A guest blog by Thilen Pillay, Manager – Risk Advisory Services, RSM Betty & Dickson (Johannesburg)
If there was ever a time that information security was on the radar of risk management committees it would be now. It is an aspect of Enterprise Risk Management (ERM) that now demands attention and recognition. Cybersecurity is leading the charge in this constantly evolving field.
While the concept of cybersecurity is well known in the technology sphere, the not-so-techno-savvy individuals may require a bit of background on this topic. Cybersecurity is a component of information security which focuses on the protection of digital assets. At its core this includes a vast array of hardware and software applications that facilitate the processing, generation and dissemination of digital information via the internet.
Information is arguably an organisation’s most important asset, yet the controls and strategies implemented by many organisations to guard this asset remain sub-par. Those organisations that do have adequate security controls often do not have an adequate incident response system in place to react to and contain data breaches.
But does this mean that an organisation’s digital assets are protected once information security controls are implemented? No. Implementing information and cybersecurity controls without first considering the risks facing your organisation could result in critical information and digital assets not being protected.
It may sound cliché, but knowing is half the battle. Know the cyber risks and threats which your organisation faces. By conducting a full risk assessment of an organisation’s information and cybersecurity environment you are able to identify threats which could harm your digital assets, as well as the vulnerabilities exposing your systems to the identified threats. Once a risk assessment is performed you can improve the existing control environment up to the point required to mitigate those risks, decreasing the likelihood of unprotected digital assets and cyber-attacks, as well as the wasteful use of resources.
Adequate information security and cybersecurity risk identification and assessment, together with the implementation of appropriate control strategies, including enterprise-wide cyber awareness and incident management and response systems, will help organisations foster a strong cyber defence strategy. At this point it is important to note that for an organisation’s incident management and response system to play its role in the cyber defence strategy, it needs to be consistently tested and constantly honed so that it can respond to and contain cyber-attacks quickly, thereby helping to reduce data loss.
To assist in the development of an organisation’s cyber risk and control framework there are guides to help along the way, which include ISO 27000, the SANS Top 20 Critical Security Controls, as well as various publications by ISACA, which include a guide on Transforming Cybersecurity using COBIT 5.
Recent cyber-attacks like that faced by Target, JP Morgan and, of course, Sony may have left Chief Information Security Officers worldwide in a bit of a panic. But this panic can be alleviated if cybersecurity is taken seriously by organisations and given its due attention in their risk management process.