Interviews

Cyber word

by Mark Rowe

Traditional cyber security is now inadequate for today’s threats and must be superseded by ‘cyber resilience’, demanding more vigorous action from company boardrooms.
This was a message of a panel at the international cyber summit hosted by IT Governance in central London on Thursday, May 8. The event, ‘New Standards in the Global Cyber War’, ran at the Churchill War Rooms. It included speakers from the Department for Business, Innovation and Skills, British Standards Institution (BSI), international professional organisation ISACA, and AXELOS, a joint venture between the Cabinet Office and services contractor Capita plc that runs the Best Management Practice portfolio. The conference drew more than 60 from across the UK.

Alan Calder, Executive Chairman of IT Governance and conference chair, told delegates: “Cyber security is no longer sufficient to ensure business sustainability. Yes, organisations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organisation’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place. Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10% of the IT budget on security is no longer adequate to keep your organisation in business.”

Mike Edwards, management systems tutor at BSI, added: “Organisations need to converge their management of information security and business continuity. The good news is the best practice standards in each area – ISO27001 for information security and the new ISO22301 standard for business continuity – now work very well together, so policies and procedures can be dovetailed. Employing both standards in tandem is the key to cyber resilience.”

The Government’s recently announced Cyber Essentials scheme was discussed by Richard Bach, Assistant Director for Cyber Security at the Department for Business, Innovation and Skills: “Cyber Essentials is complementary to the good work and value across several existing standards and frameworks. The Scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organisations protect themselves from online cyber threats. Its principles apply to organisations of all sizes, from micro enterprises to large corporates. Our main aim is adoption – we want to see Cyber Essentials adopted as far and wide as possible. We want to see a step change in organisational cyber security behaviours.”

Alan Calder welcomed the Cyber Essentials scheme, and said to achieve cyber resilience organisations would need to employ complementary standards in parallel: “Anything that raises management awareness of cyber security is a good thing and we are delighted to see the Government getting behind this issue.

“I would argue Cyber Essentials should be adopted in addition to, rather than instead of, ISO27001. The ISO27001 standard offers various additional benefits, key ones being its international recognition and role as pillar of cyber resilience. You can use Cyber Essentials to try to stop attacks succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.”

Other speakers at the conference included Neira Jones, an independent expert on ISO27001 and the PCI DSS standard, who gave an analysis of the devastating cyber breach suffered by US retailer Target; Bridget Kenyon, Head of Information Security at University College London, who highlighted the importance of ISO27001 in providing structure to information security management; Nick Wilding, Head of Cyber Resilience at AXELOS, who discussed ways for companies to assess their best practice compliance for cyber resilience; and Sarb Sembhi, Chair of ISACA’s Government and Regulatory Advisory Regional Committee for Europe and Africa, who discussed the value of the COBIT 5 framework in aligning management system standards.

Related News

  • Interviews

    Network forecast

    by Mark Rowe

    Digital transformation will continue to have an effect on the demands and requirements of IP networks according to the Cisco Visual Networking…

  • Interviews

    Consec review

    by Mark Rowe

    CONSEC 2017, the annual conference of the Association of Security Consultants (ASC), returned to the Marriot Hotel, Heathrow on Thursday, October 12.…

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing