Business trends 2022: The acceleration of cyber security maturity

With such a rapidly changing environment, cyber security is a key theme across every industry. We spoke to our Head of Security, Michael Dowling, to discuss why he believes cyber maturity will be a top 2022 business trend.

Reaching cyber maturity in a changing threat landscape

The external cyber threat landscape is moving at such a fast pace.

I don’t think we’ve ever seen any other sort of external factor changing and evolving at such a rapid rate for businesses before. With that in mind, maturity will be key in cyber security in 2022.

1. Getting the Board on board

There are a number of areas that need to mature and the first place I want to start is around how we communicate threats to our Board. The Board of Directors is now an essential part of the cyber puzzle and they need to be across what’s happening in your company.

If you are a Board member, you need to understand what your senior leaders are talking about and if you are a CIO or Head of Cyber, you need to communicate in a language the Board is going to understand. Everyone needs to be clear and aligned on what your cyber threats are, and your current capability to prevent, detect and respond to these threats.

Key insights: As a senior leader, your reporting should translate what's happening in cyberspace and tie it back to how it impacts the business.

You need to think, ‘what is the actual risk to the business?’ Sure, you can report that you’ve detected and patched 50 critical vulnerabilities and blocked 100 emails with malware in the last month. That’s a good measure of activity, but what threats and risks to the business have I mitigated?

Try telling a story about the potential impact that any of these vulnerabilities or malware could have caused the business if they weren’t detected or blocked. Talk about how each time you’ve blocked a malicious email or patched a vulnerable device, you’ve reduced the likelihood of a risk event happening or at least kept the risk within an acceptable tolerance level.

2. Focusing on your supply chain

There also needs to be a maturity around how we look at supply chains. There’s been a significant increase in supply chain-focused attacks, which can obviously create problems for your company, but it can also create potential downstream implications for your customers, or make you more vulnerable to attacks on your suppliers and business partners. For example, if one of your suppliers or partners suffers a ransomware attack that takes their services offline, consider how this is going to impact your business.

These types of attacks affect every industry or ecosystem so it’s essential that your view on supply chain matures. Most organisations now do a security risk assessment on all their suppliers, and they have expectations on all their suppliers to maintain a minimum baseline level of security maturity. So, for many organisations, establishing and being able to demonstrate that baseline level of security maturity is becoming table stakes for doing business in most industry sectors.

3. The increasing cost of a cyber attack

My next point is around the maturity of the cyber insurance sector. Organisations rely on cyber insurance to get them out of trouble if a cyber incident occurs to recover some of the associated costs. However, the claims often do not cover the financial damage associated with reputational costs and loss of business.

Cyber insurers are putting more obligations on businesses seeking insurance around what level of cyber maturity they have. Being unable to meet these expectations may result in larger renewal premiums or rejection of claims due to a lack of hygiene around cyber security. So, organisations need to balance their investments, between transferring risk to a cyber insurer and building up their security controls. With that said, maturity is not just about tools. It’s also about processes and culture. You could have the best tools in the world and all it takes is for someone to click a link they’re not supposed to, which could result in a security incident. I believe the most successful organisations have an embedded cyber security culture across the organisation and that starts at the Board level.

4. Changes to legislation

My final point is around the Federal Government legislation for Australian companies that have connections to the country’s critical infrastructure. The legislation is broadening the scope of industries that are considered to be critical infrastructure to include sectors such as data storage and processing, food and grocery, transport, and higher education. The changes will also place increased obligations on these industry sectors to maintain a baseline level of security maturity, which include reporting into the Australian Signals Directorate (ASD) when a cyber attack occurs, and even needing to allow the government to step in during cyber attacks.

So, your ability to demonstrate a level of cyber security maturity will become increasingly important. The NIST framework is a common one to measure against. Pick a framework that suits your industry and do a self-assessment to measure what level of maturity you’re at against each of the relevant criteria.

Your assessment will help you understand where you are at, what your target level of maturity needs to be, and what needs to be done to bridge the gap and demonstrate that compliance.

You can certainly do that assessment internally, but you need to understand what is the right landing point to get to, and how to get there. Where do I start? What order do I do things in? What type of solutions are out there? That’s where you can save a lot of time and effort by working with someone that’s done this before and can help with a pragmatic and incremental roadmap to get you to where you need to be.
