The importance of cyber security is no secret to anyone who watches the nightly news. Senior executives at businesses of all sizes understand that the global economy is still not adequately protected against cyber-attacks, despite years of effort and annual spending in the multi-billion dollar range.
Until recently, CEOs received information and reports encouraging them to consider information and cyber security risk. But not all of them understood how to respond to those risks or what the implications were for their organizations. In today's global business climate, the CEO needs a thorough understanding of what has happened and why it is necessary to properly understand and respond to the underlying risks. Without this understanding, risk analyses and the decisions that follow from them may be flawed, leading organizations to take on greater risk than intended.
Attackers have become more organized, attacks have become more sophisticated, and all threats are more dangerous and pose more risk to an organization's reputation. In addition, brand reputation and the trust dynamic that exists amongst suppliers, customers and partners have emerged as very real targets for the cybercriminal and hacktivist.
With the speed and complexity of the threat landscape changing on a daily basis, all too often we're seeing businesses being left behind, sometimes in the wake of reputational and financial damage. CEOs need to ensure they are fully prepared to deal with these ever-emerging challenges by better equipping their organizations to deal with attacks on their reputations. This may seem obvious, but the faster you can respond to these attacks on reputation, the better your outcomes will be.
Employee Awareness and Embedded Behavior
Organizations continue to heavily invest in ‘developing human capital’. The implicit idea behind this is that awareness and training always delivers some kind of value with no need to prove it – employee satisfaction was considered enough. This is no longer the case.
Today's CEOs often demand return-on-investment forecasts for the projects they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative. Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, their previous experiences and achievements, and their goals.
The time is right and the opportunity to shift away from awareness to tangible behaviors has never been greater. CEOs have become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team.
Stay Focused and Ahead of Potential Security Stumbling Blocks
Today, the stakes are higher than ever before, and we're not just talking about personal information and identity theft anymore. High-level corporate secrets and critical infrastructure are constantly under attack, and organizations need to be aware of the important trends that have emerged or shifted in the past year, as well as those they should prepare for.
We’re operating in a progressively cyber-enabled world and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling.
From cyber to insider, organizations have varying degrees of control over evolving security threats and with the speed and complexity of the threat landscape changing on a daily basis, far too often businesses are getting left behind, sometimes in the wake of reputational and financial damage. CEOs need to take the lead and take stock now in order to ensure that their organizations are better prepared and engaged to deal with these ever-emerging challenges.
Steve Durbin is an international business leader and sales and marketing professional. He has managed and grown start-ups into multi-million-pound turnover enterprises across Europe, the United States and Australasia. He is ranked as one of the top 10 individuals shaping the way that organizations and leaders approach information security careers in 2014. Currently, Steve is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.