You only have to be a casual follower of the news to see that cyber attacks and the resulting damaging data breaches are happening with greater frequency.
TalkTalk and JP Morgan are just two of the latest high profile companies to show their vulnerability to cyber crime.
Once again, these attacks illustrate how organizations increasingly need to recognize that a cyber breach is inevitable. It’s been said that there are only two types of organizations – those who know their systems are being hacked and those who don’t.
It’s not surprising that information security is regularly overlooked; organizations are focused on their primary objectives, for example innovation, growth, operational efficiency, and getting closer to customers and partners. As a result, information security has typically been bolted on rather than built into an organization’s systems, and in many organizations cyber resilience remains the domain of IT Security alone. While companies are keen to capitalize on the cost savings of new network technologies and the internet, treating security as an afterthought creates vulnerabilities.
What companies need is an enterprise-wide cyber resilience approach; resilience best practice – as contained in the AXELOS RESILIA™ methodology – is as much about security (preventing a breach) as it is about responding, recovering and remaining operational when a breach happens. It’s also about designing and managing an effective balance of people, process and technology controls to best mitigate your risks.
The cyber resilience approach
RESILIA’s cyber resilience best practice provides practical ‘know-how’ guidance, centred on essential processes that complement ‘what to do’ information security frameworks such as ISO 27001.
RESILIA provides one overarching management system for an organization with a joined-up approach for all areas, focused on collaboration across the whole enterprise and not just IT teams. Take incident management for example: RESILIA gives guidance on how to follow and embed a process while aligning organizational cyber resilience with business objectives and strategy. It also focuses on awareness training for everyone in an organization as well as targeted training for security specialists.
Through its close alignment with ITIL® – the de facto global standard for service management – RESILIA builds on the ITIL best practice guidance. So, the countless organizations with the ITIL framework already embedded will be well placed to improve their cyber resilience.
Cyber resilience in action
Focusing on cyber resilience brings a more holistic approach to the cyber breach problem than simply focusing on the technology aspects of security.
Its processes are considered in the strategy and design phases and are then embedded to ensure they are being effectively used and referenced day-to-day. Lessons are learned and the resulting robust processes are well managed.
In this way resilient processes – installed from the outset rather than bolted on later – are ready and proven when the breach occurs. They are thoroughly tested so the organization is able to react, respond and recover in a well-understood and effective manner.
Why “react, respond and recover”?
Cyber security best practice has previously focused on protective and detective technology, with additional attention given to business continuity and disaster recovery. Crucially, however, resilience is about recovery and minimizing the effects of a security breach.
For example, resilience can encompass practicing board room scenarios in the event of a breach; dealing with affected personnel, including customers; and returning the organization to an operational state so it can continue its core business functions.
It is increasingly common for organizations that believe they have done enough to protect themselves to still fall victim to cyber crime. To combat this, an organizational culture change is required in order to achieve the requisite level of robustness.
RESILIA Certification – what does it give the practitioner?
I recently undertook the RESILIA Practitioner level qualification, which has given me a much better understanding of the processes required to ensure organizations have robust cyber resilience. It has also provided me with a solid understanding of how RESILIA and ITIL are complementary, along with a greater ability to embed essential processes into organizational culture.
The Practitioner level is intended for people with responsibility for data security or risk compliance, and for cyber security practitioners. It builds upon the Foundation level certification, which is ideal for people in roles with some peripheral cyber resilience responsibility, such as those in HR, procurement, supply chain, commercial, legal and finance teams.
In order to embed an effective cyber security approach across the organization, employees need to be made aware of cyber resilience. It’s no longer enough for IT or security teams to have sole responsibility for maintaining the cyber safety of an organization.
Cyber resilience best practice addresses company culture, and AXELOS’ range of RESILIA products addresses this need for organizational culture change. Cyber risk training is predicated on regular updates to affect behaviour and attitudes to cyber security: this is the most valuable and effective way to react, respond and recover with confidence.
Do you think that cyber resilience best practice and training should be part of the culture of an organization? Have you or your organization undertaken any formal qualifications or do you take less structured measures to help protect you from cyber-attack? Please let us know in the comments box below.