Security should be the enabler of the digital world. The ability to detect, protect, remediate and recover from a cyber threat is critical. Cyber resilience has become an elevated topic of discussion at board level. This has received further attention as a result of the recent WannaCry ransomware global attack.
Speaking at an event focusing on cyber resilience, hosted by ContinuitySA, Sean Duffy, Executive: Cybersecurity at Dimension Data Middle East and Africa, stated that “Organisations should adopt a risk-based approach to cybersecurity that is aligned to each organisation’s business objectives.”
Cybersecurity risks should be elevated and managed in line with an organisation’s enterprise risk programme. Cyber risk is a business responsibility and not only that of the Information Technology department.
Duffy added: “Cybersecurity incidents will happen and organisations need to improve the security posture from a reactive to a predictive state, thus building cyber resilience.”
Duffy contends that in order to achieve a business-driven, risk-aware approach to cybersecurity, organisations have to begin with the business itself: understand the organisation’s objectives and the organisational risk appetite aligned to them. Only once this is understood can the non-technical and technical security controls be implemented. Every control that is defined needs to be measurable and aligned to an industry security framework. Through this approach, organisations will be better placed to meet their operational continuity requirements.
To achieve cyber resilience, the following should be considered:
1. Align IT and business to a cyber resilience strategy.
2. Use a common language to enable that alignment.
3. Ensure board-level accountability for cyber risk and drive responsibility to C-level executives.
4. IT and business must collaborate in establishing the correct balance between the organisation’s risk appetite and need to be resilient.
5. IT security should move from a mindset focused on control to promoting an integrated, comprehensive cyber strategy powered by people, processes and technology.
6. Organisations need to adopt a culture of preparation, prevention, detection, response and recovery.
“To align cybersecurity and business strategies to build overall cyber resilience, but without compromising operational effectiveness, is complex, and needs to be done within the overarching business resilience strategy,” adds Jeremy Capell, GM: Advisory Services at ContinuitySA. “In this context, investing in specialist business resilience consulting makes excellent sense.”