Raising cyber security awareness

Cyber security is everybody’s responsibility, says Maxine Holt, principal analyst at the Information Security Forum (ISF). “Start by raising awareness across the organisation because people are an organisation’s biggest asset and also potentially its biggest risk. How these people take decisions and behave in key moments is essential to strengthening resilience.”

Holt advises capturing the attention of the business with a “sell not tell” message. “Promote a cyber-secure culture by using business language; individuals switch off if they don’t understand what is being said.”

Business relationship manager roles can be used to great effect: they provide a link between the information security function and the rest of the business, and they help to explain what needs to be done to support cyber security.

Adrian Davis, managing director for Europe at (ISC)2, advocates a more “business as usual” approach. “As businesses become more digital by nature, cyber security has to become a part of everyday operations. This means seeing cyber security as another operational risk, such as physical damage or theft, rather than confined to the IT department. This approach has seldom been taken but is desperately needed.

“Businesses have to become more responsible for their own cyber security, and to achieve the government’s aims, we must move away from the misguided approach of reducing cyber security to a technology problem. Cyber security must be recognised as a fundamental component of business, a critical responsibility that business leaders must not ignore,” he says.

Adrian Davis firmly believes that information security professionals can aid communication of the risk by looking at it from more than a technical point of view and assessing the impact it has on other areas of the business, such as customer service, PR and business reputation.

“These risks must be communicated in a way that clearly explains the potential harm to the business should a malicious or accidental incident occur. The risk treatments that can be put in place given the resources – and the residual risk to the business – must be clearly stated and updated as the business changes,” he says.

He also believes there needs to be communications between business leaders, boardrooms, IT and information security encompassing information risk.

“Business leaders should regularly and actively challenge IT and information security leaders on information risk and its business impacts, and not just accept that technology can solve the problem. This is a two-way street: as much as information security leaders can push this dialogue, business leaders must give the time to listen, comprehend and discuss,” he says.

In addition, Adrian Davis feels that organisations need to consider how they can incorporate business security requirements in every area, from design, development, engineering and testing through to production, of any product or service created, produced or bought by a business.

“This ‘security by design’ approach is cheaper and more effective than adding security as an afterthought once the product is in market and problems arise,” he says.

An important element of the “business as usual” approach is for information security professionals to ensure it is easy for people in an organisation to follow good security practices, says Alex Ayers, co-founder and consulting director at Turnkey Consulting.