A collaborative approach to cyber security

Adam McCullough

While security threats are constantly evolving and becoming more sophisticated, our industry’s approach to cyber safety has, in the main, not developed at the same rate.

Frequently, businesses have a ‘set it and forget it’ approach, tackling cyber security when an employee first joins an organization and then holding a refresher course once a year.

When companies fail to give cyber safety and resilience the prominence they deserve, they validate a belief among employees that security is a commodity: the technology should ‘just work’, you flip a switch and you are safe.

Equally, by focusing on what employees cannot do instead of what they can do to help with security, businesses are effectively encouraging people to take a passive role in addressing the cyber security challenge. Even if an organization has the latest and greatest technology to prevent an attack, insider threats (inadvertent or deliberate) can cause irreparable damage.

What to do

So what should businesses be doing, rather than not doing? An effective, robust approach to cyber security requires a cultural change that begins at the top and works its way down; security awareness needs to become a daily habit of every employee, not just of the security team or department.

To move to this positive, collaborative approach, business leaders must begin by ensuring security is not an afterthought but an integrated part of the business. Then, based on the individual security needs and maturity of their business, senior leaders should consider things such as training and appropriate access management, e.g. what do individuals actually need to know, and what do they need access to in order to do their job?

A clear message

Communication around cyber and physical security is also critical to success. Messaging should be open and transparent and, importantly, explain why the business is asking its employees to do (or not do) something. Procedures and policies need to be explained; they should make sense, and employees should understand how and why their behaviour can make a difference.

Organizations should be encouraging an ethos of ‘see something, say something’ in their communications. To tackle security properly and instill positive behaviours, employees should raise any issues they see rather than assume someone else will. Often, security is given thought or airtime only when things go wrong. Businesses, however, should inspire proactivity and give employees a mandate to expose issues before they become problems.

As well as what is said in employee outreach, frequency is key. Often, businesses go from one extreme to the other, with communications either annual and therefore forgettable, or so frequent that employees tune out.

An ongoing challenge

Once a robust approach to cyber security is established, that isn’t the end for the organization. Just like IT service management, cyber safety requires continuous improvement. Businesses must constantly look at how they can develop and advance their resilience to evolving risks and threats, and remember that what works now most definitely will not in five to 10 years.

Ultimately, nothing is ever perfect and that’s true of technology, processes and employee education. In fact, it’s particularly the case when it comes to training new staff as they come in to the business.

As well as considering emerging threats, companies should also be thinking about the challenges that are no longer a heightened issue. For example, if you’re no longer seeing a particular kind of incident, does it really need to be at the front of the training manual? Businesses should always be looking at what’s new and what attackers are doing now.

By thinking of cyber security as an ever-evolving entity and applying the same processes and behaviours that have become more commonplace in IT Service Management, businesses can ensure their resilience in the face of a crisis. What’s key is momentum and ensuring cyber security isn’t a tick box exercise.

See our RESILIA section for more information about cyber resilience.


Comments

21 Aug 2018 John IT
Thanks for posting such an informative article.