In my last blog I talked about the 3 ages of cybersecurity and how we are now firmly in the third age – the age of response. This reflects the certainty that your organisation will suffer some form of cyber-related attack or data loss, and the need to prepare for this incident sooner rather than later.
We again saw proof of this in early February 2015 when the US health insurer Anthem was hacked. Reportedly, tens of millions of records were illegally obtained, causing distress for those affected and no end of pain for the company charged with protecting this sensitive data.
Alongside the need to prepare for a data breach is the need to have some understanding of how good, bad or indifferent your organisation’s cybersecurity posture is.
In fact, a common question I am asked by clients is, “how good is our cybersecurity?” Many chief executives and Chief Information Security Officers (CISOs) find it difficult to benchmark how well they are doing to reduce their cyber risk and have little independent and objective help. Others have given cyber risk no thought at all, and need help in finding a place to start their journey.
Key to this is reducing the risk in a way that is proportionate and addresses cyber threats from a business-led perspective. Improved security is not a direct result of a huge IT budget; it is the result of smarter use of budget against prioritised need.
And this needs to be assessed.
Why Bother with a Cyber Assessment?
Measuring performance, profits and sales is a key requirement for most businesses. Aside from annual company submissions required by regulators, weekly or monthly performance reports are a key tool for executives who need to make decisions based on fact. When it comes to cybersecurity, the same level of reporting may not be required by regulators (yet…) but it makes sense for most businesses to at least get a grasp on the cyber issues they face.
This is now more important than ever as new and emerging cyber threats challenge traditional responses and demand a more sophisticated approach. Putting in an anti-malware solution across corporate computers will no longer be your guarantee of security in the modern age of inside threats and targeted attempts to get to your intellectual property.
Cybersecurity Risk Assessments
Over the years methodologies have emerged from industry bodies to help organisations measure their cyber risk.
One of the best that I have seen recently is from the National Institute of Standards and Testing (NIST), a non-regulatory federal agency within the U.S. Department of Commerce.
Published in February 2014, version 1 of the NIST framework (http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf) draws on a number of informative references from across the information security industry, including respected sources such as COBIT, ISO and ISA. This blend of resources, presented across the assessment framework, makes for a well-structured and orderly way to answer the question “how good is our cyber security?”
The NIST framework has 5 functional areas: identify, protect, detect, respond and recover. These functions then contain 22 categories upon which a risk assessment can be conducted. The beauty of using a common approach, language and taxonomy is that data can start to be collected and then used for comparison purposes (normally anonymously) so that organisations can gauge both their own cybersecurity posture and start to compare with their industry peers. Indeed, by applying a regular assessment I have helped CISOs demonstrate to the business measurable improvements in their organisation’s cybersecurity posture. This also had a healthy impact on their personal bonuses as they could evidence a reduced cyber business risk, based on an independent and objective measure.
If you carry the burden of cyber risk in your business I would have a rethink about how you measure this risk and consider if you are necessarily taking the best approach. Take a look at the NIST framework and, if it helps, I am always happy to chat through the detail of conducting an assessment, so feel free to drop me a line.