In early September around 50 000 users had their personal details exposed when the fintech Revolut was breached in a cyber attack. The latest attack is one in a rising tide of breaches which are unlikely to subside until CEOs and CISOs can close the gap between their respective views of cyber resilience.

By Wessel Matthee, information security and compliance manager at Entersekt

True cyber resilience is not just about the technology, but rather it entails a more holistic approach which must include everyone within the organisation. If cyberattacks are to be avoided, CEOs and CISOs must close the gap in how they respectively view security and lead the cultural shift towards true cyber resilience.

The World Economic Forum (WEF) and Accenture Global Cybersecurity Outlook study for 2022 was clear that focussing on cyber security (having the tech in place to fend off attacks) is no longer enough. Rather, the report advises businesses to focus on cyber resilience – a term which entails having the tech, security experts, company culture and leadership commitment to successfully deal with attacks.

However, the WEF report notes that not only are cyber security resourcing efforts proving insufficient against increasingly sophisticated attacks, but there seems to be a disconnect between how business leaders and security leaders respectively perceive their organisations’ threat-readiness. It shows that “while 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk-management strategies, only 55% of security focused leaders surveyed agree with the statement.”

This year has been particularly challenging for IT leaders, with Gartner saying “it is proving to be one of the noisiest years on record for CIOs” with security being just one of the challenges on their radar. CISOs, meanwhile, are finding their ability to make a meaningful impact challenged when they are not consulted in business decisions. Gartner points out that CISOs’ roles need to shift from technologists who prevent breaches to corporate strategists managing an organisation’s cyber risks.

It is unfortunate that South African leaders also remain slow to respond to the growing cyber threat, with many waiting for an actual breach before they look at investing in the processes and architecture required to defend themselves. Cyber resilience is all about being able to function even if you’re breached. It must encompass both business and IT risk management and it must come from the top and permeate across the entire organisation, from business process mapping to engineering service availability, to critical vendor dependency.

Communication lies at the heart of risk management

Managing third-party risk forms a major part of cyber resilience.

A study published late last year by CyberRisk Alliance Business Intelligence shows that 91% of the 250 US-based IT and cybersecurity decision makers and influencers surveyed had reported a security incident related to a third-party partner in the last twelve months, while a worrying 15% had reported 20 or more partner-related incidents.

Companies need to go beyond best practice requirements of annual reviews and opt for more rigorous and frequent reviews of their third parties. What’s more, simply relying on security certifications is no longer good enough. For instance, CISOs need to be reviewing contracts on a regular basis as the manner in which data is handled can change quite frequently. Working closely with third parties and having frequent updates and assurances from them goes a long way to reducing risk.

Communication lies at the heart of the disconnect between CEO and CISO.

Regular incident simulations are the best way to stress test your systems, but will also allow you to isolate any gaps in your processes. This is all essentially about effective communication and will not only improve how you communicate within teams, but will empower the CISO to properly inform their CEO, going a long way to bridging any gap that may exist.

A good tool to apply to an organisation’s Security Incident Management is the RACI model which can help identify roles and responsibilities, ensuring effective communication. This can be briefly described as:

* Responsible – Determine who is responsible for each function.

* Accountable – Who is accountable for success and who is the decision maker.

* Consulted – Who needs to be consulted or alerted in the event of any changes. Who are the subject experts?

* Informed – Who needs to be informed of major updates (typically senior management).

Finally, and most importantly, cyber resilience must have the sanction of the full leadership team.

Achieving true resilience is not just about throwing tech at a problem. Adding layers of security to all levels of an organisation is undoubtedly required to adequately protect a modern organisation. But cyber resilience depends on leaders understanding the challenge, co-creating the solution with trusted partners, and supporting the teams that are managing it. The only way this can be achieved is through an orchestrated approach that has the CEO and CISO in lockstep.