Cyberattacks can no longer be thought of as a problem for the Chief Information Security Officer (CISO) and the security function alone, but rather as an organisational issue, managed by leaders who understand their IT dependence and are capable of choosing the most appropriate and effective risk treatment options.
The proliferation of news stories covering attacks on major organisations and Web-based companies alike, including Tesco, Equifax, Tesla, AdultFriendFinder and more, highlights that any business operating in, or linked to, cyberspace is at risk. The current spate of ransomware attacks — WannaCry, Petya and others — goes on to demonstrate that companies must expect and prepare for a constant level of threat and attacks that are often random in nature. The impact felt around the world illustrates our economic and societal dependence on the Internet and IT, and just how vulnerable we have allowed ourselves to become.
Currently, organisations categorise information and systems risk as a technology problem to be managed by the information security and IT functions. This leaves the many extremely talented professionals working on the front lines of cyber and information security on the defensive, unable to keep up with the vulnerabilities introduced as organisations increasingly evolve with new technologies. They consistently give of their best day-to-day and in times of crisis. Their experience, however, demonstrates that the challenge of securing organisations and societies goes beyond their resources and the small pockets of deeply technical experts that analyse the threats. Security only comes when everyone understands and can respond to this growing threat.
This starts with accepting the premise that all businesses, their customers and their employees rely on the information, systems and software that underpin the products, services and processes now driving our economy. The current widespread lack of understanding of cyber risk, however, means that many businesses, large and small, continue to build, buy or use their IT without security in mind, and open new doors for the attackers. Clearly the IT function can be asked to change its perspective, but this will only occur if it is given the funding and mandate to do so. Unfortunately, our Global Information Security Workforce Study programme highlights that this is not the case. Those who identify themselves as IT professionals in particular report that their organisation doesn't provide adequate resources for security training, while only 35% agreed that their security suggestions are acted upon.
Wider appreciation of the priority that security deserves is needed to ensure IT and organisations are built to be resilient. The first step is to start the conversations that allow you to:
- Assess cyber risk within the context of your business functions not your systems functions, including access to information, customer services, PR and reputation.
- Establish a dialogue, grounded in the terminology of risk, between business leaders, IT and information security that regularly and actively challenges each party to examine business impacts.
- Help business leaders deepen their understanding of how technology is changing the way the business operates, the resulting dependencies and where these are leaving the business vulnerable.
- Include information security requirements from idea through to design, development, engineering, testing and production of any product or service built, produced or bought by the business.
The knowledge is available to tackle the issues: the challenge lies in getting it to where it needs to be. As a non-profit professional association with over 125,000 members around the world, (ISC)2 is leading the conversation to embed a greater understanding of what we see on the front lines into the decisions that are driving businesses and economies forward.