Cyberattacks are one of the top 10 global risks of highest concern in the next decade, according to a new report from the World Economic Forum (WEF), with an estimated price tag of $90 trillion if cyber security efforts do not keep pace with technological change.
The challenges created by accelerating technological innovation have reached new levels of complexity and scale. Today, responsibility for cyber security in organizations is no longer one CISO’s job. It involves everyone.
In the Fourth Industrial Revolution, all businesses are undergoing transformative digitalization of their industries that will open new markets. Cyber security leaders need to take a stronger and more strategic leadership role. Inherent to this new role is the imperative to move beyond acting as compliance monitors and enforcers.
The WEF’s Centre for Cybersecurity outlined 10 tenets that describe how cyber resilience in the digital age can be formed through effective leadership and design.
- Think Like a Business Leader - Cyber security leaders are business leaders first and foremost. They have to position themselves, their teams and their operations as business enablers. “The CISO role isn’t only about security, but also about understanding budgeting and the different factors that a business needs to operate,” said OSI Global CISO Michael Welch in an interview with Cyber Security Hub. Transforming cyber security from a support function into a business-enabling function requires a broader view and a stronger communication skill set than was required previously.
- Foster Internal and External Partnerships - Cyber security is a team sport. Today, information security teams need to partner with many internal groups and develop a shared vision, objectives and KPIs to ensure that timelines are met while delivering a highly secure and usable product to customers. “The dynamic nature of the threat, not least in terms of how it reflects the recent growth of an integrated criminal economy, calls on us to build a better global architecture of cyber cooperation,” said Sir Rob Wainwright, Senior Cyber Partner at Deloitte.
- Build and Practice Strong Cyber Hygiene - Five core security principles are crucial: a clear understanding of the data supply chain, a strong patching strategy, organization-wide authentication, a secure active directory of contacts, and encrypted critical business processes.
- Protect Access to Mission-Critical Assets - Not all user access is created equal. It is essential to have strong processes and automated systems in place to ensure appropriate access rights and approval mechanisms.
- Protect Your Email Domain Against Phishing - Email is the most common point of entry for cyber attackers, with the median company receiving over 90% of its detected malware via this channel.
- Apply a Zero-Trust Approach to Securing Your Supply Chain - The high velocity of new applications developed alongside the adoption of open source and cloud platforms is unprecedented. Security-by-design practices must be embedded in the full lifecycle of the project.
- Prevent, Monitor and Respond to Cyber Threats - The question is not if, but when a significant breach will occur. How well a company manages this inevitability is ultimately critical. Threat intelligence teams should perform proactive hunts throughout the organization’s infrastructure and keep the detection teams up to date on the latest trends.
- Develop and Practice a Comprehensive Crisis Management Plan - Many organizations focus primarily on how to prevent and defend while not focusing enough on institutionalizing the playbook of crisis management.
- Build a Robust Disaster Recovery Plan for Cyberattacks - A disaster recovery and continuity plan must be tailored to security incident scenarios to protect an organization from cyberattacks and to instruct on how to react in case of a data breach. Furthermore, it can reduce the amount of time it takes to identify breaches and restore critical services for the business.
- Create a Culture of Cyber Security - Keeping an organization secure is every employee’s job. Instead of the obligatory employee training, Kayne McGladrey, Director of Security & IT at Pensar Development, recommends continuous engagement with the end-user community. “Provide opportunities and instrumentation to demonstrate policy violations rather than lecture at people.” Examples include leaving a USB data stick in a break room or using phishing tools to send suspicious-looking emails that appear to come from known employees. “This helps educate and creates healthy suspicion,” said McGladrey. WEF adds that tailoring training, incentivizing employees, building elementary security knowledge and enforcing sanctions on repeat offenders could aid the development of a culture of cyber security.