Resilience, collaboration and engagement will become vital for organizations hoping to weather a catastrophic cybersecurity “storm” already encircling the world, experts argued at Infosecurity Europe this morning.
During a lively panel debate on the first day of the show, Ransomware Task Force co-chair, Jen Ellis, warned of a multitrillion-dollar annual cyber-threat that has disrupted food and energy supply chains and impacted healthcare systems across the planet.
“This is not a brewing storm; we’re already in it,” she argued. “If you consider the attack surface, the technical debt we’re building … if you consider how hard it is for people in this room to respond to that challenge, then I think we are in the storm. But that doesn’t mean we should give up; it means that we have to work together.”
Organizations should prevent compromise wherever possible, but also be realistic and focus on proactive steps to improve incident response, such as regular tabletop exercises, argued Nick Prescot, CISO at Norgine.
He added that engagement with senior business executives is key to securing buy-in for important projects and ensuring cybersecurity isn’t treated as a siloed technology function.
“This tends to get in the way [of good security] but things are changing,” Prescot said. “We’ve been doing complex cyber assessments for years but suddenly [the board] are paying more attention, which we’re finding tremendously exciting.”
CISOs can help to make their point by ensuring they “never let a good crisis go to waste” in discussions with the board, added Ellis. That could mean capitalizing on current events capturing executive attention, such as the threat from Russian state-backed cyber-attacks, and using them as a jumping-off point to talk about cyber and business risk.
Proposed SEC rules which could mandate cybersecurity subject matter experts sit on boards will also help to change the way business leaders view security, explained Wellcome Trust head of technology and digital assurance, Fene Osakwe.
He added that industry collaboration needs to improve if organizations are to enhance their cyber resilience, but that this may require trusted third parties like government agencies to first create the right frameworks.
“A catastrophic cyber storm is brewing; can we do anything to stop it? I think the answer is no. But we can manage it,” Osakwe concluded.
“We’re moving from a cybersecurity strategy to a cyber-resilience strategy. It’s no longer about stopping it from happening. It’s about even if it happens, making sure that the impact on the business is minimal and that core activities can continue.”