The world of work has evolved at such a rate over the past 18 months that the importance of being proactive rather than purely reactive with technology investments.
Cyber security has been propelled to the forefront of business conversations, as well as within media culture, due to the scope of the repercussions if things go wrong.
The BTN, in partnership with RiskRecon, brought together some of the brightest technology leaders across industry for a conversation around the role of security and its impact on the supply chain ecosystem.
The conversation was interactive, attendee-led and brought about the following key takeaways:
Business critical risk vs business reputational risk
The role of cyber security has never been more important as employees no longer work within the confines of an office environment and on devices that are potentially unsecured.
The conversation began with a focus around the role of vendors as part of the organisational infrastructure. The group looked at how they categorised what is ‘critical’ within their business model.
The most critical risk were defined by understanding what we must rely on with regards to the internet and services that enable our business provide us with the visibility around what occurs if applications are down that prevent the business from performing.
The 2nd tier criticals are those that we are dependable on but not necessarily critical. These were defined within the group as those that we can live with being down for a while.
The 3rd tier was the services that were not business-critical at all.
The criticality of an application should not always be defined by its downtime but also with regards to the amount of data they have access to. The focus should become on the availability of the systems rather than just the ‘trust’. Corporate data is valuable but the implications of downtime is potentially bank breaking.
Moving to the cloud will present an abundance of opportunities bug everyone wants the scalability of the cloud but then will either want to build their own or use the providers locally within the country.
Is this where reputation overrules confidentiality?
Outsourcing is not a ‘plug and play’
The journey of outsourcing your risk should start by simply grading your business processes at the beginning. You can’t outsource the right risks if you haven’t understood your business processes first and actually built a comprehensive risk management framework of what needs more focus.
There is regularly too much focus on the applications that are going to be outsourced rather than the processes themselves.
What are the impacts to the operational, regulatory, financial impacts if this data is ‘not available'?
When it comes to outsourcing, we must understand how we can collaborate with outsourced vendors to eradicate any issue there may be going forward.
Embedding a culture of technology and ultimately cyber security is one that is a dream for the majority of CIO/CTOs right now.
If you can create a ‘technically aware culture’, then the benefits that simply moving to the cloud can bring huge advantages. People may be aware but the culture isn’t, so the business may become conservative about moving and is only able to do it incrementally.
How much reliance can you realistically put on the vendor? It isn’t just ticking a box so we can then roll it out. If something major happens, you can blame the vendor but it’s your issue ultimately. The phrase that was uttered around the table was “No-one has ever been fired for buying IBM”.
Is Cyber Security the business Batman?
The conversation moved onto how we showcase the work that we do to our executives. What do we report to senior leadership? What breaches are we stopping? Can we show Return on Investment?
The attention span when it comes to senior leadership’s engagement with Cyber Security is notoriously low. We must use Cyber literacy effectively and map metrics to a reasonable ROI to prove our value. The role of cyber security is there to fix something before it impacts the business, therefore regularly resulting in no credit being assigned to the role itself at times. Can we showcase our value by summarising what we stopped’ on a quarterly basis?
Our senior leadership don’t care if there is a patch for example, they just want the business to be operating at maximum efficiency and availability.
There is regularly too much focus on confidentiality rather than the 2 other legs of the triad, availability and integrity. We must ensure there is a balance and more importantly, know where our focus is.