Cyber security plays an increasingly important role in the design and development of every category of engineering project, and at the same time government and multinational bodies are coming together to create global strategies to tackle the threat, says Kevin Fuller, Security & Risk Consulting Practice Leader, Burns & McDonnell
Hostile cyber-attack is a Tier 1 risk to the UK, according to the National Security Risk Assessment, sitting alongside international military crises, terrorism and major accidents or natural hazards.
In the UK, the National Cyber Security Strategy 2016 to 2021 aims to make the UK one of the safest places in the world to live and work online. Meanwhile, the EU’s Network and Information Security directive sets specific cyber security requirements for operators of essential services, which includes the energy sector.
In this context, businesses need to be more prepared than ever to devote significant investment and resources to their security frameworks and capabilities. Here are some of the factors you should consider to ensure that you have a robust cyber security framework that protects your business, your employees and your customers for the long term. Bear in mind that balance is vitally important for a well-designed cyber security programme. Just as a healthy company requires a balanced budget to operate effectively, a properly functioning cybersecurity programme requires similar equilibrium.
Over the years, I have had the opportunity to work with hundreds of companies across many industries and of varying size. It is eye-opening to see the number of companies that rely too heavily on cyber security products in their security programmes. They are continuously searching for a silver bullet that will solve all of their problems and make their concerns disappear. But whilst technological products are important, the reality is that a healthy cyber security programme requires a balance of people, processes and technology to be truly effective.
Any security professional who is a technician at heart enjoys tinkering with a new, shiny toy. Even newcomers to the industry quickly see there is no shortage of new tools to test drive. By some counts there are more than 1,200 technology suppliers in the cyber security market. Despite the opportunity-rich environment, security teams should be wary of chasing the latest and greatest tools until they have assessed the real need for the added capabilities.
Purchasing the latest and greatest device, without investing in people and skills, will not help your organisation in achieving its security objectives. A track record of not using new purchases will work against security leaders because new requests will be seen as more “shelfware.”
By balancing people, process and technology, an organisation is able to see that it is purchasing the right tools at the right times. People are trained on the new capabilities, and processes are established to integrate their use. The results of the new investments can be captured in key performance indicators (KPIs) to show real business value every time.
There are three other key aspects of a healthy cyber security programme that must be balanced: risk tolerance, affordability and continuous improvement. These are the real driving forces behind a security programme’s progression up the maturity scale. They are important facets because they will dictate how to focus your people, processes and technology investments.
An organisation that chooses to accept greater risk of an incident is likely to invest less in its cyber security programme. As major changes won’t come often, a greater focus on incremental, continuous improvement is an effective means for improving a programme’s maturity. Conversely, organisations with very low risk tolerance must be willing to invest more in people, processes and technology. This requires larger jumps up the maturity scale and there is less focus on incremental, continuous improvement because the security teams are pressed to reduce risk at any cost.
There are several activities and capabilities that organisations with low risk tolerance should consider adopting early on. One such activity is an annual, third-party risk assessment to provide an unbiased view of the organisation’s maturity and progress year-to-year. An insider threat programme provides risk reduction for security purposes as well as identification of non-malicious errors that can cause significant impact to an organisation. Behavioural analytics leveraging machine learning enhances the detection capability of any security programme. Finally, continual investment in training and awareness that goes beyond the thirty-minute annual refresher will always see a positive return on investment.
There is no silver bullet in the world of cyber security, and anyone who tries to sell you one is ignoring the complexities of modern business. A healthy cyber security programme demands a balance between the effective use of people, robust processes to utilise capabilities, and the right technologies to enable organisations to protect themselves. Failure to achieve balance will result in a programme that will certainly falter. Due diligence by security leaders throughout the programme life cycle will be well worth the time invested.
Amidst all the software and tech tools on the market, having a solid plan in place can help you build a more comprehensive security programme that’s ready to tackle risks today and in the future.
Kevin Fuller, Security & Risk Consulting Practice Leader, Burns & McDonnell