Navigating Your Way Through Today’s Risk Battlefield

Steve Durbin, Managing Director, Information Security Forum

Cyber-attacks continue to become more advanced and sophisticated than ever before. In today’s cyber age, a company’s reputation – and the trust dynamic that exists amongst suppliers, customers and partners – has become a real target for cybercriminals and hacktivists.

The commercial, reputational and financial risks that go with cyberspace are real and growing. Organizations need to extend their risk management focus from pure information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels. They must also recognize the unintended business consequences from activity in cyberspace.

Preparation for Increasing Legislation and Regulation

As pressure from regulatory compliance increases, Chief Information Security Officers (CISOs) must take an increasingly integrated and holistic approach to information risk management. By implementing strong information security measures, the CISO is more likely to stay ahead of increasing regulatory mandates.

There is no way to get around data privacy laws and regulations: businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are alike in their regulations and privacy legislation, or in their requirements for fraud and breach prevention. Traditional information protection methods may be difficult to apply, or useless, when it comes to storing or harnessing data in the cloud. Unless you continuously monitor the rules that apply to you, and put mechanisms in place to do so, you may be compromising not only your data but also your corporate responsibility.

Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it sufficiently. As a result, businesses need to treat privacy as both a compliance issue and a business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and the consequent loss of customers following privacy breaches.

Managing Information Risk

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience, in order to manage, respond to and alleviate any negative impacts of activity in cyberspace.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of those incidents. This means assembling multidisciplinary teams from business units and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. Such a team should be able to respond quickly to an incident by communicating with all parts of the organization, with individuals whose data might have been compromised, and with shareholders, regulators and other stakeholders who might be affected.

Protecting Your Sensitive Information

It goes without saying that business leaders recognize the enormous benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, many have trouble assessing the risks versus the rewards.

One thing that organizations must do is ensure they have standard security measures in place. One example of guidelines would be the Information Security Forum (ISF) Standard of Good Practice (The Standard). The Standard is used by many global organizations as their primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

Focus on Cyber Resilience

Organizations operate in an increasingly cyber-enabled world today and traditional risk management just isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling.

To make your organization better able to navigate the security minefield, here are a few steps that businesses should take to prepare themselves:

  • Re-assess the Risks to Your Organization and its Information from the Inside Out
  • Change your Thinking About Threats
  • Adopt a risk vs. reward mindset
  • Embed security in business unit plans
  • Define an approach for managing data accessed on mobile devices and in the cloud
  • Revise Cyber Security Arrangements
  • Focus on the Basics
  • People and technology
  • Be ready to provide proactive support to business initiatives in order to
  • Think resilience not security
  • Help your organization understand how to respond to regulators and data subjects
  • Prepare for the Future

Businesses have fluctuating degrees of control over today’s ever-evolving security threats. With the speed and sophistication of the threat landscape changing on a daily basis, far too often businesses are being left behind in the wake of both financial and reputational damage. Organizations of all sizes need to take stock now to make certain they are fully prepared and engaged to deal with these ever-emerging information security challenges.

About the Author

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
