Organisations are spending vast amounts on cyber-security, but the maturity of their defences has barely improved over the last decade. What should they be doing?
Resilience means different things to different people, said James Blake of Rubrik, introducing a recent virtual roundtable hosted by Business Reporter. “The value is in making your systems resistant to attack,” he told a group of senior executives from a range of sectors.
Blake said that over the past 10 years, spending on cyber-security has increased massively, but the maturity of companies’ defences has barely improved. Teams, budgets and complexity are all booming: a typical large company today has an average of 130 security tools. Unfortunately, many organisations respond to further threats by trying to add more layers of control over the top. How can we design organisations that are more resilient to cyber-threats?
Focus on the business and better alignment
The first step, attendees agreed, is to talk to the board, and to the business more generally, about what they need. Resilience plans depend on appetite for risk, which varies by organisation. Establishing risk appetite, however, requires communication and several attendees said that communication between IT security and other departments could be better.
Part of the reason is that, as one attendee put it, “techies don’t tend to communicate well”. The solution is to hire team members with strong communication skills, but this is not always straightforward given that there is a cyber-security skills shortage. Furthermore, articulating risk is difficult anyway. High-impact, low-likelihood risks, which many cyber-risks are, are particularly difficult to put in context.
Nevertheless, attendees agreed that better alignment would help, particularly between cyber-security and the rest of IT, but also with the organisation as a whole. Cyber-security is an issue that affects everyone, so everyone needs to know how it is being handled.
Get operations and process right
Another important part of the picture is getting the process right. Attendees agreed that, in their experience, organisations often didn’t consider resilience at the outset of a new project. For example, a cloud migration project often gets underway without anyone stopping to consider how, and to what extent, it fits with the organisation’s resilience plan. That leaves the security team constantly playing catch-up, trying to secure new systems while risking being seen as the “blockers” adding friction to a process that is meant to be smoother.
Worse, when new projects are brought online, the old ones are often not turned off. They are still needed to run legacy systems and so security teams find themselves increasingly stretched, covering more products.
There must be a plan in place to cover all of it and attendees agreed that the plan shouldn’t aim for perfection. One attendee argued that about 80 per cent of eventualities should be covered in the plan but the rest left open-ended. Not everything can be predicted. Even so, said Blake, many organisations treat every incident as unique and don’t apply enough planning or learning from previous incidents.
Don’t focus on buying products
Those at the roundtable emphasised the need to debrief after incidents to ensure that everyone learns for future events. Multiple attendees suggested that the airline industry has set the gold standard for learning from incidents. Because airlines face incidents that can be life-threatening, the emphasis is on learning rather than blaming. In cyber-security, attendees said, there is still a strong blame culture and a lack of planning based on new learning.
Rather than plan, some organisations still default to adding more products in an attempt to mitigate against every possible threat. That doesn’t guarantee that an attack won’t succeed but it does ensure more complexity. As one attendee pointed out, this can affect customer experience too. Customers want a fast, seamless experience and end up being slowed down by numerous security checks.
Tools have a role to play, of course, but they are only part of the picture, alongside good planning and a sound operational structure. Resilience emerges from those features, as well as from organisational culture and politics. Changing culture can take a long time and requires company-wide efforts that can’t be driven entirely by the cyber-security team. Even so, the security team can do its part to drive progress and focus attention on the most productive priorities.
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543