Security Think Tank: Aim at joined-up security for clearer risk view

Research from Accenture indicates a disconnect between perception and reality of resilience as far as the UK boardroom is concerned.

According to the research, nearly two-thirds of C-suite executives polled said cyber attacks occur daily or weekly, yet only a quarter said their company always incorporates measures into the design of its technology and operating models to make them more resilient.

This disconnect was also highlighted by a survey from the Economist’s Business Intelligence Unit. Dominated by C-suite level respondents, the Cyber Incident Response survey found that 39% did not have a formal incident response plan at the time of answering, and yet, of those organisations which admitted having no plan (and no team), almost 38% claimed some level of preparedness for a cyber incident.

This shows a level of wishful thinking not normally associated with boardrooms and does make one wonder if they exercise the same kind of magical thinking in relation to finance or HR. A lack of C-suite leadership in resilience matters greatly when it comes to how successful policy and process adoption is and how fit for purpose any resilience plans, such as business continuity, will be.

Enterprise risk and its register frequently sit in a different part of the organisation from security risk or information security risk. This separation compromises business resilience, and oversight at senior level will therefore be flawed and incomplete.

Part of the solution here is a risk-based approach to resilience and the security and process designs that follow from it. The plans need a boardroom champion who takes overarching responsibility for their design, testing and implementation, as well as for their renewal, retesting and embedding in business culture.

Joining up the thinking across silos such as facility management, security, IT and information security under one overall leadership will help close some of the gaps that are being exploited, such as vulnerable building management systems that can be used to gain a foothold in a business and move across unsecured borders into other areas, including corporate networks.

Ensuring there is some IT security oversight of all systems will also bring them into the regimen of patching, updating and testing that corporate networks and systems enjoy, instead of leaving them out in the cold to become increasingly vulnerable.

This applies doubly if the platforms they are built on become obsolete and are no longer supported by security patching. Facility managers may be unaware that a system they are managing is actually a potential threat to the organisation; security will be unaware of something that needs protecting; and the boardroom will be oblivious to where or what the threat is, because there is insufficient oversight of a joined-up security landscape at that level.

Mike Gillespie is director of cyber research and security at The Security Institute.