Building a cyber resilient organisation requires a holistic approach that encompasses people, processes and technology.
By Al de Brito, Senior Consultant: Advisory Services at ContinuitySA
The Business Continuity Institute’s Horizon Scan for 2019 found that cyber-attack and data breach were the top threats for the coming 12 months. That’s a clear indication of the importance of IT and data to modern organisations—and the nature of the threats they face.
Because the threat landscape is so fast-moving and the cybercriminals are so well resourced, it has to be accepted that it is virtually impossible to predict and repel every threat. In a world where an unforeseen risk is likely to materialise, it becomes vital to build an organisation that can respond to, and recover from, even incidents it could not have foreseen and thus for which it has no specific plans.
The big question is how to build such a resilient cyber environment. The answer is to follow the same process used for building overall resilience: people, processes and technology must form part of an integrated approach that recognises that IT is integral to the organisation, and that people are the key to cyber resilience.
This contradicts traditional cybersecurity approaches, which tend to treat cybersecurity in isolation, as a purely technical matter best solved by technology.
In practice, this integrated approach is made up of several layers. The board and executive team are responsible for setting the strategy, while senior and middle management decide how the strategy should be implemented. Lower management and administration are tasked with the actual implementation, which naturally affects all employees.
It’s very clear how this approach pulls together people, processes and technology. But one must also concede that the fulcrum is people—they not only create and implement the processes and technology, they also act as the essential front line for identifying new threats and better ways of doing things. It is thus important that the organisation drives a mindset change as regards security generally, and cybersecurity in particular, based on awareness. Everybody needs to understand the psychological nature of the threat, and also what their individual roles and responsibilities are in the event of an incident.
If you follow this holistic approach, you can create a resilient organisation that can identify, respond to and recover from any cyber threat, even one you could never have foreseen.
Contact ContinuitySA to talk to an advisor about your cyber resilience strategy.