THIS IS NOT Y2K AGAIN!
By Michael Shatter, Partner, National Director, Security and Privacy Risk Services, RSM Australia
In My View
August 2018

I know, I know, yet another article on cyber security. However, sometimes the only way to get a message across is to keep telling the story. There is no doubt that cyber security is in danger of becoming one of those issues where the message keeps being repeated, yet it remains a challenge to tackle it effectively and efficiently. In some ways, the message about cyber security is not too dissimilar to Y2K (although many are still skeptical about the Y2K mania in any case). There are similarities in that Y2K risks were difficult to see, just as cyber security risks are often difficult to see. That is, until a business-critical system is attacked by ransomware, or malware infects your environment and you only find out 7 months later, when it is discovered that $100,000 has been transferred from your account and withdrawn from the bank with no recourse.

An important difference, however, is that cyber risks can be more definitively identified and mitigated. How? Through structured testing, review and reporting procedures, the results of which provide empirical evidence of what the risk is and therefore afford the opportunity to at least make an informed decision on how the risk should be remediated. The skill is doing so in a way that aligns with the risk appetite and profile of the organisation. Alignment is critical: without alignment of the identified risks and mitigation strategies, there will likely be a mismatch between security risks, solutions and strategies.

To provide the best understanding of an organisation's security posture, it is not only the technical results of security testing that are relevant; it is also an understanding of how security governance processes provide an envelope around the security and assurance activities. While the governance processes provide useful outputs in their own right, combining the two moves towards a balanced approach, involving both the performance of technical security testing and the assessment of security governance procedures.

The IT industry is skilled in applying systematic, methodical and planned processes to activities such as systems development and testing. Therefore, it seems natural that the same strengths in planning, preparation, delivery and analysis are applied to security testing. Sure, the big end of town is resourced and doing this well. The challenge for small to medium-sized enterprises is applying this well-known approach in business units that may not be as well funded and where there are competing business priorities. I don't need to state the obvious: this is a challenge for many IT groups and management teams. The opportunity to respond to this risk may be assisted not only by a risk-based approach to how resources are allocated to testing activities, but by marrying the risk analysis to an assessment of security governance processes. Technical security solutions (systems and devices) are an absolutely critical and necessary element, but I believe organisations should be structured around how security is managed holistically across the business.

The best way of translating this is to consider the following steps:

1. Develop a security testing plan that gives consideration as to what has or has not been security tested. A useful way to explain this is to liken it to how safety testing