
Part 1: Roundup of ISF’s Spring Chapter UK 2020 | Looking Back & Learning
Written by

Lucy Montague

Published on

30 Oct 2020


The Event

In the first week of March 2020, many of the British-based ISF members headed to London for the UK ISF Spring Chapter Meeting in the West End. Held three times a year, the ISF Chapter Meetings give Members an opportunity to meet and discuss security and risk management issues within their region. This two-day event provides a peer-to-peer forum for professional networking and exchanging ideas, in addition to learning from industry experts and ISF Analysts.

From a personal perspective, this year’s UK ISF Spring Chapter Meeting encapsulated two key areas: looking back and learning from failures, and preparing for the future by optimising current programmes, people and processes.

So, to begin at the beginning…

Looking back – The Importance of Reflection

‘Shooting for the Moon’ – Learning from the Moon Landing on Success

Richard Wiseman set the scene for the conference with his book “Shoot For The Moon”. Wiseman was the first to interview the mission controllers who got man to the moon, wanting to dive deep into the mindset of success and project management. He took us through the failures, including the January 1967 fatality, which led to the victory two years later, as well as the Kennedy mindset of “go away and think bigger”, which gave a group of middle American twenty-somethings the chance to achieve the impossible by the end of the decade. Their lack of ego, combined with their drive and passion “to do their bit”, made for a successful team that spoke only as “we” and “us” rather than “I” and “me”. Wiseman describes 8 key points to achieving the “Apollo Mindset”. My top three favourites were preparedness, the power of small wins and openness to mistakes. Essentially, getting on with it and working hard without ego stopping you!

I was inspired listening to how the world came together in celebration as they watched the most televised event in history (over 53 million households, to be exact). I asked Wiseman where we are now in this individualist society fuelled by social media likes and shares: would we ever be able to have a similar global moment again? His optimistic side hopes we will.

Considering the current worldwide issue of the Coronavirus (COVID-19), it seems as if it may be the perfect time to tap into the 1969 spirit of working together rather than isolating ourselves as siloed countries and regions. Some individuals have already embraced this collective mindset – check out the BBC’s article on acts of kindness during this unique time to get inspired here.

Exploring the Last Decade in Security with Ernst & Young

Moving forward into the 2010s, Naina Bhattacharya from Ernst & Young supported Forrester’s claim that the 2010s were the decade when cyber hit the mainstream. The decade opened in 2010 with the UK National Security assessment rating cyber-attacks as the #1 threat, which set the scene for what followed. Cybersecurity then hit the headlines, our silver screens with shows such as Mr Robot, and our social media channels, including the infamous Facebook and Cambridge Analytica data breach. By 2019, a noticeable breach was occurring month-on-month, including Marriott’s and British Airways’. This progression moved our mindset from ‘if’ to ‘when’ we will have a cybersecurity attack, and cybercriminal groups now operate like traditional professional organisations, with holidays, set hours, quarterly goals etc. Despite this widespread coverage and awareness, we ended the decade with cybersecurity still feeling very much like a bolt-on.

How do we evolve beyond this in the 2020s to an effective built-in cybersecurity programme? Naina advises:

  1. Establish cybersecurity as a key value enabler
  2. Build relationships based on trust
  3. Implement better governance structures
  4. Focus on board engagement
  5. Evaluate the effectiveness of the CISO function

The History of Cyber-Risk in Business Context

Graham Rance from BitSight reflected as far back as the start of the millennium before bringing us up to today, and spoke about how to focus on Board-level engagement. He began with a focus on measurement of security outcomes: the earliest approach measured the absence of negative outcomes against objectives, which resulted in standalone compliance processes that did not embed compliance efforts within an organisation’s business-as-usual activities. The next phase was the familiar active testing, in the form of Vulnerability Management, which improves communication because it is easier to speak to the Board about progression, particularly if you have a dashboard system to report on progress. Integrated Risk Management was then introduced to the mix; however, the definition and scope of the different elements that fall under the IRM umbrella can cause complex communication challenges without the right clarity and reporting, which is often derived from tooling.

BitSight has introduced security ratings to help plug some of these gaps by enabling clear visibility which leads to easy discussions with stakeholders and provides daily updates and alerts. The BitSight offering provides you with accurate, measurable reporting, which reflects the changing vendor risk landscape and your levels of compliance/vulnerabilities against industry recognised frameworks. This handy quantitative reporting feature is now integrated into SureCloud’s Third-Party Risk Management solution. If you’d like to learn more about the exciting joint offering, please click here.

Next week will be part 2 of the round-up, which focuses on ‘Preparing for the Future’. The blog will look at how organisations can get ready for the evolving threat landscape, including extreme weather, CISOs’ priorities and forward-looking GRC programmes.

Don’t want to miss it? You can subscribe to my alerts below by filling in the pop-up form.