A recent Forbes Insights report, which polled the perspectives of more than 200 CISOs across industries, revealed that most CISOs (84%) believe the risk of cyberattacks will increase. Equally worrying, almost a quarter (21%) believe the capabilities of attackers are outpacing their ability to defend their organizations.
As I wrote in my best-selling book, The Five Anchors of Cyber Resilience, without practical guidance on how business leaders use limited budgets to create high-impact, focused cyber security strategies, the idea of cyber resilience remains elusive for many enterprises. Some business leaders now harbour deep-seated reservations that cyber threat actors are undeterrable and cyber resilience is unachievable. Inside boardrooms, there is a significant amount of justified frustration. Most leaders feel like passengers on a runaway train that the driver can neither control nor stop.
These are reasonable sentiments, but they also raise important questions. Why are some enterprises able to withstand cyber stresses while other enterprises are hacked into bankruptcy? And why can some companies bounce back as quickly as they are taken down?
Building effective and sustained cyber resilience requires CISOs to focus on strategic aspects of cyber security that, if properly implemented, will significantly reduce any enterprise’s cyber-risk exposure while keeping costs at a minimum. Mastering these essential domains can spell the difference between an enterprise’s success and failure.
So, what are these ‘five anchors’? What do cyber-resilient enterprises do differently from other enterprises?
- They build their cyber security strategy centred on high-value assets
Cyber-resilient enterprises steer away from conventional, one-size-fits-all cyber security investment models and prioritise the protection of their crown jewels – their most critical information assets, which, if compromised, could severely undermine the enterprise’s bottom line, competitive advantage, reputation, or even threaten its survival. They are willing to break down barriers and redefine how cyber security is done. These digital assets represent the heart of the enterprise and underlie business functions that deliver high return on investment for stockholders and product offerings that customers value highly. They then build security infrastructure that actively supports these priorities.
Unlike several enterprises that start with a predefined set of controls and then build security frameworks based on ‘best practice’, cyber-resilient enterprises think differently – they place the customer at the centre of everything they do. By building customer-centred cyber security models, cyber-resilient enterprises shift the oft-held perception that security (and technology at large) is a cost centre to that of an integral force that empowers business growth and buttresses customer trust.
They also acknowledge that times have changed: consumer digital experience is now a key differentiator – protecting the enterprise while meeting the demands of today’s empowered consumer is a careful balancing act. To that end, cyber-resilient enterprises actively manage the seemingly conflicting demands of convenience and security – they don’t prioritise one at the expense of the other. When designing new digital solutions, cyber-resilient enterprises always start with the end customer, and then design dynamic security solutions that enable customers to opt into security features based on their appetite for risk, rather than sticking to widely resented binary security models.
- They put people at the centre of their cyber security strategies
Cyber-resilient enterprises put people’s hearts and minds, not technology, at the centre of their cyber security strategies. They create deeply entrenched beliefs that protecting the enterprise from cyberthreats is everyone’s responsibility, from the board of directors through to frontline personnel. Cyber-resilient enterprises transform employee attitudes and behaviours through compelling and contextualised messages; reinforce good deeds; and provide steadfast, clear and frequent messages from the top. These enterprises know that cyber resilience transcends technology – the real work of defending the enterprise takes place within business teams and is underpinned by shared norms and values. They extend the scope of their cyber-awareness outreach beyond the periphery of the enterprise and empower their customers and business partners with real-time, practical insights. Their people embrace the precepts of cyber security appetite of their own volition and go way beyond their call of duty to protect the enterprise.
- They bake cyber security into innovative programs
Cyber-resilient enterprises recognise that, if properly governed, emerging technologies – such as big data, cloud, internet of things (IoT), blockchain, artificial intelligence (AI) and so forth – have strong potential to accelerate innovation, revitalise customer experience and boost competitive advantage. They actively resist the urge to defer security work, making it an enduring and inescapable facet of all digital transformation programs. They are constantly thoughtful and diligent about the security decisions they make as they embrace disruptive technologies, anticipating major pitfalls early and embedding security deeply into design work. Cyber-resilient enterprises also maintain clear road maps to ensure security capabilities keep up with an ever-changing threat landscape.
- They implement a risk-based assurance program over suppliers
Cyber-resilient enterprises acknowledge that in today’s fast-paced business environment, businesses need to partner with external suppliers to access innovative solutions, lower costs or enable them to refocus on their core areas of differentiation. But they don’t enter these alliances blindly – the majority of debilitating cyber-attacks have emanated from poorly secured third-party environments. Cyber-resilient enterprises manage this complexity by implementing risk-based cyber assurance programs over suppliers, enabling the enterprise to adapt quickly to changing market opportunities, stimulate innovation and access unique capabilities, all while minimising exposure to cyberthreats that emanate from poorly secured business partners.
- They create highly effective, lean and efficient governance structures
Cyber-resilient enterprises acknowledge that board oversight and C-suite leadership are essential to driving any transformational change, and that cyber security is no exception. Their most senior business officers and the board of directors provide unwavering support for cyber security programs. They role model expected behaviours and uphold the virtues of their cyber-risk appetite. They embed cyber-risk governance into the bloodstream of their enterprises, making it an inevitable and inconspicuous part of strategic and operational decision-making, and, as a result, foster transparency and accountability. Cyber-resilient enterprises reject needlessly complex and rigid decision-making structures that impede prompt strategy execution. Instead, they favour lean and efficient structures that can rapidly and flexibly adapt to reflect changing market needs or business circumstances.
Granted, every enterprise is different – there is no universally right cyber security strategy. This is a consistent message throughout this book. There is certainly no one-size-fits-all approach to cyber resilience, but The Five Anchors provides a strong foundation for CISOs to prioritise security investments and optimise governance structures. The Five Anchors of Cyber Resilience methodology certainly doesn’t replace good practice frameworks – it complements them.
Phil is an experienced head of cybersecurity, strategic advisor, author, and public speaker. He is the Amazon best-selling author of The Five Anchors of Cyber Leadership, a practical cyber strategy book for senior business leaders. He is the 2017 winner of ISACA International’s Michael Cangemi Best Book/Article Award, for major contributions in the field of IS Audit, control and security.