The challenges presented by cyber security risks are many, complex and multi-dimensional. There is no single solution that serves as a panacea as organisations assess their cyber security risks, so adopting a strategic and holistic approach is more important than ever.
The 2018 AISA conference covered leading techniques and approaches for managing cyber security risks. However, for enterprises that are yet to test their cyber security defences or develop continuous testing and assessment programmes, it’s premature to think about solutions until the problem is understood.
Testing and assessment
Testing and assessment remains a challenge for many enterprises because of how they interpret the value proposition of regular testing and assessment processes. Many SME clients have yet to conduct any testing of their cyber resilience or identify areas of exposure. Yet these enterprises have a material level of reliance on security to protect their operations and support strategic objectives.
Even with a growing number of cyber solutions, the need for security testing and assessment remains largely unaddressed. As security advisers, we should continue to advocate for testing and explain why it is a critical step in security strengthening, so our clients understand the risk profile.
There are many established and new security solutions offering well-regarded and tested products, alongside solutions which reflect the latest in machine learning and artificial intelligence. How best to identify and incorporate appropriate solutions can only be determined by enterprises themselves.
Remediation and technical solutions
Remediation and technical solutions should reflect the risk profile and business needs of an enterprise. The difficulty is trying to align security solutions to the remediation and budgetary needs of the enterprise. Importantly, alignment between security products and business processes helps ensure the focus remains on business needs, rather than being purely an IT solution.
Boardroom governance requirements are increasing in order to satisfy the valid and growing number of questions from the Board. There is also an increased focus on governance processes to coordinate and report on the effectiveness of security programmes and processes.
With the increasing financial burden of testing, improving and maintaining effective cyber security (which incorporates people, systems and processes), the way security is managed and justified needs consideration.
This can often be seen in enterprises that demonstrate cyber security maturity. They have in place programmes and procedures to measure, evaluate and refine their activities as part of a governance regime.
The establishment of policies and procedures applicable to these activities, to ensure independent, effective and timely assessment of cyber security activities and investment, is no different to the degree of scrutiny applied to other aspects of an organisation’s controls effectiveness.
Whether it is a product development process, or sales program and campaign, the measurement and assessment of strategic and operational success is necessary to confirm and validate the return on investment.
For further information
If you have any queries, please contact our cyber security expert Michael Shatter.
This article first appeared in AISA’s 2018 Cyber Australia – Managing Cyber Risk for Business publication.