Different industries have different cyber security concerns

Alex Ayers, co-founder and consulting director at Turnkey Consulting, says information security professionals must remember that businesses do see security as an important concern, but as one among many, and that different industries have different concerns. A "good enough" level of security is an acceptable state. Financially quantifying risk can be difficult to achieve, but doing so allows those who hold the budget to make better-informed funding decisions, which makes them less likely to see security as a poor investment.

“As security professionals, it is very important that we communicate in ways that resonate with our audience,” says Ayers. “We may be comfortable talking about data exfiltration to a CISO, but that same terminology may leave a CFO or COO confused. We have to understand the risk in the context of the business to make our advice relevant and pragmatic to implement. By doing this, we are demonstrating value as trusted advisors.”

The threats to digital business are only going to get more complex. "As an industry, we need to ensure we can attract and retain individuals who fulfil the broad spectrum of roles that the industry has to offer," he says. "We need to recognise and reward business engagement skills in the same way we do technical skills, and provide clear paths for progression that do not involve leaving the industry."

While digitally enabled businesses certainly have an increased attack surface, the key principles of cyber security best practice will always remain the same, says Ramsés Gallego, past international vice-president of the Isaca board of directors and strategist and evangelist in the office of the CTO at Symantec.

“Whatever the type of business, it’s fundamental that there is a plan in place that takes into account all of the emerging technologies we’re seeing, from cloud to increased mobility, big data and the internet of things (IoT).

“It is also critical that organisations, no matter the size or industry, comprehend where data that is instrumental for the day-to-day activities of a company lives and, in consequence, how it should be protected.”

Beyond these technical processes and procedures, Gallego says, security professionals also need to familiarise themselves with the latest legislation and regulations that companies have to abide by, coupled with a clear understanding of the numerous governance frameworks.

Tailoring the security message for business

Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management, says that understanding the business, its profit and loss and the cost of its marketing and sales function, is key to tailoring the security message.

A company cannot exist without a marketing and sales function; equally, without good information security it may fall foul of a breach and, in the worst case, fail.

The message that should be given to the business, says Wenham, is simply this: “If you don’t do X, Y will happen, and that will cost the business £Z.

“X is an information security control such as ensuring the IT estate is security patched with the latest patches, or that all people in a company are given regular training and education in being security-aware citizens who know what to do when things start to go wrong.

“Y is of course a security breach, which could be someone hacking into a company’s IT estate and taking copies of data. But it is more likely to be someone opening a malware-infected email attachment or clicking on a link in an email that takes their browser to a website that is a source of malware, which increasingly these days could be ransomware.

“£Z is the cost to the business of recovering from the breach. It’s the cost to the business that needs to be articulated, and in a way that is understandable. Simply saying it will take two days to recover from a breach isn’t sufficient,” he says. “You also need to identify the potential cost to the business of lost productivity across the whole company, the anticipated loss in sales, and the typical cost of using external specialist help.”

Wenham says a funding request should be written with the recommendations immediately following the management summary, and structured along the lines of X, Y and Z.

“If there is a range of options available, prioritising the options along the lines of ‘must have’, ‘need to have’ and ‘nice to have’ will help the business reach appropriate decisions,” he says. “Detailed risk reviews and analysis, work identification and costs to implement, and the potential costs to the business if various work is not done should be included as supporting appendices.”