The security end goal for all organizations is cyber resilience. Effective prevention and detection measures are, and will remain, a critical cornerstone of security strategies, but companies shouldn’t stop there. What matters is how the organization prepares for, withstands, responds to, and recovers from an incident. And this depends on people and processes as much as it does on technology.

The U.S. National Institute of Standards and Technology (NIST) updated its benchmark Cybersecurity Framework earlier this year. It added security governance as a strategic priority, meaning how security is implemented and managed through people and processes. As a CIO I completely agree with this.

Effective security governance includes such things as consistent security policies and programs, a business leadership that understands risk and how to manage it, robust incident response strategies, investment in skills and training, and more. Our international Cybernomics 101 study revealed that many organizations are finding these goals difficult to achieve.

Just 43% of respondents believe they can effectively address cyber risk. This low level of confidence in their own security posture is concerning. We decided to dig deeper into the data to learn about the top challenges facing organizations on their journey through risk toward cyber resilience and to draw on our experience to develop practical tools that could help them.

The result is our new CIO report: Leading your business through cyber risk, published today.

The report explores how challenges relating to security policies, management support, third-party access, and supply chains can undermine a company’s ability to withstand and respond to cyberattacks.

Common governance challenges

Among other things, the findings show that many organizations find it hard to implement company-wide security policies. This includes authentication measures and access controls. Half (49%) of the smaller to mid-sized companies surveyed listed this as one of their top two governance challenges. This could in part be a cultural issue, such as where employees push back against enforced restrictions. It is a risk area where business leaders have a powerful role to play.

Just over a third (35%) of the smaller companies worry that senior management doesn’t see cyberattacks as a significant risk, while a quarter acknowledge that senior managers aren’t kept up to date about the threats facing the organization. It is hard to be interested in or care about something you don’t fully understand.

Management support was less of an issue among the larger firms surveyed. They were more likely to struggle with a lack of budget (38%) and skilled professionals (35%).

Regardless of size, many organizations have concerns about a lack of security and control over the supply chain and visibility into third parties with access to sensitive or confidential data.

Around one in 10 of all the businesses surveyed do not have an incident response plan to turn to in the event of a successful breach. The largest companies surveyed were, at 23%, the least likely to have tested their incident response plan. This could be due in part to the complexity and resource requirements of running a realistic test.

A non-existent or unproven plan could do more harm than good if a serious attack hits and a company doesn’t know what to do next or what its obligations are.

Resources to support your cyber resilience journey

Fortunately, organizations don’t have to go it alone. The CIO report signposts some external sources of help and also offers practical templates to help organizations manage cyber risk and map where they are in their journey toward cyber resilience. These include a risk management menu and a cyber resilience checklist.

The cyber resilience checklist draws on the latest iteration of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework. The report is available for free download from the Barracuda MSP website.

Note: This was originally published at Journey Notes.

Photo: Tapati Rinchumrus / Shutterstock

Posted by Siroui Mushegian

Siroui Mushegian is Chief Information Officer (CIO) at Barracuda. Siroui joined Barracuda most recently from BlackLine, where she was responsible for all aspects of BlackLine's internal corporate IT. Before BlackLine, she held executive IT leadership roles at PBS’s WNET New York Public Media, the NBA, Ralph Lauren, and Time, Inc. Bringing more than 20 years of executive and IT leadership experience, Siroui has successfully built strong operational environments that eliminate technology silos, elevated the maturity and impact of technology within her enterprises and delivered measurable and scalable business outcomes. Siroui holds a Master of Business Administration in Management and Strategy from Fordham University’s Gabelli School of Business and a bachelor’s in mathematics and finance from University of Connecticut.
