Director at i-confidential
For over 15 years, i-confidential has been instrumental in developing cyber transformation programmes for many of its clients. Along the way, we have seen the chief security officers (CSOs) who own these programmes face a similar set of pitfalls and challenges.
One of these is the impact of audit teams on the transformation approach. In businesses where cyber security has not been a priority, it is often left up to auditors to point out what is wrong. This is necessary because audit is the last line of defence and often serves as an organisation’s conscience. It can, however, lead to a narrow focus on a specific set of audit findings rather than the underlying risks.
The wider impact of not having an effective cyber security strategy in place can be overlooked. Investment priorities can end up being based on management’s natural aversion to open audit issues, rather than on a fully assessed, risk-based approach to addressing cyber weaknesses. This can lead to long delays in addressing the most serious security problems.
At i-confidential, we help clients address this challenge with our Security Health Check offering, which assesses their true cyber risk position. We then convert this understanding into a set of prioritised, costed improvement activities. Our Risk Reduction Equaliser is designed to demonstrate how any investment will move each material cyber risk from a high or medium level to a position within an agreed risk appetite. This allows organisations to make much better ‘cost vs. cyber risk’ decisions. Crucially, it also enables them to determine how long certain risks will be accepted.
The audit team is included in this risk acceptance plan and can therefore focus on validating the overall strategy and the current year’s specific risk reduction deliverables. This approach ensures the most important risks are addressed first, while the others are formally accepted until they are remediated in a later phase.
Using our Security Health Check, CSOs can be sure that their cyber programmes are complete in terms of required activities and costs. What gets the buy-in from the audit and risk committees, however, is the clear articulation of risk reduction over time as these programmes deliver. Gaining this wide support allows the delivery teams to focus on achieving their security transformation goals.