CIO

How to assess your organisation’s cyber security resilience

Establish a common language so everyone understands the technical issues being discussed

High-profile cyber attacks over the past 12 months – the Census and the Bureau of Meteorology are two examples – have company directors scrambling to tighten up their IT security strategies.

Many are now wondering if their cyber resilience policies and procedures are effective enough in a global environment where attacks are more complex than ever. Directors also question how they will respond after an attack to lessen the financial and reputational impact on their organisations.

When creating a cyber security strategy, it’s important to establish a common language so everyone understands the technical issues being discussed.

Cyber security is a term often used synonymously with information security and business continuity and is generally seen purely as an information technology issue rather than a corporate risk issue. The truth is it is both.

The diagram below provides an easy way to understand the relationship between cyber security, information security and risk management, and how information technology management and business continuity also support the management of security risks.

So, what questions do company directors need to ask when assessing their organisation’s cyber resilience?

The following questions are a starting point recommended in a report by the Australian Securities and Investments Commission (ASIC), the body responsible for company regulation.

  • Are cyber risks an integral part of the organisation’s risk management framework?
  • How often is the cyber resilience program reviewed at the board level?
  • What risk is posed by cyber threats to the organisation’s business?
  • Does the board need further expertise to understand the risk?
  • How can cyber risk be monitored and what escalation triggers should be adopted?
  • What is the people strategy around cybersecurity?
  • What is in place to protect critical information assets?
  • What needs to occur in the event of a breach?

Many boards will find that management can only partially answer the above questions. To address this problem, a range of cyber security frameworks have been developed to assist with communication between the board and management and to focus discussion only on the areas that need attention.

Is your organisation cyber resilient?

Several different frameworks are available to assist management in addressing this question. All the reputable frameworks have similar elements and give similar outcomes if applied correctly; however, some are more expensive and complex than others to implement.

In Australia, a commonly used framework is ISO 27000, an international standard against which organisations can be certified as compliant. Certification is a costly process and does not necessarily improve outcomes, so many organisations use this framework without becoming certified.

However, one of the most commonly used frameworks internationally is the Cyber Security Framework (CSF) developed by the US National Institute of Standards and Technology (NIST). This framework is free and can be downloaded and used by any organisation.

The framework complements, and does not replace, an organisation’s risk management process and cybersecurity program. The organisation can use its current processes and leverage the framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.

Additionally, the United States Computer Emergency Readiness Team (US-CERT), which is part of the Department of Homeland Security (DHS), has developed freely available tools to help implement the CSF using the NIST controls defined in the publication Security and Privacy Controls for Federal Information Systems and Organizations.

The easiest tool to get started with is the Cyber Resilience Review (CRR). This tool is a PDF document that provides an assessment designed to measure existing organisational resilience and to provide a gap analysis for improvement based on recognised best practices.

A more comprehensive tool comes from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which is also part of DHS. It offers the Cyber Security Evaluation Tool (CSET), which is also free, can be downloaded on to a personal computer and performs a more comprehensive assessment.

The main benefit of CSET over CRR is that CSET allows assessment reports to be compared, so organisations can track progress over time as improvements are made to their security posture. However, for organisations that have not done this type of assessment before, CRR is the recommended starting point.

Although management must ultimately perform these assessments, implementing the frameworks can take significant effort and be a distraction for the business. Therefore, it is worth considering whether a consultant should be engaged to assist with the first-cut implementation and the initial board presentations.

One thing you can be sure of is that at some point in the future every organisation must do some type of cyber security assessment, so you may as well start now.

Ian Brightwell is principal consultant at DH4. He was previously director of information technology and CIO at the NSW Electoral Commission.