There has been much media attention and hype around cyber security. Is it just a new label for an old function (Information Security)? Or is there something new and significant involved which has implications for organisations and how they manage their security risk?
The use of the label cyber security has brought new attention and focus to the topic from people in various functions which fall outside the traditional security specialism. CEOs, Ministers, CFOs and CIOs all now have a view on the issue. This is welcome because the threat to their organisations is real and requires a strategic response.
There have been three interlocking trends which have elevated the security risk to one of strategic significance for many organisations:
- The nature of the adversary and the sophistication of their operations have evolved dramatically. Growing awareness of the Advanced Persistent Threat (APT), demonstrated by the Stuxnet attack on nuclear industrial control systems, has highlighted the risk to business continuity, intellectual property, commercial and customer information.
Meanwhile, cybercrime has been recognised as a key threat to many organisations, driven by the scale, resources and ingenuity demonstrated by many cyber criminals.
- The regulation and compliance regime in most sectors has become more rigorous in its approach to data compromise and breaches. The new powers of the Information Commissioner in relation to loss of personal data can impact significantly both financially and reputationally on organisations found to be in breach. Most industry regulation, such as Basel II and Solvency II in the finance sector, has information security implications.
- New technology and service offerings in the IT industry, such as cloud computing, mobility, ubiquitous connectivity and social networking, have in different ways undermined the value of traditional approaches to security by blurring the boundaries we are trying to defend and challenging many traditional security policies.
All three trends not only increase the exposure but also the potential impact and damage that could result.
The risk environment in which we now operate has been transformed and hence the traditional approach to security is no longer adequate.
We need to change the way we think about security. Primarily this demands a strategic approach, treating security as a strategic risk which is properly assessed and managed so that areas of weakness and vulnerability across the organisation are understood and prioritised for remedial action.
Risk should be reviewed and managed at the most senior level in the organisation, and the security function should have a powerful voice within the corporate structure.
The advent of the CISO as a significant role alongside or working to the CIO is an important development in this respect.
A strategic review of all dimensions of the security risk, taking into account the new and emerging threats, can lead to a significant shift in the overall assessment. For example, in the utilities and transport industries, the integration of key industrial control functions with corporate networks can create new areas of vulnerability to cyber attack and is causing a radical reappraisal.
This in turn can lead to an organisational cyber strategy which is about a fundamental transformation of the security architecture.
At a time when budgets are under severe pressure this can raise alarm bells, but one of the virtues of a strategic approach, based on a full risk assessment, is that the change programme can be properly prioritised and target the most significant areas of risk.
Nick Hopkinson was formerly CIO at GCHQ. He is now cyber security director at CSC: an IT services company providing cyber security solutions for businesses