World-class organisations recognise that cybersecurity can, and should, be a powerful enabler for business: they align their cybersecurity strategy with corporate strategy, they support it with the right culture and technology, they accurately measure its performance, and they understand that performance in terms of business value and return on investment.
What they don’t do is adopt an imprecise, one-size-fits-all approach to cybersecurity that fails to properly mitigate the risks it claims to address, like that imposed by the Investigatory Powers Act (IPA) and the recent calls by Amber Rudd to outlaw strong encryption. These high-cost, outdated sledgehammers that claim to regulate and improve surveillance capabilities not only fail to improve security, they erode the privacy and security of innocent citizens and businesses.
Organisations that want to turn cybersecurity into a business asset can learn from the failings of successive Government attempts to legislate against cybersecurity risks. As I see it, there are four key pillars of an effective cybersecurity strategy that enable a business to operate securely and successfully.
1. Make cybersecurity an integral part of corporate strategy
Successful organisations don’t think of cybersecurity as an IT issue: they embrace it as a business risk requiring the same degree of board-level attention as any other. They see the technology required to secure information assets not as a drain on the business, but as a means of supporting growth.
Cybersecurity is expensive and organisations can still be compromised no matter how much they invest in it, but by working with senior stakeholders across the business to clearly define specific risks and then prioritising them, an organisation finds out exactly where to target its spending. Security by design is the only sensible approach.
Organisations must also carefully consider the residual impact of their security controls. Closing one risk may simply move the same threat elsewhere. How encryption works is not confidential: the security of a well-designed cipher rests on the secrecy of the key, not of the algorithm (Kerckhoffs’s principle), and the math behind the common algorithms is published precisely so that it can be peer reviewed. Amber Rudd’s call to simply ban apps that provide strong end-to-end encryption would therefore not stop malicious actors, who can download and compile freely available open source encryption libraries, or write their own implementations from the published specifications.
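To make that point concrete, the following is an added example (not part of the original article) of the ChaCha20 stream cipher written directly from its public specification, RFC 8439, using only the Python standard library. Everything needed to reproduce it, including the constants, the round structure and the test vectors, is in the RFC. It is deliberately a teaching implementation: it provides no authentication and no protection against timing side channels, so it is not something to deploy, but it shows that a ban on encryption apps does not remove the capability from anyone who can read a specification.

```python
"""ChaCha20 block function and stream encryption written from RFC 8439.

Added illustration only: a few dozen lines of pure Python reproduce the
published algorithm. The test vectors used below are the ones printed in
RFC 8439 sections 2.1.1 and 2.3.2.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(a: int, b: int, c: int, d: int):
    """The ChaCha quarter round (RFC 8439 section 2.1)."""
    a = (a + b) & MASK32; d ^= a; d = _rotl32(d, 16)
    c = (c + d) & MASK32; b ^= c; b = _rotl32(b, 12)
    a = (a + b) & MASK32; d ^= a; d = _rotl32(d, 8)
    c = (c + d) & MASK32; b ^= c; b = _rotl32(b, 7)
    return a, b, c, d


# Column rounds followed by diagonal rounds (RFC 8439 section 2.3).
_ROUND_INDICES = (
    (0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14),
)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """Produce one 64-byte keystream block (RFC 8439 section 2.3).

    key is 32 bytes, nonce is 12 bytes, counter is a 32-bit block number.
    """
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    # The "expand 32-byte k" constants, then key, counter and nonce,
    # all as little-endian 32-bit words.
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)

    working = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in _ROUND_INDICES:
            working[a], working[b], working[c], working[d] = quarter_round(
                working[a], working[b], working[c], working[d])

    # Add the original state back in and serialise little-endian.
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(working, state)))


def chacha20_xor(key: bytes, counter: int, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the operation is symmetric) by XOR with keystream.

    Unauthenticated: a real protocol pairs this with Poly1305 (RFC 8439
    section 2.8). Never reuse a (key, nonce) pair.
    """
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], keystream))
    return bytes(out)


def rfc8439_block_vector() -> bytes:
    """Key 00..1f, nonce 00:00:00:09:00:00:00:4a:00:00:00:00, counter 1
    (RFC 8439 section 2.3.2)."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)


if __name__ == "__main__":
    print(rfc8439_block_vector().hex())
    msg = b"constructed sample plaintext for a round trip"
    key, nonce = bytes(range(32)), bytes(12)
    ct = chacha20_xor(key, 1, nonce, msg)
    assert chacha20_xor(key, 1, nonce, ct) == msg
```

Checking the output against the vectors printed in the RFC is the whole point: anyone can confirm their own implementation matches the standard, which is exactly why a legal ban on the applications cannot reach the underlying capability.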
2. Establish a cybersecurity culture and capability to help drive business success
There is no room for ivory towers in high-performing organisations: cybersecurity is everyone’s responsibility. User-awareness training helps non-IT employees identify potential threats and question insecure business processes, while encouraging technical staff to engage with their industry peers develops internal security talent and fosters a deeper understanding of the issues. It is also important to recognise that some specific security demands may require specialist external expertise.
The role of the CISO is a strategic one. A CISO who is focused on business strategy and senior stakeholder engagement will be able to align technical solutions with business needs.
A world-class cybersecurity function comprises a highly capable, experienced team that engenders a strong cybersecurity culture and constantly seeks to better enable the business.
3. Focus on key technology areas
Industry-leading organisations are clear about what is required to protect an IT-dependent business, especially those areas that present the greatest risks alongside the greatest benefits.
They know how to enjoy the benefits of cloud services while maintaining control over information assets. They can protect end-user devices from targeted threats and control ‘bring your own device’ (BYOD) while allowing flexible ways of working.
Successful businesses rigorously monitor the IT estate to spot vulnerabilities and potential breaches.
These businesses understand that good governance, supported by effective cybersecurity investment, is paramount. It is poor governance that puts security, freedom and commerce at stake – which is exactly what the IPA did in its bid to govern the use of covert techniques by public authorities.
4. Accurately assess cybersecurity performance
Not only did the IPA legislation, drafted for a different age and threat landscape, demonstrate the pitfalls of failing to clearly articulate the problem, it also proved woefully inadequate in terms of measuring the success of the ‘solution’ it imposed.
Organisations must know precisely how effective their cybersecurity is, which makes accurate measurement critical. Traditional measures of assessing cybersecurity effectiveness are not good enough. The historic ‘nothing happened’ approach doesn’t generate any useful intelligence on which the board can base cybersecurity strategy, while volume and compliance metrics only tell part of the story.
Combined, these can create a false sense of security that can be more damaging than simply admitting to a lack of understanding of effectiveness.
Knowing the number of viruses removed or spam emails blocked, or the time taken to detect an indicator of compromise, only reveals how well an organisation reacts to threats. Simply complying with best-practice cybersecurity control checklists is no guarantee against security incidents.
Organisations must also look at metrics aligned to strategy: evaluation of risk, their competence in predicting and defending against attacks, and their ability to identify and remedy the root causes of problems.
Including business metrics in the assessment gives the board a more rounded understanding of cybersecurity performance. Measuring cybersecurity incidents in terms of cost and impact to business operations, and demonstrating where cybersecurity initiatives have enhanced performance or prevented threats from manifesting, reveals the business value of the strategy.
In terms of cybersecurity for business, the lessons of the IPA and the current knee-jerk calls to ban encryption are clear: don’t waste huge resources implementing a strategy that is neither fit for purpose nor properly measured against the requirement. Getting cybersecurity right is a job for experts, not amateurs.
Published in Infosecurity Magazine.