SureCloud is a long-standing member of the ISF and proud sponsor of the ISF World Congress 2020, as well as a provider of GRC solutions that include an ISF-approved IRAM2 solution.
In my previous blog, “Part 1 – A Roundup of ISF Spring Chapter UK- Looking back and learning”, I discussed the moon landing, how cybersecurity became mainstream and how to focus the Board on your cybersecurity programme.
My next piece focuses on how organisations can prepare for the threats ahead, CISOs’ priorities and forward-looking GRC programmes. So, let’s dive in…
If the coronavirus has taught us anything, it’s that risk managers, and in fact everyone, should consider far-fetched threats in their planning and programmes. Jordon Kelly kindly walked the audience through all nine key threats in the latest ISF Threat Horizon report, which can be found here. The ISF’s Threat Horizon report uses a PESTLE analysis to create a roadmap that informs future projects for ISF members. I’ll give you a summary view of a few of them in the hope that you will want to deep dive into the full report.
As a marketer, a key threat that piqued my interest was behavioural analytics triggering consumer backlash. As technology such as cameras and other smart home sensors becomes more sophisticated and organisations become more dependent on behaviour analytics, so too will public awareness grow. We’re already seeing the public become more cyber-aware and begin to view techniques with high levels of exposure as invasive and unethical.
Kelly used the example of Argent’s facial recognition software, which was implemented at King’s Cross Station without consent and caused them to backtrack and remove features. Argent then had to consider the big question of how you store or destroy that data effectively. Under intensifying scrutiny from consumers and regulators, the data is also a key target for cyber-attacks. So, brands have a responsibility to implement a strategy to prevent exposure, adhering to the need for integrity and continuity. This can often be achieved through clear, transparent data-gathering policies, identifying how their vendors use data, and ensuring privacy is incorporated into corporate policy and business processes.
With the rise in climate change, ‘extreme weather’ is to be expected, with an increase in frequency, severity and the likelihood of occurring at unexpected times. The issue here is that it can cause damage to physical and digital assets. For example, data centres are often situated on lower land because they need to be cooled by water, which could mean increased flooding and so may result in a change of strategy or location. Business continuity and disaster recovery will become ever more critical to organisational planning and should be revised with extreme weather kept in mind. More recently, the ISF has also advised transferring risk to cloud-based providers as a way of combating environmental threats…
As a Gen Z employee, part of the “first truly” digital generation, this threat also grabbed my attention. I was interested to hear how we are viewed as an upcoming danger in the information security world. The behaviours and attitudes exhibited by the group born between 1995 and 2010 include the need to overshare online and a continuous drive for instant gratification. This suggests that they are reckless with security, privacy and content consumption, leaving an open door for hackers to exploit, which could lead to reputational and financial damage to brands. To combat their trusting nature and security ignorance, organisations should work on their approach to controlling social media, e.g. with well-defined policy, as well as creating tailored Gen Z training and educational workshops during onboarding and within annual refresher training.
The positives of Gen Z should also be noted, as they push for social movements for good. They are seen to actively look for brands that engage in ethical practices and have a positive impact on society, including the need for sustainability. It is critical that organisations consider updating and aligning their corporate values and missions to match the younger generation’s needs.
Mark Chaplin, Principal at the ISF, spends a significant part of his working life chatting to CISOs. His presentation therefore brought us insight into CISOs’ main objectives, which are to reduce the frequency of loss events AND reduce the financial loss from those events. Essentially, “lose less, less often”. He discussed what their focus will be over the next 12 months, arguing the need to move away from firefighting, a term that I heard continuously throughout the two days from many delegates. How would they go about doing this? By focusing on the basics, and not getting distracted by the *coughs* “new” tech, e.g. Artificial Intelligence (AI). This need for simplicity is something we have found to be very popular in our campaigns, including our latest third-party risk back-to-basics webinar, which you can watch here, as well as our latest security feature with SC Magazine, which you can find here.
He also discussed the importance of identifying our crown jewels and how we should always consider intellectual property in whatever we are doing. The other key focus I picked up on related to adopting a risk management mindset by putting the risks at the heart of what you do.
He outlined the benefits of risk management, which include improved governance, reduced costs, higher profits, operational efficiencies and the importance of trust, reputation and brand. These three key basics of focusing on IP, traditional tech and risk management could be a way for CISOs to finally step out of the fire. What do you think?
As you have seen, the main themes from the Chapter’s presentations are risk and learning from the past, which were also pivotal in SureCloud’s Matthew Davies’ presentation, where he tackled the need to align with best practice within GRC projects. He discussed the importance of moving out of the past, mainly in relation to managing complicated spreadsheets or clunky homegrown systems, and into the future of cloud-based GRC solutions.
How do you get there effectively? By focusing, as Richard Wiseman’s Apollo mindset discussed in Blog 1: Looking back and learning, on “one step at a time”: concentrating on the power of small wins, remembering where you started and focusing on where you’re going. The automated, streamlined BAU programme is your risk management moon. Like the mission controllers, Matthew emphasised the importance of sufficiently testing and incorporating review sessions.
This leads to understanding the importance of over-preparing before launching the software into your organisation’s way of working. You need your stakeholder (Kennedy) telling you to go away and get it done, and clear business objectives to fuel the passion of your team. Ultimately, this helps you to keep working towards the project’s end goal, which should be a robust GRC programme underpinned by your shiny new tool.
It’s “everyone’s responsibility” to ensure that information security and effective risk management practices within an organisation are maintained. I can see the need to view cybersecurity as a build-in, not a bolt-on, but to do this we need relevant stakeholder buy-in and effective training programmes with well thought out communication. Bringing people together as a team, both internally and on a global scale, as we all work through these uncertain times will go a long way to keeping us safe. Hopefully, this will lead to a feeling of celebration similar to the one felt when man landed on the moon, once we’re finally out the other side of social isolation.
Read up on books recommended during the two days here: