The often-asked question of “are we secure” should be changed to “are we prepared” to better represent a company's position on resilience.
Speaking to Infosecurity, Amar Singh, CEO and founder of the Cyber Management Alliance, said that when he was a CISO he saw a common gap: middle and senior management did not understand the strategies for building a resilient business, “and resilient in terms of if you get attacked can you detect, respond and recover.”
Singh cited one analogy: if you are flying at 30,000 feet and someone hacks the plane, you have two options. Do you want someone to detect, recover and remediate within 20 seconds or within two hours?
“That simple story gets across the importance of building a cyber-resilient business, as there is no excuse for a non-techy to say that they don’t get it as with this example everyone gets it,” he said.
For this, the Cyber Management Alliance launched the Cyber Incident Planning and Response Training course, which Singh said had been certified by both the IISP and GCHQ. The GCHQ-certified course was rigorously assessed to ensure that the course content and materials met the required competency level defined by the IISP Skills Framework.
Singh explained that the course is designed to teach vital processes, knowledge and skills to lead and manage a cyber-crisis.
He added: “What is the one single question most boards ask the security officer: ‘Are we secure?’ The only answer we can give is yes or no. If we said yes we are fired if there is an attack. If we said no we get fired as we are not doing our job. The problem is not with the answer, the problem is with the question.
“We all know that 100% cyber-secure is not possible, so that begs the question on how can you ever give an answer, so why don’t we convince management to ask a different question like ‘Are we prepared?’ The whole logic of this course is once we convince management to ask the right question, it becomes much easier for the CISO and the team to say yes.”