Motivating cyber resilience: the carrot or the stick?
August 20, 2018
TEISS guest columnist Chris Moyer, VP and general manager of DXC Technology, considers the importance of resilience and how organisations are motivated to ensure they can recover from cyber breaches.
The cybersecurity landscape is evolving rapidly. Hackers are getting more sophisticated, their attacks more damaging, and the penalty for breaches is becoming more severe. As such, commercial and public sector organisations are increasingly focusing on cyber resilience, as they realise that the impact of the inevitable must be managed.
They have come to realise that focussing purely on prevention can leave them in complete disarray in the wake of a breach. It is for this reason that we started to see a greater emphasis placed on effectively detecting and quickly remediating attacks.
The objective of putting in place greater cyber resilience sits against a backdrop of awareness of the increasing pressure brought about by the pace of technological change.
Last year, the World Economic Forum focused on cyber resilience and resolved to support the development of cyber resilience governance capabilities at the enterprise and national level. This year in Davos, the terms AI, robotics and blockchain were the prevalent buzzwords. Now, as these technologies drive digital transformation across industries, the emphasis on cyber resilience will become more entrenched.
Enterprises have a huge carrot hanging in front of them when it comes to investing in cyber security. These include gains from automating processes and decisions, streamlining application development, and harnessing data to build better relationships with customers.
But for every carrot, there’s a stick. In this case, the regulatory requirements governing cyber security are having a much broader impact across regions than ever before. Companies are facing millions of dollars in fines, loss of contracts, and negative publicity related to disclosures of breaches.
The pressure from regulatory requirements has driven cyber security for decades, primarily in the financial services industry. CISOs of global banks have long experience in maintaining rigid compliance programs across multiple jurisdictions. The emphasis has now broadened as other industries, such as governments, focus on their susceptibility to cyber-attacks.
The security industry is also in the midst of complying with the new General Data Protection Regulation (GDPR). This is profoundly impacting the way organisations manage and secure customer data. Missteps in complying with the regulation could be costly — fines of 4 percent of annual revenue or €20 million, whichever is higher (the stick).
But if done right, GDPR can deepen your customer relationships as you build trust (the carrot).
More change is also afoot, with the latest topic for enterprises in the EU to consider being the NIS Directive, which was approved in August 2016 and became law in May 2018. It is aimed at “Operators of Essential Services” (OES). These include essential services that play a vital role in society, from water and electrical supply to healthcare and transport. As they come to understand that a severe and successful attack could harm the economy and well as the citizen’s daily life, governments are now concerned.
There are four objectives identified by the NIS Directive:
Managing security risk
Protecting against cyber attack
Detecting cyber security events
Minimising the impact of incidents
What it further emphasises is the prospect of fines of up to £17m for companies that fail to protect themselves effectively (another stick).
However, governmental organisations are also reaching out to the public to provide advice, and to support enterprises in developing their cyber resilience capabilities. The NCSC in the UK, for instance, is providing a broad range of advice as well as promising to publish a Cyber Assessment Framework for the OES audience in April of this year (another carrot).
So, the regulatory community is offering a big carrot in the form of helping organisations develop better cyber resilience standards to facilitate the adoption of new technologies. The stick is an increasing number of fines for organisations that do not place sufficient emphasis on their responsibilities on this area, and take steps to mitigate risks
CISOs have a chance to shine
For CISOs who were used to working in the shadows, the spotlight is now shining on them more brightly than ever before. The topic of cyber resilience is not going to stand still – it will in fact be changing at a faster rate.
For companies to survive, it’s critical that their CISOs ensure they have clear transformation plans that are aligned to the wider enterprise business strategy. With a cybersecurity skills shortage biting hard, organisations will need to make decisions about how to best deliver a robust security program, whether that be through the development of internal teams, bringing in trusted partners or investing in top of the range solutions and managed services.
Security should help to increase business agility, while protecting the expanding enterprise perimeter – an enabler to innovation, not a blockade. CISOs should be looking at the new wave of regulations as a chance to prove their worth to the business. After all, following the carrot is much more rewarding than avoiding the stick.
The Information Commissioner's Office has found HMRC guilty of violating GDPR for collecting biometric voiceprints of over five million taxpayers without their express consent and has directed HMRC to "delete …