When contemplating this blog topic, I asked myself two questions: “What is one of my biggest frustrations in cyber security?” and “What can I do to improve the situation?”
The frustration? Probably my biggest frustration throughout my career is that cyber security budget is generally under-utilised, not for lack of appetite but for lack of awareness. With due awareness and governance, budget can be applied proportionately and appropriately to enhance the cyber security posture and longevity of the organisation.
A quick scan of recent reporting indicates the time is ripe for prudent, informed investment in cyber security enhancement and maturation.
- Extensive reporting that the pandemic has been the ‘key driver for operational excellence and digital transformation’[i]
- The sharp rise in ransomware attacks, reported as up by 400% in 2021[ii]
- Recovering from a ransomware attack costs twice as much for organisations that paid the ransom as for those that did not[iii]
- Forthcoming legislation driving greater digital oversight in an industry-leading sector[iv]
- Updating of globally recognised standards reflects the change in approach to cyber management[v]
- Foremost financial regulatory oversight body published Cross Industry Guidance on Outsourcing
- In 2018 it was reported that 45% of ransomware victim companies paid the ransom, of which only 26% got their files unlocked[vi]
- Of the companies which paid the ransom, 73% were targeted and attacked a second time[vii]
Cyber security defence continues to rely on three main components: technology, people and process. The people factor is critical, but sometimes overlooked. Whatever technology is introduced, people with the necessary permissions can defeat or circumvent it; that is a security function in itself, for another blog, another time.
‘So, what can be done about the under-utilisation of cyber security budget?’ That is the key question, and the answer must be driven by three aspects: priorities, threats and approach. In all instances your approach to cyber security should be holistic, spanning the entire organisation and/or environment. Priorities are driven by the business strategy; by defining the priorities, resources can be applied appropriately. There is little benefit in making sure the outsourced provider re-stocks the paper in the printer if there is no network to deliver the print job to the device. Equally, there is little benefit in preparing for an opportunistic threat when the greater threat may be state sponsored: the security controls needed to defeat these two threats are chasms apart. Understanding the threat allows cyber security effort to be directed where it is needed.
We have covered ‘what can be done’, so ‘how do we do it?’ The starting point must always be an assessment of the current status. You can’t define the path ahead if you don’t know where you’re starting! This is where a holistic approach is particularly relevant: by conducting a holistic assessment you build awareness and understanding of the whole environment. But this is the challenge, and this is where DORA the Cyber Informer comes into play….
So, who is DORA the Cyber Informer? DORA is the Digital Operational Resilience Assessment. It is a concept I have been working on for some time, and it has never been more pertinent than now! Currently many organisations present ISO 27001 as the assurance of their cyber security. Organisations need a starting point, and ISO 27001 is that, but for most organisations that use cloud services the standard does not adequately address security in that space. Where regulations now apply to specific categories of information, those requirements must also be fulfilled. DORA is a current-status assessment framework developed across a suite of standards which cover the majority of business technology uses and the legislation for information security, including legislation which is still in draft.
DORA comprises six different standards that span the breadth of security of current business technologies and is supported with extensive threat awareness and business awareness, which combine to deliver a portfolio which is forward-thinking, proactive and progressive. Being able to support industry to progress cyber security maturity is my goal, and DORA is the mechanism to deliver that. This is not a sales pitch and there is no proprietary information herein, but Kontex have supported the development of the framework, which is holistic and oriented for the digital transformation.
Whilst many organisations reacted quickly to deploy technical solutions at the outset of the pandemic, those solutions may not have aligned with a broader, more considered security strategy. For businesses that considered the requirements, followed an informed decision-making process and applied the findings in a business-aligned, risk-managed approach, the return on investment would have been far greater than from a rushed response. The informed approach aligns with the security improvement plan, which ensures continual improvement and cyber maturation, as well as providing the means to recover effectively from an incident, whether that is ransomware or critical business disruption.
Having worked in cybersecurity for over three decades, in critical information security environments and a range of physical environments, believe me, you can prepare for the unexpected with the appropriate forethought, planning and culture! But don’t rely on my words, Pablo Picasso said “Our goals can only be reached through a vehicle of a plan, in which we must fervently believe, and upon which we must vigorously act. There is no other route to success.” Nothing is unexpected or unmanageable, if it is planned for!