Know your cyber risk

What is the cyber security risk profile of New Zealand organisations? What mechanisms are needed to make businesses more digitally secure? Adam Dodds of IDC addressed these questions and more at a recent series of events in Auckland, Wellington and Christchurch.

Digital imperatives, digital risks

Digital transformation, information management and customer centricity are key business objectives for 2018/19 – and all of these have the potential to increase an organisation’s cyber risk. The landscape is shifting daily, and cyber threats can impact productivity, critical dependencies, and brand integrity.

Valuing your information

Cyber security is a means to an end. It exists to enable the business to continue to function in spite of the threats that it faces. Boards and executives are often not informed of the value holistic cyber security can provide. The question is not “where should I spend my next security dollar?” but “what is the quantified threat to our business?”. Treating critical business information – such as that contained in your CRM and ERP systems - as an asset in the same way as infrastructure, buildings, plant & machinery can encourage management to invest in protecting the most important information against the most likely threats.

Information security, IT Security, cyber security

As organisations collect more and more sensitive data it raises significant questions around governance, management and ownership as well as the tools and frameworks needed for assurance and security.

Adam Dodds said cyber security should not be viewed as “IT security” as this narrows the scope and places pressure on already stretched IT teams. Instead organisations should approach cyber security as a business risk.

“Cyber security is not just IT security. It’s what IT can do to limit business risk. This engages the wider organisation. Ensure the CEO and board understand there is no such thing as being connected and 100% secure. This then widens the scope beyond protection to include risk management and mitigation.”

Dodds added “the funding model for security is more akin to military spending than the traditional metrics of ROI”. Cyber security is non-discretionary and investment should be spread across the full range of activities including prediction, prevention, detection and response.

Organisations are beginning to recognise this. Of the NZ organisations surveyed by IDC, 25% now have a dedicated Chief Information Security Officer or Chief Information Risk Officer role.

Dodds suggests, to be more effective, cyber security should be split into into at least two distinct mindsets:

  • Hunters - who are constantly tasked with seeking threats across the internal systems
  • Remediation team - who respond to and remediate the threats that the Hunters detect

Resourcing cyber security - some final thoughts from Adam Dodds

The future is SecDevOps, says Dodds, where security is embedded as part of the process rather than added later as an afterthought.

If you don't already have one, get a Chief Information Security Officer, and make sure they don't report into IT.

Make sure the CEO has KPIs for cyber security, so it gets the attention it needs.

Lastly, consider your suppliers, who also form part of your attack surface, and make sure they are not exposing you to unnecessary risk.