CyberSecurity Transformation Briefing Note
This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, then please contact Mark @ 604-349-6557 or mesbernard@gmail.com
“Business transformation is about making fundamental changes in how business is conducted in order to help cope with a shift in market environment” (Kotter, Harvard Business Review, January 2007).
The transformation of any organization is a delicate strategic initiative that requires careful planning and execution. When Transformation and CyberSecurity are mentioned in the same sentence, most Executives will immediately be concerned about potential delays to current business plans and about complaints, because generally people don’t like change. Adopting a CyberSecurity framework like ISO/IEC 27001 doesn’t automatically result in delays, complaints or extraordinary costs unless management makes a decision based on incomplete or inaccurate information.
Over the last decade the escalating cost of CyberCrime has been estimated to exceed $445 billion globally. In addition, there are growing threats to our national security and to the critical infrastructure that supports our economy. These developments are forcing adjustments in strategic thinking. The probability of reputational and financial damage is at its highest in the last 40 years of computing. The need to transform organizations from ad-hoc security to full programs is changing Boardroom priorities.
The CyberSecurity transformation project requires planning, and the following questions should be asked: What assets are we attempting to protect? Within each organization there is a governance structure, so who are the portfolio Executives? What is the predominant management style? What is our business model? What are our mission, strategic goals and objectives? Do we currently have the capability and competencies to design, implement and maintain a CyberSecurity Program? How are we going to communicate decisions and sustain awareness once the ball starts rolling? A well thought-out communication strategy will play an important role in the success of this transformation project.
The initial strategy will need to take all of the above into consideration. Begin with a review by talking to middle management and subject matter experts to verify and validate the assets and risks. This will act as input into version two of the strategy. A risk assessment needs to be facilitated against six key assets: (1) People, (2) Information, (3) Software, (4) Hardware, (5) Telecommunications and (6) Physical locations or facilities in scope. The Governance Committee makes risk-based decisions to accept, mitigate or reject each identified risk, followed by corrective action plans and/or preventive action plans. These plans can be added to projects as necessary. Establishing a risk management Policy can speed up the process by documenting the risk appetite and empowering managers and employees to make risk-based decisions, further avoiding a potential bottleneck.
In a perfect world the Enterprise Information Security program should be established first. This program would naturally flow into the CyberSecurity program. See Table A. The CyberSecurity program scope is much narrower. The Enterprise Information Security Program addresses risks to data, information and knowledge flowing across the Enterprise and its vendors and service providers. In contrast, the CyberSecurity program is concerned with the protection of data, information and knowledge flowing outside physical locations across open networks like the Internet.
Table A
Recommended