Next week’s NCSA Nasdaq Cybersecurity Summit in New York will focus government and private sector leaders on two priorities—developing a strategic approach to combating pervasive cyber threats and creating a culture of cybersecurity across enterprises. These are critical issues that Cisco is addressing head-on, and we are excited and proud to be a part of this important event.
Cisco’s 2017 Annual Cybersecurity Report unveiled startling insights into the damage that breaches are inflicting: 22 percent of breached organizations lost customers and 29 percent lost revenue, with 38 percent of that group losing more than 20 percent of revenue. Those are big hits, and such high stakes demand a strategic, proactive approach to defense rather than reactive responses commonly seen.
There are three elements necessary for a comprehensive cyber strategy:
Get the Board on board
Board-level support is essential, and corporate executives must be prepared to make their case for it. Board directors should be asking their leaders about people and process as well as technology and policy to ensure a comprehensive cyber resilience strategy.
People and Process:
- Are we evolving our culture (talent, skills, training, and adaptability)?
- Do we have a process for continuous improvement for cyber resilience?
- Do we have formalized response processes and capabilities?
- Are core business and financial processes adequately secure and how do we know?
- Are we using the right metrics to determine effectiveness of efforts?
Technology and Policy:
- Have we performed a thorough cyber risk assessment of our use of technology?
- What is our current level of cyber risk, and its potential business impact?
- Are our systems of controls equal to the risks?
- Is our cyber resilience strategy focused on our business objectives, protecting our most critical assets and providing business continuity?
- How does our cybersecurity program apply industry standards and best practices, and compare with industry peers?
- How do we measure our program’s effectiveness?
Answering these questions involves substantial effort, but the results will provide a solid foundation for the cyber resilient architecture that will be needed as companies invest in new technologies.
Securely Approach Digitization
An organization and its Board must understand that the business will digitize and use technology rapidly in order to keep the business agile – it is inevitable. Organizations must seize the opportunity to look at this digital disruption to hone focus and investment on associated security risks and challenges. While digitalization creates and expands business opportunities for organizations, evaluating the security considerations must be an essential part of the process. Savvy organizations are shifting from merely focusing on cyber security controls to building cyber resilient architectures that can stand up to today’s attacks. With such an architecture, a compromised system will resist failure—but if it is forced to fail, it will do so gracefully. Visibility across the network will enable the system to sense if it has been compromised, respond quickly and recover to an operational state.
For the last several years, Cisco has diligently pursued a secure digitization strategy that incorporates simplifying our processes based on targeted strategic outcomes, automating the specific technical architecture we need, monitoring our core processes to leverage analytics for machine learning, and continually innovating through collaborative technologies.
Create a Corporate Culture of Cybersecurity
As discussed in a previous staysafeonline.org blog post, cybersecurity must be part of everyone’s job. While previously considered to be “something the information security team does,” companies need to focus on making it part of everyone’s job. At Cisco, we’ve employed several successful education initiatives that have woven cybersecurity into the fabric of our company. Practices such as our Security Ninja Program are helping our employees understand the role they play in the overall security of our products and our customers’ data.
Understanding that there will always be budget and talent constraints, businesses must focus on relentless improvement measured via efficacy, cost and well-managed risk. Security must be an organizational priority – with commitments to training, evaluating the effectiveness of cybersecurity investments, and institutionalizing best practices and safeguards to minimize risk against current and emerging threats.