Why scaling cyber security controls has never been more important

Manoj Bhatt

Head of Cyber Security and Advisory, Telstra Purple

Organisations across the globe supercharged their digital transformation efforts over the last 18 months, with innovation occurring at one of the fastest rates in history.

According to McKinsey, organisations accelerated the digitisation of their supply-chain and internal operations by three to four years over the course of 2020, with the share of digital- or digitally-enabled products in their portfolios accelerating by seven years.

But that pace of change brings with it significant challenges. For example, this historic acceleration hasn’t always been aligned with cyber security priorities. That’s especially important given cyber security leaders now note that “providing secure remote access to resources, apps, and data” is their top challenge, according to a Microsoft report.

Many organisations must now retrofit their security controls to support new digital investments, which is problematic given the rate of adoption and transformation that’s occurred over the past 18 months.

These efforts will present many challenges, especially considering the growing sophistication of threat actors targeting organisations and – increasingly – their supply chains.

This topic was explored in depth during a recent Cyber Security Roundtable event at the Australia-United Kingdom Chamber of Commerce, held in partnership with Telstra Purple and featuring the below speakers.

Manoj Bhatt
Head of Cyber Security Advisory and Consulting at Telstra Purple EMEA
and ClubCISO Advisory Board Member

Stephen Khan
Chair of ClubCISO

Erika Lewis
Director of Cyber Security and Digital Identity at DCMS

Dr Tobias Feakin
Ambassador for Cyber Affairs and Critical Technology
at the Department of Foreign Affairs and Trade

The event brought security leaders together to discuss the next steps for organisations in bolstering their cybersecurity proficiency, as well as the role governments should play in supporting businesses at this crucial time.

Here are some of the highlights from those discussions.

 

Bringing the right skills on board

Attaining cyber skills has always been highly competitive, but it’s become even more challenging as a result of the pandemic.

According to Gartner, there was a 65 per cent upswing in demand for cyber talent in 2020 in the US, and a 5 per cent rise in the UK, driven by increased demand from big banks, technology giants, and niche infosecurity companies.

To alleviate this issue there needs to be wider recognition of the need to support cyber professional skills across industry boundaries. Organisations should consider establishing apprenticeship programs to train up new or existing staff, helping to build the right qualifications and experience.

Similarly, organisations need to be more collaborative. By working with universities and other institutions to ensure the right skills are built into education programs, businesses can increase the support they offer to new graduates as they begin their career paths.

The widening gap has disproportionately impacted small and medium businesses (SMEs), which have found it difficult to compete and lure talent from larger organisations. This is an ongoing challenge, potentially requiring intervention from governments who could work with SMEs to incentivise and upskill their cyber workforce.

SMEs should also consider leaning on third-party support to help them navigate through this uncertain period, prioritising access to tech support, help desks, and trusted partners – especially if they’re based in regional areas.

Managing the swelling risk to supply chains

Increased collaboration with third-party organisations has been critical to the innovation we’ve seen over the last 18 months. But it also increases your organisation’s attack surface significantly.

The SolarWinds attack highlighted the impact of these threats clearly, with up to 250 organisations and two dozen government agencies penetrated through a single, sophisticated campaign.

Supply chain risk has never been higher, with new types of attacks proliferating, growing public awareness, and increased oversight from regulators. And, as attackers are often backed by nation-states, criminals also have access to more resources than ever before.

As organisations have brought on new third-party stakeholders, they’ll now need to pay close attention to how they’re securing these ecosystems.

Supply chain risk is its own industry and, while it’s not linked to a central framework of compliance, organisations need to consider measures that are directly proportionate to the risk it presents to their business.

This will include creating a secure community for suppliers who can be vetted and constantly assessed via ongoing security health checks across the supplier engagement.

These communities should be as collaborative as possible, with mandatory risk frameworks that aim to reduce risk and demonstrate to supply partners that organisations are compliant with regulations. This standardised framework would be useful as an extension of group risk assessment tools.

 

The role of government support

The UK and Australian governments have already introduced some important legislation and cyber strategy documentation to help drive awareness and influence organisations to prioritise cyber security throughout their organisation and supply chain. However, there is still work to be done.

In Australia, there has been a strong push to continue to legislate around digital issues, although a balance must be struck between strict enforcement and providing capacity for organisations to respond in times of extreme crisis, as we’ve experienced in the last 18 months.

In the United Kingdom, we’ve seen some important measures raised in parliament, although often with long lead times for legislation to be passed and implemented. It can be challenging for organisations to adapt and comply with new laws given the inconsistency of time frames.

However, developing regulation is a difficult feat. While there is an appetite to globally unify business to adopt digital standards, this varies across jurisdictions and can be confusing for organisations to follow.

In this sense, there are opportunities for more collaboration across governments to create more comprehensive joint frameworks. This would provide greater access to cyber security best practices and provide clearer guidance for organisations when it comes to compliance.

Through collaboration and cross-industry support, governments can help organisations fight back against an increasingly sophisticated threat landscape, helping to develop skills and safeguard organisations of all sizes at a time when many of them are at their most vulnerable.
