Less than one-fifth (17%) of cyber leaders feel confident that their organisations are cyber-resilient, according to the World Economic Forum (WEF)'s inaugural Global Cybersecurity Outlook 2022 report. There is also a large perception gap: 92% of businesses believe cyber-resilience is integrated into their enterprise risk-management strategies, compared to just 55% of cyber leaders. Another mistake businesses often make is failing to learn lessons from previous breaches and to incorporate them into the business's cyber defences. It is a prevailing issue that CISOs' advice and recommendations about the risks that business initiatives involve are not given due consideration, which affects the relationship between the CEO and the CISO negatively. Some information asymmetry between the two roles is normal, but the percentages reported by the article clearly need improvement.
It is hard to convince anyone to prepare for low-likelihood, high-impact scenarios, in business as in everyday life. For CISOs, therefore, it is key to be able to articulate the impact of a potential cyber attack in a way that people can understand and engage with, explaining to them through relevant analogies how likely such attacks are to happen and the damage they can cause.

Skills shortages are still hampering the design of a resilient organisation. Expectations that businesses would put more effort into retaining talent post-pandemic seem to remain unfulfilled. To create and maintain a high-performing security culture, several factors need to be in place, along the lines of commitment, preparedness and discipline: hands-on top management, strategic alignment and partnerships, and an effective information security governance policy. The CISO and the security function should also be empowered by having the CISO report directly to the CEO. Feeling like an integral part of the business, and being listened to, will also increase security recruits' engagement and loyalty to the business.

With large supplier software estates, it is becoming difficult to detect and isolate breaches in suppliers' networks, so businesses need more effective tools to prevent them from happening. New legislation requiring shared responsibility and accountability in supply chain relationships is probably in the pipeline, which may change how, for example, a cloud service provider can be held accountable for a client being breached.

Some organisations have rather stringent information security rules under which non-compliance on a couple of counts leads to dismissal. Training, however, should combine learning about security controls with social engineering tests, and if an employee fails them several times, their connection points should be restricted.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543