Paige Needling

Management

Creating Cyber Resilience

The need to move beyond security is more than semantics

Published: Tuesday, October 15, 2019 - 12:02

Amidst a sea of alarming cybersecurity statistics, there’s one that perfectly captures today’s reality. It’s from a 2019 Trend Micro survey, which says: “80 percent of all businesses expect to be hacked this year.” Not “perhaps” or even “likely.” But will be hacked.

And perhaps worse, only 39 percent of the 400 executives and board members surveyed (see figure 6) said their company has fully developed and implemented a cyber-defense strategy. The expectation of being hacked shows the vulnerability organizations across the board feel, not just those that have been breached or that may fit a profile of “high risk” businesses (e.g., banks or hospitals). Small and medium-sized businesses are particularly vulnerable because of their relative lack of resources compared to Fortune 500 companies.

What’s particularly noteworthy is the reason so many businesses believe they’ll be breached. It’s not because of an exotic piece of technology they can’t afford, or some rainmaker cybersecurity professional they can’t recruit. Their biggest vulnerability is their own lack of alignment: employees and business processes ill-coordinated to prevent or recover from a breach.

As reported in the study’s findings: “A primary cause of these risks was found to be complex, misaligned organizations with a lack of security connectivity, scalability, and agility, and too few qualified people to manage security systems.”

In this age of artificial this and cyber that, the single biggest risk factor is human error. According to one study, upwards of 90 percent of all successful corporate cyberattacks in 2017 could be attributed to employee error.

On top of that, external threats sometimes walk right through the front door of your office, lab, or factory. Someone making a delivery or an unmonitored visitor swipes a thumb drive from a desk, or leaves one behind that is laden with malicious code.

What is cyber resilience?

Resilience speaks to a system’s ability to absorb disturbances and keep functioning. Resilience is deeply tied to systems thinking, which is one of the things that makes it so compatible with ISO standards.

Applied to information security, resilience is:
• The ability to bend but not break, and to snap back into shape
• The awareness and IQ to incorporate lessons learned and become even stronger in the process

The underlying idea is to be so thoroughly prepared that it’s almost as if disaster has already struck, and yet you are still operating at full business capacity. The single best thing you can do is visualize a breach and “see” the pathways of response that you’ll employ.

The resilient enterprise believes in elasticity. The difference is mindset, which directly determines allocation of resources. Protect your systems and information assets with every investment dollar you can muster. But don’t expect to be perfect, and don’t be shocked when a breach happens.

Prepare for it. Anticipate it. Operate every day as if it’s happened, and you are accelerating through it.

Recovery is crucial, but true resilience demands rapid evolution as well so you can arrive at a more secure place. Resilience requires learning and adaptation. Otherwise, you are just restoring the same status quo that allowed the breach in the first place. Hardly desirable.

Connecting the digital dots: ISO 27001 certification

The path forward relies less on technology and more on organizational vitality. You must create a clear understanding among staff about cyber risks and their roles in preventing breaches. Educate, train, and rehearse. Repeatedly. Empower a chief information security officer (CISO) to create a resilient IT infrastructure and to be proactive in protecting company assets.

ISO/IEC 27001 for information security management is the one “technology” available to any organization. The standard is specifically engineered to improve organizational alignment, which, after all, is the core problem. It forces an organization to have a cogent, documented, and executable game plan. When the digits start to fly, what matters is organizational muscle memory. Transparency is critical.

After a breach, 47 percent of companies with a fully implemented plan were able to identify the cause of the breach and resolve it within one month, compared to just 26 percent of those without a complete strategy.

ISO 27001 certification empowers exactly that kind of complete strategy. In certification parlance, it’s known as a “nonprescriptive” standard. The certification process sets forth a series of guidelines and “expectations” (requirements) but does not tell you how to run your operations. This flexibility is critical; it makes ISO 27001 as suitable for a Fortune 500 auto manufacturer as for the small parts company that supplies that large automaker.

At the end of the day, each organization creates its own security. All the rules and guidelines in the world won’t protect you if you are not vigilant and truly ready. Better yet, start with the idea that you’ve been hacked, and rehearse in detail what you’re going to do about it. If you see your organization recovering quickly, with little or no damage to stakeholders, you’re at the doorway of resilience. To step through, you need to get better than you were before.

To learn more, join Paige Needling, ISMS sector manager at DNV GL Business Assurance NA; Todd Begerow, Eastern Territory sales manager at DNV GL Business Assurance NA; and Quality Digest editor in chief Dirk Dusharme on Thurs., Oct. 24, 2019, at 1 p.m. Central/11 a.m. Pacific for the webinar, “From Cyber Security to Cyber Resilience: 5 Steps?”

About The Author

Paige Needling

Paige Needling serves as the ISMS Sector Manager for DNV GL Business Assurance, responsible for all certification registrations for ISO 27001:2013, ISO 20000:2018, and ISO 22301. She has over 20 years of “in-the-trenches” experience in solving real-world data security and compliance challenges. Paige has been featured as one of the Game Changers in Information Security by HUB Magazine, as well as in Compliance Weekly and other publications.