In the risk management field, we often hear that it's not a question of if you will be hit by a cyberattack, but when.
But that's still not enough, says Stefan Didak, head of security consulting at Adnovum AG.
Instead, he told an audience at the Risk-!n conference in Zurich, “It's not a question of when they will get in. They're already in. The question is just whether you haven't detected it yet.”
Against this backdrop, he identified three key priorities that are essential to improving cyber resilience and identifying, managing and recovering from attacks:
Cyber Hygiene
His first pick in a company's arsenal against hackers and cybercriminals is cyber hygiene. This sounds obvious, but Didak says cyber hygiene is often overlooked because companies rely too heavily on cutting-edge security software.
He summed up the problem with a quote from Bruce Schneier: “If you think technology is going to solve your security problems, you don't understand the problem, and you don't understand the technology,” adding that the longer he's in the industry, the more obvious this becomes.
He explained: “In the cybersecurity world, technology seems to be at the forefront. Cybersecurity vendors try to sell you on superior technology, claiming to make more secure, more compliant products, etc. But I always find that companies invest heavily in technology, but don't invest in people, processes, or even basic psychology.”
Top-down support
Didak's second key pillar of cybersecurity is support from the board and senior management, without which he argues no cyber resilience plan will be successful.
The challenge risk management functions often face is being seen as a compliance tool or a cost center, but this impedes building a culture of resilience and cybersecurity awareness.
To combat this and effectively address cyber threats, organizations need to set the right tone from the top, and this starts with the C-suite.
“A lot of CCOs are leaving companies probably because regulation-focused companies put these people in place just to be compliant on paper, so they were basically hired as scapegoats,” Didak said.
“We didn't have the mandate or funding to do a proper cybersecurity program, and we didn't have input from senior management, the board or the CEO. If you want to have a good security program, you need top-down support.”
Risk-Based Approach
The final element of Didak's guide to a successful cyber strategy is to adopt a risk-based approach.
To achieve this, he says, companies need to have the right controls in place, continually test and improve them, and engage in regular risk management discussions on these topics.
He said: “[IT] asset management. It's not something we talk about very often because it's not sexy. But it's a fundamental element of security: how can you ensure security if you don't know what's in your company or on your network?
“I've had a number of companies tell me that they've grown so much over the last few years, acquired a lot of other companies and of course used other systems. Essentially, they had no visibility into their IT assets. That doesn't allow them to do proper vulnerability management, proper hardening, or even really manage their data.”
“But if you do all these things,” he concludes, “you're off to a very good start. It's not about fancy techniques, it's about getting the basics right.”