The 2020 UK Cyber Security Breaches Survey states that in 80% of UK organisations senior management treat cyber security as a high priority, a figure that rises to 95% for larger businesses. These are promising statistics, especially when compared with the 2016 figure of 69%.
What's driving this increased commitment to cyber security?
The constant evolution of the digital world, the increased adoption of cloud-based services and the ever-changing attack surface that organisations face.
Among the top concerns for an organisation and its reputation are protecting personal or sensitive information, complying with laws and regulations, and being able to respond to disasters and breaches.
Continued focus on regulatory requirements and legislation is key to driving progress, and most organisations are bound by industry, operational or more general data privacy regulations. In the period leading up to the General Data Protection Regulation (GDPR) coming into force in 2018, there was a huge effort by organisations to become compliant. The ubiquitous GDPR media coverage of a couple of years ago had a huge impact on senior leadership teams: they sat up and listened to the risks they faced.
These regulations exist to ensure that organisations that hold valuable data and provide critical services are held accountable when things go wrong. The regulators are not simply out to make money by handing out big fines; they are predominantly concerned with simplifying data protection rules and giving individuals in the EU control over their personal data. In turn this drives better data governance and security improvements.
The most significant challenge when complying is determining where to start and how good you need to be. In many cases the information security foundations don't exist in the first place, so there is nothing on which the appropriate bricks can be laid.
More than just meeting compliance requirements
Being compliant doesn't necessarily mean an organisation operates effective information security controls. Compliance programmes are often seen internally as an arduous process, but they play a huge part in an organisation's priorities and initiatives, and they certainly don't have to be painful.
If you don't know how effective your organisation is at detecting a cyber incident, or at analysing, responding to and recovering from one, then a tailored security assessment is what you need. A successful tailored assessment provides two views of your information and cyber security functions:
- The level of compliance of your existing cyber security controls. This is measured against all relevant regulatory requirements, industry standards and best practices appropriate to your organisation
- The level of effectiveness that these controls actually provide. This shows you how well your current security programme is working and which areas need to be improved to get the most out of your security spend and investment
The outcome of a tailored security assessment provides a clear basis for building a roadmap that is compliance-driven and right-sized to your organisation.
Security assessments are tailored in breadth and depth to each organisation according to its industry and regulatory requirements. Assessments can incorporate an additional deep focus on specific areas of security, either in response to previous drivers (e.g. earlier cyber attacks or audit findings) or in response to business changes (e.g. partnerships with third parties, or a move to the cloud or to managed services). For example, an organisation whose business relies heavily on a third-party supply chain will need a strong third-party assessment and assurance function.
Over the past few years, Savanti have seen first-hand that regulatory requirements and legislation are an ongoing driver in progressing cyber security. However, this should always be aligned with the overall organisational context to ensure that any security compliance activities are relevant and meaningful. A good security assessment will not only appraise current cyber security controls; it will also assess how effective these controls are in protecting your organisation from attacks and breaches, and how well they support overall business goals.
It's important to act on these findings to make security improvements, and to use your prioritised set of recommendations to keep driving your security journey, whether the aim is to adhere to regulations, win new business or protect yourself from cyber risk. Best of luck!