Cyber resilience has become a hot topic as cyber threats now permeate all industries and sectors. No longer the preserve of high-value targets, all organisations and businesses are now targets, including schools, healthcare providers and critical supply chain businesses. Nothing is off the agenda, it seems.
According to McKinsey, only 1 in 5 companies cite cyber security as one of their key business challenges today. To some this might be understandable, given how much the way we do business, and run our businesses, has changed. For us, however, this does not sit comfortably.
Asking difficult questions is not something most business leaders shy away from. Yet although there is awareness of the significant threat cyber-attacks pose to organisations, being prepared to tackle the reality is not high enough on the board-level agenda. Cyber resilience needs leadership focus. Awareness doesn't always lead to action, and one of the main reasons is likely a combination of a lack of resource and a lack of knowledge; this can be the case in organisations of all types and sizes. If you find yourself in this conundrum, facing up to the need to act need not be overly challenging: you don't need to hire lots of people and wait months to build knowledge before you start.
According to Forbes, the role of the Virtual Chief Information Security Officer (vCISO) should be of increasing interest to businesses small and large. A vCISO lets you buy in the skills and experience of a seasoned CISO at a fraction of the cost, and with significantly shorter lead times before they start work with you. The vCISO offers an immediate representative at the board table who can begin to build resource and knowledge relating to cyber security, and start the process of changing both attitude and strategy.
How you engage with your chosen vCISO will determine their remit. If you are early in the process, a solid starting point is to work with them to understand your critical risk points, and to identify the key business stakeholders, outside the leadership team, who need to be involved in your cyber security strategy.
Even with dedicated and experienced resource, you cannot protect fully against cyber threats, so a "best prepared" approach and mentality should be adopted from the outset, increasing levels of cyber resilience along the way. It's hard to know what to ask and where to focus, especially as the way we work and operate now is so different from even 2 years ago. A vCISO brings something quite unique: a broad, outside perspective drawn from all the roles they have held, and hold, across a range of businesses and sectors. This is a valuable asset to invest in, especially early on in building your cyber security strategy.
Cyber security is a whole-business challenge, not just one for the board, senior teams or the IT team, so a dedicated approach to planning and embedding processes, systems and recovery will pay off when a cyber-attack happens. People are central to this, across all parts of the business and at all levels. People are often cited as a weakness, or at best an entry point for cyber-attacks, so not investing in them would be a missed opportunity. Making targeted and sustained cyber security training a central part of the cyber security strategy will both enable the rollout of the strategy and create a critical line of defence in your people. However, there is little point in doing this if your leadership team have not had the training they need, and deserve.
Training your leadership team in cyber security not only demystifies the subject for them; it also gives them a foundation on which to make investment decisions to build up cyber security, and it offers the opportunity to create a security culture that belongs to everyone. Learning how to better protect the business and its staff by mixing with, and learning from, others facing the same challenges at the same level across a range of industries will be of real value. Every leader needs to be informed about the pragmatic steps they can take to protect the business and ensure it still runs the way it needs to.
Dedicated resource, strategy development, top-down training investments: these are all needed for an organisation to best protect itself from an ever-growing and complex set of cyber threats. However, testing everything is a final layer of preparation that your business must invest in. There are myriad ways to do this, including building and delivering Incident Response exercises that put the team and processes to the test in realistic scenarios. We go into more detail in this article, but the main aim of these exercises is to ensure that your people, processes and technology can respond as efficiently and effectively as possible in the face of an attack, and that the organisation is open to learning and developing from the process.
Cyber risks are plentiful, growing and fast-moving. As businesses and organisations of all types move to a more digitised operating model, the two are colliding at a rate not experienced before. Whatever your position, fears or hopes regarding cyber security, the journey towards cyber resilience must start now. Working towards greater cyber resilience is a must for 2022.