CIO Just 4 things about Information Security

In this instalment I try to distil an extremely important, and current, subject into 4 focus areas which should be used to frame and prioritise many sub-activities. As always it comes with a caveat that this is not an exhaustive list and there are many more aspects that I could have covered. Nevertheless I believe these are helpful. So here are my 4 “buckets”:

  • Prevent: Prevention is the whole set of activities that aim to reduce the likelihood or impact of a cyber security incident. These activities are rather well known and encapsulated in a number of standards such as ISO 27001/27701 or guidance documents such as NIST/SOC. Implementing these and submitting yourself to an audit regime like ISO or SOC will ensure that you have most bases covered. The real secret, in my opinion, is not only to implement the letter of these standards but to embrace the spirit of them. They are, after all, there to ensure that you can have a relative measure of assurance around your preventative posture. It is also critical to focus not just on preventative technology, which undeniably will help, but equally on process and procedure, as cyber security incidents often start by exploiting a human weakness. During this “Prevent” phase, it is critical that the C-suite is not only bought in but leads by example, for two reasons: there is often resistance within the organisation to the implementation of stricter security measures, and the C-suite/senior leadership team are often targets due to the amount of sensitive information, or privileged access, they have.

  • Practice: it is critical to rehearse all the recovery and business continuity plans frequently, i.e. at least twice a year but possibly as often as once a quarter. Frequent practice will remove a significant amount of the stress associated with cyber incidents and reassure leadership, as well as customers, that when something occurs the business will be able to deal with it as if it were just business as usual. Another reason to go for frequent rehearsal is the sheer number of attack scenarios, as well as the speed with which the attack vectors are evolving. In incident management, practice does make perfect. Finally, it is important to consistently learn from the practice exercises and to ensure that processes and preparations are continuously enhanced as a function of what is discovered.

  • Partner: it is often neither economically feasible nor desirable to rely exclusively on an internal security team to face each and every potential eventuality. It is worthwhile either partnering directly with an incident management specialist or ensuring that you have access to an incident management specialist via your cyber-security insurance. The latter (i.e. insurance) is an absolute must today, and it is worth reviewing what insurers offer over and above damage cover, namely: incident management, legal specialists, and communication specialists. You can also partner with organisations who are not your auditors, who can review your state of readiness and advise on areas of improvement. Many suppliers/partners will provide updates on the threat landscape and best practice as part of their normal service. This is very useful information that IT departments are not typically able to keep up with proactively.

  • Embrace: cyber-security threats are a reality, so cyber-security readiness needs to become more than a set of activities that an IT or designated security department does. It needs to become part of the DNA of each and every employee. “Good” habits need to be created and a healthy approach to caution needs to be taught and adopted by all. One way I found worked to win over employees was to make cyber-security not just about corporate assets but also about their personal cyber hygiene. By incentivising them with discounted home security software or password managers, or by relating much of the security guidance to what they do at home, you are much more likely to create the aforementioned good habits, which will then carry over into the office. This is even more important in the days of remote working, where the lines between home and office are very much blurred. If everyone learns to embrace cyber security as a good thing in their work and personal digital lives, the more prepared the organisation will be.

Interesting read and some very useful pointers for how to reduce and manage the risk...

More articles by Antoine Boatwright (BSc, MSc, MBA)