Enterprise Security Magazine Europe

Cyber Risk - The Key to Take Cyber into the Transformation Journey

Luís Morais, Chief Information Security Officer, Galp

Society, our planet, and technology are rapidly changing, and consequently our customers are pushing our businesses towards enormous transformational processes, bringing in greater sustainability, digitalisation, agility, and data-driven decision making.

The same pace of change is seen in the cyber threat landscape, where cyber criminals (and state-sponsored actors) with far greater access to resources than most organisations are continuously adapting and evolving to exploit and profit from weaknesses in our people, processes, and technologies.

What this means to us, cybersecurity professionals, is that we, too, need to change. The old ways of “here is my security policy, follow it!” do not work anymore. Driving at 65mph on a highway with a 70mph speed limit can at times, albeit compliant, be very risky (in adverse weather), while driving at 75mph can, albeit non-compliant, be almost risk free (in the right conditions) and get us to our destination faster. Nowadays, our businesses are speeding down the transformation highway, and this is a huge challenge for cybersecurity, pushing us to sit together with the business, advising them when to brake, but also when it is ok to speed up. If we don’t do this, we will simply be left at home for this journey.

The key strategy for this approach is (as when driving) to focus on the risk and make sure it is a key element taken into account in decision making, adjusting its perception not only to existing threats but also to the real impact they can (or cannot) cause to our businesses.

This, however, is not an easy process. To succeed, we need to deeply understand our business (while building the relationships and trust) and pragmatically determine which cyber risk factors can have a real and material impact on it, linking these risk factors with concrete business risks (e.g. operations downtime, reputational impact, or regulatory issues).

With this framework in place, we are then able to measure the real impact of cyber risks on our business and empower decision makers to make informed decisions based on data. If successful, cyber risk becomes business-as-usual, and our people become cyber ambassadors, being the ones taking the initiative to request our support in assessing the cyber risk of their projects and initiatives, as in the end they also want to be successful.

On top of the required efforts towards protecting against and preventing cyber threats (which can be heavily supported by the Digital Transformation journey, since it brings greater standardisation and the adoption of good protections, such as multi-factor authentication, APT protection, and zero trust, with relatively reduced effort), organisations then need to invest in creating a capacity to anticipate cyber risks, identifying weaknesses and interdependencies in technology, people, other processes, and third parties. As if this were not hard enough already, they need to create mechanisms to do this in near real time, to cope with the pace of change of today’s technological landscape (where systems can be created, used, and destroyed in minutes and on the fly) and of cyber threats.

Last, but definitely not least, organisations need to be prepared to react when all of the above fails and incidents happen, not only to be able to get out of them unimpacted (or mostly so), but more importantly to identify which weaknesses were exploited and prevent them from being exploited again—learning from experience and becoming a de facto cyber resilient organisation.
