Cyber security risk assessment

The 2013 Information Security Breaches Survey – published yesterday – makes it very clear that the vast majority of business management teams and boards are concerned about cyber security, but are signally failing to translate that concern into a set of effective cyber defences.

This is not surprising – organisations build their IT infrastructures (and their IT teams) to deliver against business objectives, such as satisfied, more profitable customers. Most IT teams do not also have extensive cyber security skills and competences; even where they do, keeping those skills current and that knowledge up to date with the most recent attack vectors and security requirements is a substantial challenge.

That’s fine because, luckily, cyber security skills and competences are readily available from specialist cyber security companies – such as my company, IT Governance Ltd. More importantly, these skills are available in a highly focused format, the cyber security risk assessment: a three-day exercise designed to analyse and assess the gap between what an organisation actually does and established good practice (such as the UK Government’s 10 Steps to Cyber Security), and to provide a clearly articulated action plan that will lead the organisation quickly to a more secure position.