“I told you so.”
September 2017
So where do you start? What does the leadership team need to know and do? What skills are required for organizations to prosper in the face of growing cyber risks and how can organizations balance their digital transformation with effective resilience?
These were the subjects discussed by a panel of experts during a special edition of Digital Leaders TV entitled Cyber resilience in the digital age – skills, leadership, balance and collaboration.
The programme, hosted by technology journalist and presenter Kate Russell, featured Vicki Gavin, Compliance Director and Head of Information Security and Business Continuity at The Economist Group; Richard Knowlton, former Group Director of Corporate Security at Vodafone and Chairman at Richard Knowlton Associates; Nick Wilding, General Manager, Cyber Resilience at AXELOS and Louisa Perry, Senior Client Partner at Korn Ferry.
Kate Russell opened the programme by asking the panel to consider how a business can balance the need for digital transformation with the risk that digitalization brings to their businesses.
Vicki Gavin: Cyber resilience is about having a mindset that it’s not “if” but “when” an attack will happen. Attacks are growing all the time and that has to be acknowledged by companies. In my own organization we had 25 attacks in 2012 which grew to 350 in 2016 (a 1300% increase).
Nick Wilding: You have to be able to respond when an attack happens. Being prepared means knowing how you are going to respond and, importantly, bounce back. This is why it is important the board and senior management see it as a business issue and not something which affects solely the IT system.
Richard Knowlton: Any response has to be business-wide covering not only the IT department but also HR, legal, internal and external communications and the commercial teams. It is also important that, should a breach happen, everybody is familiar with their expected roles and responsibilities.
Louisa Perry: Being prepared for an attack has got to be seen as an insurance policy. How ready you are depends on how much insurance you want to have. Be proactive not reactive.
Louisa: Organizations need to think about the training and skills needed. It’s not always necessary to look outside for the skills as it’s often better to grow people from within and support them to gain the skills they need.
Nick Wilding: It’s no longer enough to have a tickbox, compliance-driven approach to training and learning. It needs to move from passive learning to engaging, collaborative learning delivered in a way which demystifies the tech language which surrounds it.
Vicki Gavin: In this day and age, we are all becoming tech companies and digital transformation is happening we like it or not; if we don’t transform, we’re going out of business. But people have to be brought on that tech journey: they need to understand what security is, how it works and what their role is. Technology is not the answer to the problems of cyber resilience – people are the solution and it’s people using technology intelligently that protect the business. In looking at the risks which exist we have to realise that “good old fashioned” risk management is what’s needed.
Richard Knowlton: We can no longer see [IT] security as a back-office function. We have to see that all those involved in those roles as comfortable in communicating effectively to all levels within the business about the threats and combating them.
Louisa Perry: Challenge the way you think. Companies and departments can’t work in silos as every department has a part to play in maintaining resilience.
Richard Knowlton: If your culture considers cyber risk an issue for the technology department then no-one else will worry about it. In reality it is everybody’s responsibility where all key stakeholders have to own the risks.
Vicki Gavin: Companies need to have a good detection regime where they are looking out for intruders. They have to be able to pick up early warning signs such as problems with phishing emails or someone clicking on spurious link to a bad website and act on it. You can look at this problem forever and think it looks huge; pick something and do it!
Nick Wilding: It’s about effective risk management and knowing what your risk appetite is while agreeing on what is most precious to the organization and how vulnerable that is. You also have to remain vigilant at all times and rehearse how you will respond to attacks when they happen. Do the simple things well – it’s about making sure you develop, test and rehearse your response to any problem. Effective resilience is about understanding everyone in the organization has a critical role to play – it’s about being brave, bold and on this ongoing journey we need to be much more open as a society in sharing our experience, learning lessons and best practice.
Watch the DLTV episode here:
This article was originally published here and was reposted with permission.