October is National Cyber Security Awareness Month, reinforcing what is top of mind for many in IT. Given the recent breaches in both the private and public sectors, cyber security awareness, education and training are critical to success in today’s business world.
In his blog post “Cyber Security, What Needs to Change Now,” Cisco’s John Stewart recently shared his belief that ownership and education are two things that need to change in order for cyber security to be effective.
In it, Stewart contends that before we can even approach those elements, we must begin to view cyber security as “a strategy, and one that senior leaders in all organizations must embrace and own,” as Cisco does. He goes on to say that cyber security cannot be merely a “checkbox” for organizations.
With Ownership Comes Great Responsibility:
According to Stewart, part and parcel of owning that cyber security strategy is investing in knowledgeable sources, such as in-house legal counsel and/or private subject matter experts, to ensure that the organization is plotting the correct course in devising a cyber strategy.
He also says that “it is no longer acceptable to put cyber risk in one risk bucket with every other type of business risk.” Cyber security, according to Stewart, has to be a priority for an organization.
With Great Responsibility Should Also Come Education and Awareness:
Educating oneself and employees about cyber security is the first step for senior leadership to take ownership. To start, Stewart suggests senior leaders consider the following:
• Which threats are relevant to our business?
• What’s connected, how does it work, what are the critical services, and who runs it?
• Is cyber part of the plan and, if so, who is held accountable for it?
• Do we have formalized response processes and capabilities?
• Do we have a disclosure process that we follow?
• What are our law enforcement and government relationships?
• Is our system of controls equal to risks?
• What else do we need to know?
In addition, Stewart explains that you should “demand verifiable trustworthiness from IT vendors.” To demonstrate the importance of this, Cisco created its Cisco Secure Development Lifecycle (Cisco SDL), “a repeatable and measurable process…designed to fortify the resiliency and trustworthiness of our offerings.”
To read “Cybersecurity: What Needs to Change Now” in its entirety, click here.