Paige Needling

Management

Creating Cyber Resilience

The need to move beyond security is more than semantics

Published: Tuesday, October 15, 2019 - 11:02

Amidst a sea of alarming cybersecurity statistics, there’s one that perfectly captures today’s reality. It’s from a 2019 Trend Micro survey, which says: “80 percent of all businesses expect to be hacked this year.” Not “perhaps” or even “likely,” but will be hacked.

And perhaps worse, only 39 percent of the 400 executives and board members surveyed (see figure 6) said their company has fully developed and implemented a cyber-defense strategy. The expectation of being hacked shows the vulnerability organizations across the board feel, not just those that have been breached or that may fit a profile of “high risk” businesses (e.g., banks or hospitals). Small and medium-sized businesses are particularly vulnerable because of their relative lack of resources compared to Fortune 500 companies.

What’s particularly noteworthy is the reason so many businesses believe they’ll be breached. It’s not because of an exotic piece of technology they can’t afford, or some rainmaker cybersecurity professional they can’t recruit. Their biggest vulnerability is their own lack of alignment: employees and business processes ill-coordinated to prevent or recover from a breach.

As reported in the study’s findings: “A primary cause of these risks was found to be complex, misaligned organizations with a lack of security connectivity, scalability, and agility, and too few qualified people to manage security systems.”

In this age of artificial this and cyber that, the single biggest risk factor is human error. According to one study, upwards of 90 percent of all successful corporate cyberattacks in 2017 could be attributed back to employee error.

On top of that, external threats sometimes walk right through the front door of your office, lab, or factory: someone making a delivery or an unmonitored visitor swipes a thumb drive from a desk, or leaves one behind that is laden with malicious code.

What is cyber resilience?

Resilience speaks to a system’s ability to absorb disturbances and keep functioning. Resilience is deeply tied to systems thinking, which is one of the things that makes it so compatible with ISO standards.

Applied to information security, resilience is:
• The ability to bend but not break, and to snap back into shape
• The awareness and IQ to incorporate lessons learned and become even stronger in the process

The underlying idea is to be so thoroughly prepared that it’s almost as if disaster has already struck, and yet you are still operating at full business capacity. The single best thing you can do is visualize a breach and “see” the pathways of response that you’ll employ.

The resilient enterprise believes in elasticity. The difference is mindset, which directly determines allocation of resources. Protect your systems and information assets with every investment dollar you can muster. But don’t expect to be perfect, and don’t be shocked when a breach happens.

Prepare for it. Anticipate it. Operate every day as if it’s happened, and you are accelerating through it.

Recovery is crucial, but true resilience demands rapid evolution as well so you can arrive at a more secure place. Resilience requires learning and adaptation. Otherwise, you are just restoring the same status quo that allowed the breach in the first place. Hardly desirable.

Connecting the digital dots: ISO 27001 certification

The path forward relies less on technology and more on organizational vitality. You must create a clear understanding among staff about cyber risks and their roles in preventing breaches. Educate, train, and rehearse. Repeatedly. Empower a chief information security officer (CISO) to create a resilient IT infrastructure and to be proactive in protecting company assets.

ISO/IEC 27001 for information security management is the one “technology” available to any organization. The standard is specifically engineered to improve organizational alignment, which, after all, is the core problem. It forces an organization to have a cogent, documented, and executable game plan. When the digits start to fly, what matters is organizational muscle memory. Transparency is critical.

After a breach, 47 percent of companies with a fully implemented plan were able to identify the cause of the breach and resolve it within one month, compared to just 26 percent of those without a complete strategy.

ISO 27001 certification empowers exactly that kind of complete strategy. In certification parlance, it’s known as a “nonprescriptive” standard. The certification process sets forth a series of guidelines and “expectations” (requirements) but does not tell you how to run your operations. This flexibility is critical; it makes ISO 27001 as suitable for a Fortune 500 auto manufacturer as for the small parts company that supplies that large automaker.

At the end of the day, each organization creates its own security. All the rules and guidelines in the world won’t protect you if you are not vigilant and truly ready. Better yet, start with the idea that you’ve been hacked, and rehearse in detail what you’re going to do about it. If you see your organization recovering quickly, with little or no damage to stakeholders, you’re at the doorway of resilience. To step through, you need to get better than you were before.

To learn more, join Paige Needling, ISMS sector manager at DNV GL Business Assurance NA; Todd Begerow, Eastern Territory sales manager at DNV GL Business Assurance NA; and Quality Digest editor in chief Dirk Dusharme on Thurs., Oct. 24, 2019, at 1 p.m. Central/11 a.m. Pacific for the webinar, “From Cyber Security to Cyber Resilience: 5 Steps?”

About The Author

Paige Needling

Paige Needling serves as the ISMS Sector Manager for DNV GL Business Assurance, responsible for all certification registrations for ISO 27001:2013, ISO 20000:2018, and ISO 22301. She has over 20 years of “in-the-trenches” experience in solving real-world data security and compliance challenges. Paige has been featured as one of the Game Changers in Information Security by HUB Magazine, as well as in Compliance Weekly and other publications.