Cyber Resilience: How To Achieve It When Businesses Don't Seem To Care
Can businesses become more resilient to cyber threats? A recent survey provides insight.
Shift in Focus for CISOs
Good news first: nearly two-thirds (65%) of Chief Information Security Officers (CISOs) now prioritize business resilience over traditional cyber risk management. This shift follows widely reported ransomware incidents involving major entities such as Neiman Marcus, Indonesia's national data center, and the US Federal Reserve Board.
Redefining Roles
Surprisingly, only 36% of CISOs see themselves in a 'protector' role, while 59% perceive themselves as 'business enablers'. Over two-thirds (67%) want to be more involved in the strategic decisions of their companies. They wish they could say “yes” to business proposals more often.
Increased Appetite for Risk
More than half (57%) of CISOs now report a higher appetite for risk. This may alarm some, since it suggests that risk-taking is on the rise among the people responsible for defending our data. In risk-management terms, though, a higher appetite means consciously accepting more residual risk in exchange for business value, not abandoning controls.
Is this shift due to frustration? Maybe CISOs should consider skydiving or free-climbing instead of taking gambles with sensitive information.
The Complex Threat Landscape
The cyber threat landscape has become extremely complex. This decade has seen the rise of AI-generated deepfakes, disinformation, and phishing. A realistic response now focuses on business recovery, continuity, and enablement rather than on prevention alone.
Educating staff about risks and encouraging no-blame reporting of incidents and mistakes helps create a safer environment, because problems surface sooner. Even national data centers and the US Federal Reserve have been breached, so no organization is entirely safe.
Challenges in Security Policies
At a recent cyber resilience eForum, many experts agreed that most companies simply don't care about security. The UK's Ministry of Defence is a typical example: despite strict audits, some of its critical infrastructure was found to be easily hackable.
This leads us to ask: why aren't security measures built in from the start?
The Importance of Security by Design
Both the Ministry of Defence and the NHS were compromised this year. This shows that while security by design is critical, resilience must also account for the interconnected nature of modern systems, including those managed by partners in the supply chain, where an organization's own design choices do not reach.
What Holds Back Better Cyber Policies?
At the core, laws and policies sometimes drive the wrong behaviors. Organizations may fall into a tick-box culture, satisfying the letter of a requirement while leaving real weaknesses untouched, which can actually make them less secure.
Adviser Mark Woods proposes that teaching organizations to use risk management positively could help. Managers need to ask the right questions and reward good behaviors.
Most Companies Don't Prioritize Cybersecurity
Jessica Figueras, co-founder of CxB, pointed out that most organizations care only about making money or delivering services. For most SMEs (Small and Medium-Sized Enterprises), cybersecurity isn't a priority because they lack the resources for it.
SMEs make up 99.9% of UK companies. Many have little to no security beyond basic measures such as a firewall and email filtering.
A Call for A More Inclusive Cyber Resilience Approach
The current cyber resilience conversation is inadequate. Larger organizations often cannot express their security needs in non-technical language, which reduces the effectiveness of resilience policies.
Vendor marketing often skews perceptions, making it hard for non-technical leaders to make informed decisions about what they actually need.
A Constructive National Conversation Is Needed
Resilience is about understanding the big picture and ensuring good communication across the board. It's about the right allocation of resources and better strategic risk management.
Final Take
The time to rethink and improve security measures so that they include everyone, especially non-specialist SMEs, is now. Resilience offers a promising path forward.