Cyber resilience must become everybody’s business in the organisations of today and tomorrow.
By Bruckner de Villiers, GM: Western Cape, ContinuitySA
Once upon a time, caped crusaders, speedos and all, prowled dark alleys on the lookout for criminals. Then they started to work in groups, presumably as criminal gangs started to get more sophisticated. It is not much of an exaggeration to say that this lone-hero approach remains standard for anyone involved in security, including cyber security, with intrepid IT nerds setting traps and policing the firewalls.
It is just not good enough. Cyber threats are pervasive and subtle, and an organisation's reliance on ICT is too deep for its protection to rest on individual efforts, even though most businesses have not yet come to terms with the full extent of that reliance.
In short, cyber resilience should be everybody’s job. It requires an integrated and proactive response to a shifting set of very real threats.
Think about it. ICT is no longer solely about improved communication speeds and operational efficiency. It is no longer even just the platform on which business takes place. It is these things but more: it has literally become the business itself. In more and more businesses—and even governments—business processes, transactions and data are all digitised and increasingly automated.
And now, thanks to the mobile revolution, the digital world is decentralising as it becomes pervasive. It is truly everywhere, and so are the criminal syndicates. As industries digitise ever more completely, well-funded and increasingly sophisticated criminal syndicates are targeting the rich stores of corporate and personal data held online.
Despite this dependence, and the calamity a systems breach or failure would represent, too many companies still see cyber security as a purely technical issue, the preserve of the CIO or IT manager. In fact, cyber risk should be treated as one of the primary business risks and form part of the overall business continuity and resilience plan. If it is seen in isolation, as a purely technical issue, its impact on the business will be underplayed and recovery plans will tend to focus on technical matters. However, recovering systems is only half the job: the business processes which rely on ICT must also be recovered, and proper crisis communications with all stakeholders are vital to preserving reputation.
In addition, IT executives are not necessarily trained in risk management, and may inadvertently leave the proverbial back door open while securing the front door.
To put it bluntly, the resilience of an organisation depends on the resilience of its ICT—but only as part of the overall organisational business continuity and resilience plans.
By making ICT governance a board responsibility, governance codes such as King have begun to shift perceptions and have laid the foundations for seeing cyber risk as an integral part of the overall risk mitigation strategy. The move towards integrated thinking in King IV takes us a little closer. But we are still not there yet: until cyber risk is integrated into the overall risk strategy, and thus the business continuity plan, organisations will remain vulnerable to the shadowy forces of cyber crime, caped crusaders notwithstanding.
Business Continuity Awareness Week (BCAW2017) [15-19 May] this year explores the issue of cyber-resilience. Find out more about the series of webinars designed to explore this critical subject.