The first RSA Cyber Security Poverty Index, published in June 2015, measures a number of large organisations against a sample of controls taken out of the US NIST Cyber Security Framework – collecting data from 400 security professionals across 61 countries. The results highlight that 75% of participants show a significant Cyber Security risk exposure. This recent survey is likely to drive discussions at the upcoming 2015 RSA Asia, Pacific & Japan conference due to be held on the 22nd-24th July in Singapore.
The roadmap proposed by RSA to move out of “cyber poverty” involves endorsing the NIST Cyber Security Framework, balancing controls against prevention, monitoring, and resilience (claiming 80% resources are currently focused on prevention) – and finally fixing the disconnect between cyber-policies and operational execution.
RSA qualifies the results of their survey as reflecting an “unacceptable status quo” and concludes by saying that it is time to “start thinking about Security differently and start doing Security differently”.
None of this is really new and, in fact, the results strongly echo those of an earlier survey conducted by McKinsey & Co for the 2014 World Economic Forum. We commented on those in an article published on Computing.co.uk in February 2015.
There is little to argue in principle about the roadmap suggested by RSA, but large organisations that want to transform their Cyber Security practice and build maturity must look at their current Cyber Security situation – without complacency and before jumping into action.
Endorsing the NIST Cyber Security Framework and better balancing resources between prevention, monitoring, and resilience is a good thing to do, but again – it’s nothing new. Large organisations must look back and confront the reasons why they have not acted before on matters of Information or Cyber Security.
The NIST Cyber Security Framework in particular follows in a long series of similar approaches that spans the best part of the last 10 to 15 years: “Identify-Protect-Detect-Respond-Recover” sounds a lot like an update to the “Plan-Do-Check-Act” of ISO 27001:2005, itself replicating a concept introduced in BS 7799 back in 2002.
Of course, threats continue to evolve and are now more virulent than ever, but basic controls (in particular around monitoring and resilience) have been well mapped out for a long time. Large organisations, that have been spending large sums on Information Security over the past decade, with fully staffed, fully functioning Information Security functions during this time – should not be in a position of such low maturity today.
Those large organisations (including those in the public sector, where maturity levels seem to be even lower) have to examine where the roadblocks are that have prevented them from making progress in the past – and ensure these are neutralised or removed. In our opinion, this is a problem deeply rooted in governance, organisational and cultural matters – underpinning the disconnect between policy and execution that RSA has rightly diagnosed.
With maturity levels at rock bottom, in spite of decades of Information Security spend, it is indeed time to start thinking about Cyber Security differently. However, it is not a technical revolution that is required – and there is no software, hardware or technical service alone that can make change happen in that space.
Security technology can support the right Security organisation and enable the right Security processes, but a genuine and lasting transformation of Cyber Security approaches can only come from a full rewiring of existing Information Security practices. This must come from the top and will require a long-term transformative vision articulated into a strategic Security Roadmap and a sound Security Governance model reaching across all corporate silos and geographies.
Managing Director
Corix Partners
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.