Read the book Beyond Cybersecurity - Kaplan James M. - Page 10
Executive Summary
BUSINESS LEADERS MUST DRIVE CHANGE
Cybersecurity has several characteristics that make it tough for large, complicated institutions to address in an integrated way. Cybersecurity is pervasive – it touches just about every business process, which means that many cybersecurity decisions have a far-reaching market and strategic impact, requiring senior management engagement. Conversely, getting the right level of senior engagement is also tough: the language is arcane, cybersecurity teams often lack the skills to interact with senior executives, and few tools exist to quantify cybersecurity risk or mitigation.
Too many companies put programs in place that avoid these inherent challenges rather than address them. They conduct mechanistic assessments that may not unearth the real issues. They fail to consider the full range of risk reduction mechanisms. They approach the task of achieving digital resilience as a technology program focused on compensating controls rather than as a business strategy and operations program with significant technology implications. Perhaps worst of all, they neglect to engage senior business leaders effectively.
An effective cybersecurity program that will make rapid and sustained progress toward digital resilience must be designed from the start around three principles:
1. Collaborative engagement between the cybersecurity team and their business partners to prioritize risks, make intelligent trade-offs, and, where appropriate, change business processes and behaviors rather than implement technology solutions to manage risks.
2. A focus on resiliency in the broader IT organization, to facilitate the convergence of security, efficiency, and agility – and to make sure that IT managers design technology platforms from the very beginning to be resilient and secure.
3. A dramatic upgrade of the skills and capabilities of the cybersecurity team so its managers can understand business risks, collaborate effectively with business partners, navigate a rapidly changing technology environment, influence application and infrastructure environments, and implement active defense tactics.
This implies an ambitious agenda, and companies may be inclined to walk before they run. Unfortunately, attackers will not patiently wait for cautious companies to improve their cybersecurity capabilities in this incremental manner – companies must act in a proactive and determined fashion now.