“If I had an hour to solve a problem, I’d spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.” Albert Einstein
This well-known quote certainly hits home when it comes to cyber security. Unfortunately, many organisations instinctively jump straight into solution mode without first understanding the business problem at hand. This behaviour is often enabled by vendors and others with vested interests who are all too happy to come along for the ride!
Not all controls are created equal
The key driver in addressing cyber security needs to be enabling organisations to protect the assets of most value to them. It is not hard to imagine the negative business outcome if, for example, valuable records containing health information were disclosed, damaged or destroyed. Yes, improving an organisation's security posture may mean investing in controls. However, not all controls are created equal, and the degree to which an organisation should invest in a control depends on the level of risk it is willing to tolerate. For many years this vital decision has been left in the hands of the IT department. What has unfortunately resulted is a perception of cyber security as a blocker or an inhibitor of innovation.
There is a saying that cyber security is like the brakes on a car: generally used to reduce the speed of a vehicle or to stop suddenly in an emergency. Another way of looking at it, however, is that brakes enable the driver to travel at much higher speeds, because the driver has control and the confidence to go faster and to take more risks.
Another important point in this analogy is that it is the driver who presses the brake pedal, not the mechanic. Returning to cyber security: it should be the business that decides the level of risk to be tolerated, not the IT department.
Cyber security needs to be viewed as a strategic business risk, at the centre of which are two key components, each of which can also be viewed as a type of control: Technology and People.
Technology underpins many of the controls that organisations rely upon to protect against, detect and respond to cyber threats. People are unpredictable: our knowledge, attitudes and behaviours towards cyber security can be both an asset and a liability. As we integrate technology further into our lives, it is more important than ever to see cyber security as an enabler that helps us get where we need to go in a safe and secure manner.
The Digital Resilience team believes strongly that aligning controls with business requirements is the best way to position security as a trusted advisor within an organisation. The true value lies in helping the business make an informed choice about the level of risk it is willing to tolerate.
Written by Cerri Morgan.