The government has clearly outlined what it expects of businesses and individual citizens: everyone needs to be more responsible for their own cyber security.
As businesses become more digital by nature, cyber security has to become a part of their everyday operations. This means seeing cyber security as another operational risk, such as physical damage or theft, rather than being confined to the IT department. This approach has rarely been taken, but is desperately needed.
This means communicating information risk as a business risk, and information security professionals can help in these ways:
1. Information security professionals need to look at information risk as more than a technical issue. It must be assessed in terms of its implications for customer service, PR and business reputation. These risks must be communicated in a way that clearly explains the potential harm to the business should a malicious or accidental incident occur. The risk treatments that can be put in place given the available resources, and the residual risk to the business, must be clearly stated and updated as the business changes.
2. There needs to be a dialogue between business leaders, IT and information security around information risk. Business leaders should regularly and actively challenge IT and information security leaders on information risk and its business impacts, and not just accept that technology can solve the problem. This is a two-way street. As much as information security leaders can push this dialogue, business leaders must provide the time to listen, comprehend and discuss.
3. Information security professionals need to help business leaders deepen their understanding of information risk, and of where new vulnerabilities arise as organisations change the way they operate and become more technology-dependent. Information risk must be thought of in the same bracket as governance.
4. Organisations should examine how to include information security requirements from idea through to design, development, engineering, testing and production of any product or service that is built, produced or bought by the business. This “security by design” approach is cheaper and more effective than adding security as an afterthought once the product is on the market and problems arise.
Businesses must become more responsible for their own cyber security, and to achieve the government’s aims, we must move away from the misguided approach of reducing cyber security to a technology problem. Cyber security must be recognised as a fundamental component of business, a critical responsibility that business leaders must not ignore.
Adrian Davis is managing director for Europe at (ISC)².