How information security professionals can help business understand cyber risk

Information security is continually moving up business and board agendas, but information security professionals find it challenging to help business leaders fully understand the cyber risks across increasingly digital businesses.

The UK government’s latest National Cyber Security Strategy requires businesses to have a detailed understanding of the risks to their information systems and raise standards to mitigate them.

The challenge comes as businesses are becoming increasingly reliant on digital and online systems, making it all the more difficult to achieve a good understanding of cyber risks across the whole company.

In the digital era, most businesses have new points of entry to defend: email and cloud services, mobile devices and applications, payment gateways and datacentres, and many other environments and applications.

Information security professionals play a vital part in digital transformation, making sure businesses understand the risks and are able to act to reduce their severity.

That said, information security professionals find it very challenging to engage business leaders and boardrooms on cyber security, and for those leaders in turn to understand the scope of the area in the first place.

Research by Osterman Research has shown that 37% of IT security professionals believe this risk is lowered following talks with their boards.

Many feel overlooked, ignored and underappreciated when trying to get a budget to address security holes, says Tim Holman, chief executive at 2-sec security consultancy.

“The challenge we face isn’t the business failing to grasp cyber risk, it’s addressing the communications gap between technical staff and business owners,” he says.

Cyber insurance a grudge purchase for business owners

According to Holman, business owners generally do not like to spend money on anything that does not in turn make them money; even cyber insurance is purchased grudgingly.

“I’m never fond of paying a high premium, but I accept it if there’s a niggling feeling that I could lose my livelihood and house if I fail to get the right insurance cover,” he says. “And mitigating cyber risk is exactly the same. If companies don’t do it, they could go out of business.”

In general, businesses can be overconfident about their existing defences. This leaves information security professionals in a difficult position when trying to persuade their business leaders and boards that there really is a need to reduce security risk, as those leaders often doubt they could be seriously affected by a cyber attack.

Holman cautions against demanding cash after something has happened to plug a hole. “It’s about taking a proactive stance, dealing with cyber security before something happens, and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.

“I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business,” he says.

If this does not work, Holman suggests running a short, sharp exercise in which information security professionals demonstrate to their business leaders exactly what could go wrong in their cyber world.

“Simulate a phishing email, put a malware test file on your CEO’s laptop, take your CFO’s laptop away for an hour and simulate critical hardware theft. Then leave a suspicious package in the mail room or simulate a web server hack to raise awareness over time, which will ultimately loosen the purse strings and get support for implementing change.”