It is time for organisations to start viewing their approach to cyber security differently if they want to achieve real-world security, according to the Cisco 2015 Security Report.
Strategies suggested include applying more sophisticated security controls before, during and after a cyber attack, and making security a boardroom topic. The report also calls for better integration between people, processes and technology, a core principle of the information security standard, ISO 27001.
The report shows clear differences between security-sophisticated companies and the less-sophisticated companies based on the following three factors:
- Company executives consider security a high priority (91% vs 22%).
- Security processes are clear and well understood (88% vs 0%).
- Security technologies are well integrated to work effectively together (78% vs 17%).
The respondents surveyed were relatively confident in their security operations, which is questionable given that fewer than 50% use the following critical cyber security tools:
- Identity administration or user provisioning
- Patching and configuration
- Penetration testing
- Endpoint forensics
- Vulnerability scanning
Although Cisco’s research shows that 91% of organisations have an executive with direct responsibility for security, the report calls for the conversation to be stepped up into the boardroom.
Citing massive data breaches, increasingly strict data protection legislation, geopolitical dynamics and shareholder expectations as the reasons cyber security must become a boardroom topic, the report urges that “the future of cybersecurity hinges on boardroom engagement today”.
ISACA has revealed that 55% of company directors are now expected to personally engage with and understand cyber security risks. The Cisco report explains that to truly understand the scope of cyber security issues, some boards may need to take on directors with technology and cyber security expertise.
The report gives examples of questions that boards should be asking their CISO/CIO, such as:
- What controls do we have in place?
- How well have they been tested? Do we have a reporting process?
- How quickly can we detect and remediate the inevitable compromise?
- And perhaps the most important: What else should we know?
Despite advances by the security industry, criminals continue to evolve their tactics to penetrate the security defences of organisations large and small.
Knowing your weaknesses and understanding your risks is the key to an improved security posture. But, clearly, without the involvement of the board, your best-laid plans may be destined for failure.
Fully aligned with ISO 27001:2013, vsRisk is the leading, cost-effective risk assessment tool that streamlines and delivers an information security risk assessment quickly and easily.