards must increasingly take responsibility for cyber resilience.