
Cyber resilience needs leaders who can manage risk – CIO report and checklist
The security end goal for all organizations is cyber resilience. Effective prevention and detection measures are, and will remain, a critical cornerstone of security strategies, but companies shouldn’t stop there. What matters is how the organization prepares for, withstands, responds to, and recovers from an incident. And this depends on people and processes as much as it does on technology.
When the U.S. National Institute of Standards and Technology (NIST) updated its benchmark Cybersecurity Framework earlier this year, it added security governance – how security is implemented and managed through people and processes – as a strategic priority. As a CIO I completely agree with this.
Effective security governance includes such things as consistent security policies and programs, a business leadership that understands risk and how to manage it, robust incident response strategies, investment in skills and training, and more. Our international Cybernomics 101 study revealed that many organizations are finding these goals difficult to achieve.
Just 43% of respondents believe they can effectively address cyber risk. This low level of confidence in their own security posture is concerning. We decided to dig deeper into the data to learn about the top challenges facing organizations on their journey through risk toward cyber resilience and to draw on our experience to develop practical tools that could help them.
The result is our new CIO report: Leading your business through cyber risk, published today.
The report explores how challenges relating to security policies, management support, third-party access, and supply chains can undermine a company’s ability to withstand and respond to cyberattacks.
Common governance challenges
Among other things, the findings show that many organizations find it hard to implement company-wide security policies such as authentication measures and access controls. Half (49%) of the smaller to mid-sized companies surveyed listed this as one of their top two governance challenges. This could in part be a cultural issue, for example where employees push back against enforced restrictions. It is a risk area where business leaders have a powerful role to play.
Just over a third (35%) of the smaller companies worry that senior management doesn’t see cyberattacks as a significant risk, while a quarter acknowledge that senior managers aren’t kept up to date about the threats facing the organization. It is hard to be interested in or care about something you don’t fully understand.
Management support was less of an issue among the larger firms surveyed. They were more likely to struggle with a lack of budget (38%) and skilled professionals (35%).
Regardless of size, many organizations have concerns about a lack of security and control over the supply chain and visibility into third parties with access to sensitive or confidential data.
Around one in 10 of all the businesses surveyed doesn’t have an incident response plan to turn to in the event of a successful breach. The largest companies surveyed were, at 23%, the least likely to have tested their incident response plan. This could be due in part to the complexity and resource requirements of running a realistic test.
A non-existent or untested plan could do more harm than good if a serious attack hits and a company doesn’t know what to do next or what its obligations are.
Fortunately, organizations don’t have to go it alone. The CIO report signposts some external sources of help, and also offers practical templates to help organizations manage cyber risk and map where they are in their journey toward cyber resilience. These include a risk management menu and a cyber resilience checklist.
The cyber resilience checklist draws on the latest iteration of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and can be freely downloaded and printed from the Barracuda website.