Whether your business priorities are protecting brand reputation, complying with regulations or keeping customer data safe, cyber security should be high up on the Board agenda.
However, the reality is that many organisations have not yet reached even a basic level of cyber security, leaving them exposed to significant threats in all these areas.
Our expert provides some top-level advice on how to move the organisation from basic to industry leading or gold standard cyber security.
Getting The Basics Right
A good place to start is a short maturity assessment to see where the organisation stands against basic cyber security controls. For example, the UK National Cyber Security Centre (NCSC) publishes its 10 Steps to Cyber Security, which organisations can use both as a baseline and as something to assess themselves against. At this level, the organisation reviews its current cyber security against a basic checklist and works on a remediation plan to close the gaps it finds. This can be accomplished with skilled in-house cyber security resources or by drawing on cyber security expertise from third parties.
If gaining support for even a basic level of security is challenging, it is worth noting that without a strong base the organisation will find it much harder to comply, and keep up, with the demands of regulatory bodies. GDPR, for example, allows fines of up to 4% of annual global turnover or 20 million Euros (whichever is greater) for organisations that infringe its requirements, so it is certainly a situation worth remedying. It is also advisable to make sure the organisation has the appropriate security standards documented and, more importantly, properly implemented. These include password policy, auditing policy, anti-virus, USB restrictions and encryption, amongst others.
Cyber Security Operating Model, Governance & Strategy
To sustain and continually improve against the basics, a cyber security operating model is required. This defines good security governance within the IT functions and beyond, and is essential to ensuring good overall security.
The cyber security operating model should accommodate a governance framework that can operate independently of the IT function, so that security is not overshadowed by IT delivery priorities. This framework should establish the current maturity level and the desired state, based on the risk appetite of the organisation. That in turn defines the organisation's strategy and the continuous improvement activities that work towards it, typically in the form of a road-map of projects over, say, 3-5 years. Solving identified issues can take anything from weeks to a few years, so they should be prioritised on criticality, impact, ease of implementation and available budget.
A key point to understand is that a cyber security strategy is not a one-time implementation. It should not be treated as a remediation plan but as a framework for continuous improvement. New cyber challenges will spring up while the organisation is delivering on the road-maps and projects, so it is vital that the framework allows for defending against these too. It is also important to revisit the strategy regularly, to see whether the organisation is on track against the road-maps or whether some fine-tuning is needed.
Once the organisation has achieved its cyber security goals and objectives, the strategy should be updated to start on the road to becoming an industry leading practice.
Once the cyber security base is strong, the organisation can progress towards a standard that is industry leading or gold standard, should it so wish. This could be by defining new and innovative processes, and creating tools to defend the organisation against more sophisticated attacks.
Threat Intelligence (TI) can take this to the next level by identifying threats proactively, before they materialise as incidents. Starting with cyber security research, the TI function examines the organisation's current threat landscape: which adversaries are likely to target it, what attack vectors and methods they favour, and how the organisation could be attacked and by whom.
At the top level, the organisation can turn that research into rules in its security monitoring tool or security operations centre, so that the indicators and techniques identified are detected and acted on proactively, rather than only after an incident has occurred.
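As an added illustration (not code from this article or its authors) of how TI research becomes monitoring rules, the following shows two kinds of rule side by side: an indicator-based rule that matches adversary infrastructure the TI function has attributed, and a behaviour-based rule for a technique the adversary is known to use (password spraying), which catches activity from infrastructure the indicator list has never seen. The log formats, indicator values, thresholds and sample log lines are all constructed for the example; a real SOC would feed its SIEM rather than a script.

```python
"""Turning threat-intelligence findings into detection rules (added example).

Two rule types are shown, run over constructed sample logs:
  1. indicator-based: match domains/IPs the TI function attributed to an adversary
  2. behaviour-based: match a technique the adversary favours (password spraying),
     which fires even when the source infrastructure is not on any indicator list.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed indicators, as a TI function might distil from its research.
TI_BAD_DOMAINS = {"update-check.example.net", "cdn-metrics.example.org"}
TI_BAD_IPS = {"203.0.113.45"}

# Constructed thresholds for the behaviour-based rule: N distinct accounts failing
# from one source inside the window is treated as a spray, not a forgotten password.
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_ACCOUNTS = 5

# Constructed sample logs. Format: "<iso-timestamp> <event_type> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T09:00:01 proxy src=10.0.0.5 dst=update-check.example.net action=allow
2024-03-01T09:00:03 proxy src=10.0.0.6 dst=www.example.com action=allow
2024-03-01T09:00:40 auth src=203.0.113.45 user=alice result=fail
2024-03-01T09:01:10 auth src=198.51.100.23 user=alice result=fail
2024-03-01T09:01:12 auth src=198.51.100.23 user=bob result=fail
2024-03-01T09:01:15 auth src=198.51.100.23 user=carol result=fail
2024-03-01T09:01:19 auth src=198.51.100.23 user=dave result=fail
2024-03-01T09:01:22 auth src=198.51.100.23 user=erin result=fail
2024-03-01T09:05:00 auth src=10.0.0.7 user=frank result=fail
2024-03-01T09:06:00 auth src=10.0.0.7 user=frank result=success
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), kind, fields)


def rule_known_infrastructure(events):
    """Indicator-based rule: any contact with TI-attributed domains or source IPs."""
    alerts = []
    for e in events:
        if e.kind == "proxy" and e.fields["dst"] in TI_BAD_DOMAINS:
            alerts.append(("ti_domain", e.fields["src"], e.fields["dst"]))
        if e.fields.get("src") in TI_BAD_IPS:
            alerts.append(("ti_ip", e.fields["src"], e.kind))
    return alerts


def rule_password_spray(events):
    """Behaviour-based rule: one source failing logins for many distinct accounts
    within SPRAY_WINDOW. Independent of any indicator list."""
    fails = defaultdict(list)  # src -> [(timestamp, user)]
    for e in events:
        if e.kind == "auth" and e.fields["result"] == "fail":
            fails[e.fields["src"]].append((e.ts, e.fields["user"]))
    alerts = []
    for src, attempts in fails.items():
        attempts.sort()
        # Slide a window starting at each failure; alert once per source.
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_DISTINCT_ACCOUNTS:
                alerts.append(("password_spray", src, sorted(users)))
                break
    return alerts


def run_rules(log_text: str):
    """Parse the log text and return all alerts from both rules, in order."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return rule_known_infrastructure(events) + rule_password_spray(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

Running it against the constructed logs raises three alerts: the proxy request to an attributed domain, the single failed login from an attributed IP, and a password spray from 198.51.100.23, an address on no indicator list. The last is the point of researching adversary methods as well as infrastructure: the behavioural rule keeps working after the adversary changes IPs, while frank's two attempts against his own account stay below the threshold.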
Read more about our Cyber Security capabilities here.
If you would like to discuss your organisation's Cyber Security Maturity, please get in touch.