Steve Durbin, Managing Director of the Information Security Forum (ISF), discusses some of the key risks to organizations today and provides guidance on how to steer clear of them while becoming more resilient.
Until recently, leading executives at organizations around the world received information and reports encouraging them to consider information and cybersecurity risk. Yet not all of them understood how to respond to those risks and the implications for their organizations. A thorough understanding of what happened (and why it is necessary to properly understand and respond to underlying risks) is needed by the C-suite, as well as all members of an organization’s board of directors in today’s global business climate. Without this understanding, risk analyses and resulting decisions may be flawed, leading organizations to take on greater risk than intended.
Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, get noticed, cause disruption or even bring down corporations and governments through online attacks. Over the past few years, we’ve seen cybercriminals demonstrating a higher degree of collaboration amongst themselves and a degree of technical competency that caught many large organizations unawares.
Today, the C-suite must be prepared for the unpredictable so they have the resilience to withstand unforeseen, high-impact events. Cybercrime, along with the increase in online cases, the increase in cost of compliance to deal with the uptick in regulatory requirements and the relentless advances in technology against a backdrop of underinvestment in security departments, can all combine to cause the perfect threat storm. Organizations that identify what the business relies on most will be well placed to quantify the business case for investing in resilience, therefore minimizing the impact of the unforeseen.
After reviewing the current threat landscape, I want to call specific attention to two prevalent areas of information security that C-suite executives need to be familiar with in the day-to-day running of their business. While these are not the only threats they should be mindful of, they are the ones executives should be keeping a close eye on.
A Need to Avoid Reputational Damage
Attackers have become more organized, attacks have become more sophisticated and all threats are more dangerous and pose more risk to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists amongst suppliers, customers and partners have appeared as very real targets for the cybercriminal and hacktivist.
With the speed and complexity of the threat landscape changing on a daily basis, all too often we’re seeing businesses being left behind, sometimes in the wake of reputational and financial damage. The C-suite needs to ensure they are fully prepared to deal with these ever-emerging challenges by equipping their organizations better to deal with attacks on their reputations. This may seem obvious, but the faster you can respond to these attacks on reputation, the better your outcomes will be.
Relying on Employee Awareness and Embedded Behavior
Organizations continue to heavily invest in “developing human capital.” No executive speech or annual report would be complete without stating its value. The implicit idea behind this is that awareness and training always deliver some kind of value with no need to prove it – employee satisfaction was considered enough. This is no longer the case. Today’s executives often demand return on investment forecasts for the projects they have to choose between, and awareness and training are no exception. Evaluating and demonstrating their value is becoming a business imperative. Unfortunately, there is no single process or method for introducing information security behavior change, as organizations vary so widely in their demographics, previous experiences and achievements and goals.
While many organizations’ compliance activities fall under the general heading of “security awareness,” the real commercial driver should be risk and how new behaviors can reduce that risk. The time is right, and the opportunity to shift away from awareness to tangible behaviors has never been greater. C-suite executives have become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the members of the executive management team.
Stay Ahead of Possible Security Stumbling Blocks
Organizations of all sizes are operating in a progressively cyber-enabled world, and traditional risk management isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that evaluates the threat vectors from a position of business acceptability and risk profiling.
Organizations have varying degrees of control over evolving security threats, and with the speed and complexity of the threat landscape changing on a daily basis, far too often I’m seeing businesses getting left behind – sometimes in the wake of reputational and financial damage. Executives in the C-suite need to take the lead and take stock now in order to ensure their organizations are better prepared and engaged to deal with these ever-emerging challenges.
Steve Durbin is CEO of the Information Security Forum, an independent association dedicated to investigating, clarifying and resolving key issues in information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its members. 
