ISF: consider a cyber resiliency response to protect against 'unknown unknowns'
Cyber resilience is a matter for the whole business to be involved with and not just the security team.
At a presentation this week, Michael de Crespigny, CEO of the Information Security Forum (ISF), said cyber security is not solely an information security issue, but a business one.
He claimed that cyberspace is increasing the information security risk as it is remote and difficult to identify, and potential victims need to be aware of more than ‘information security’ when it comes to their defences.
“A range of attacks cannot be protected against, either because they are unpredictable or use lots of people, but the real story is for a resilient organisation that can respond to an unpredictable threat,” de Crespigny said.
He claimed that more than a technical response is needed, and communication needs to be held with customers, stakeholders and suppliers as well as staff. He said: “This is a key thing for organisations; it is not down to the information security function or the organisation to respond on its own. It needs to communicate functions, as they all have customers and suppliers and they will find themselves a target.
“Organisations haven't thought about cyberspace threats from a resilience perspective.”
He cited four elements of cyber resilience: a governance layer, led by the CIO or CEO, that secures management buy-in, brings partners in and identifies the external organisations involved; situational awareness of the strengths and threats the business faces; a response capability to cyber groups, with the ability to make decisions for the benefit of stakeholders; and a regular cyber resilience assessment.
De Crespigny said cyber resiliency is not about more control or cost, but about what cannot be anticipated, as a risk assessment approach is often done after the event. “It is about anticipation of unpredictability,” he said.
The ISF launched a cyber framework diagnostic tool to members in December; this is now available to non-members also. Named 'Cyber Security Strategies: Achieving cyber resilience', it was produced after meeting 300 of the ISF's members.