In this series we will share stories of inspirational heroes who we have worked with. Our aim is to demonstrate how to enable and empower organisations to progress along their cyber security maturity journey, and to help align corporate risk appetite with actual, residual cyber risk.
Many CISOs we speak with are seeking to better understand and communicate business risk, demonstrate clear ROI, and develop compelling business cases to address known areas of weakness, all while dealing with an ever-changing threat landscape and evolving compliance needs.
Creating cyber security awareness and understanding at the executive leadership level, by communicating in a language understood by those executives while demonstrating the importance of securing the critical information assets that the business relies upon, has led to what RSA calls a Business-driven security approach.
With the recent introduction of Mandatory Data Breach Disclosure legislation, Australian organisations with traditional cyber security programmes are now looking at advanced detection and response approaches. The key to continued success is to augment the detective controls of log-based SIEM that they already have, which over time may degrade in effectiveness as attack methods change.
Set against this landscape it can be easy to feel that transformation is impossible and that merely defending the cyber security decisions of last year is success enough. Heroes, though, find within themselves the resources to do something very different. Every journey starts with the first footstep.
In this series we will introduce three examples of how information security has delivered not just the must-have of ensuring the protection of critical information assets, but has also enabled business transformation:
● Workforce transformation: enabling staff in a highly secure and regulated environment to enjoy the benefits of workplace mobility and modern mobile devices, while minimising risk;
● Risk culture transformation: navigating a long blocked path toward quantifying and articulating cyber risk in a manner that resonates with the organisation’s executives and aligns with the strategic business mission of the organisation;
● Business transformation: creating a highly effective and forward-leaning cyber security team whose services, people and processes can be used to create a whole new line of business, setting the organisation on the journey to leadership within its industry sector.
Common to these stories are two key threads:
1. The security leaders achieved positive outcomes by first assessing their current security posture through a risk-based gap analysis, allowing them to focus on the actual threats that posed potential material risks to their organisations. They have been fearless in doing so; afraid neither of highlighting deficiencies within their own fiefdoms nor of uncovering truths inconvenient to the business.
2. They recognised that the status quo must be challenged, and that many of the assumptions of cyber security we have accepted as gospel over the last two decades need to be re-examined. They have accepted that preventative controls are not ‘defence in depth’, but rather ‘delay in depth’, and that adding further to the preventative control stack does not provide the ROI that it once did.
3. Having started the journey of building such an approach to reducing risk, they were able to unlock hidden potential and opportunities for the business to grow and to progress along the cyber security maturity model.
In our next instalment we will delve into more detail on the security professionals we have worked with, and look at how their leadership teams have enabled the transformation of their organisations’ workforce. In the meantime, your journey begins with your own first step: assess your organisation’s cyber security maturity level, identify the gaps, and consider how to make those actionable changes. Completing this exercise will start you on your own path to joining the ranks of Australia’s cyber security industry heroes.
Want to know more? Take the Cyber Security Maturity Assessment Survey.