Chapter 1. Developing a Clear Set of Action Areas:
1. Institutional Readiness
- Prioritize information assets based on business risks. Most institutions lack sufficient insight into the precise information assets they need protected and how to assign priorities to those assets. Going forward, cyber resilience teams need to work with business leaders to better understand business risks (for example, what it means to lose proprietary information about a new manufacturing process) across the entire value chain and to set appropriate priorities to the underlying information assets.
- Develop deep integration of security into the technology environment to drive scalability. Almost every part of the broader technology environment has an impact on an institution’s ability to protect itself, from application development practices to policies for replacing outdated hardware. Institutions must move from “bolting security on” to training their entire staff to incorporate security from the start into technology projects.
- Provide differentiated protection based on the importance of assets. As the axiom states, “To protect everything is to protect nothing.” By implementing differentiated controls, such as encryption and more rigorous passwords, institutions can focus time and resources on protecting information assets that matter the most.
- Deploy active defences to uncover attacks proactively. Massive amounts of information are available about potential attacks – both from external intelligence sources and from an institution’s own technology environment. Increasingly, companies will need to develop capabilities to aggregate and analyse relevant information, and use it to appropriately tune defence systems such as firewalls.
- Test continuously to improve incident response. An inadequate response to a breach – not only from the technology team, but also from those in marketing, public affairs or customer services – can be as damaging as the breach itself because of the adverse reaction it can elicit from clients, partners, government regulators and others. Taking a page from the military, institutions should run cross-functional “cyberwar games” to improve their ability to respond effectively in real time.
- Help personnel to understand the value of information assets. Users are often the biggest vulnerability for an institution. They click on links they should not, select insecure passwords and send sensitive files by e-mail to broad distribution lists. Institutions need to segment users, and help each group to understand the business risks of the information assets they touch every day.
- Integrate cyber resilience into enterprise-wide risk management and governance processes. Cyber resilience is an enterprise risk, and must be managed like one. Assessments of risks from cyberattack must be integrated with other risk analysis and presented at relevant management and board discussions. Cyber resilience implications must be integrated into the broad set of enterprise governance functions such as human resources, vendor management and regulatory compliance.
The importance of these actions was highlighted in interviews with chief information security officers (CISOs) and other executives. Across the board, executives gave their institutions poor average marks for executing these critical responses (see Figure 1). As a group, these institutional readiness actions can also serve as benchmarks and form a core of expanded cyber resilience collaboration with the public sector and communities.
FIGURE 1: POTENTIAL ACTIONS TO IMPROVE INSTITUTIONAL READINESS