Robert Stroud, Vice President at CA Technologies.
Just five years ago, cybercrime represented only 1% of all economic crime (source: PricewaterhouseCoopers, Global State of Information Security Survey, 2011). By 2011, that number had jumped to 23%, and we can expect those numbers to keep climbing.
The numbers aren’t the only thing increasing – so too are the complexity and persistence of these crimes. According to an ISACA survey of more than 1,000 security professionals, more than 9 in 10 respondents believe advanced persistent threats (APTs) represent a credible threat to national security or economic stability. Among the enterprises that have experienced an APT attack, one in three were unable to determine the source (source: ISACA, Advanced Persistent Threat Awareness Study Results, 2014, publishing in April).
There is no question that cybercriminals are more sophisticated than ever before. Enterprises today not only have to defend their assets – they must hunt. Detection and response, rather than prevention, are becoming the focus. But with a growing skills gap, still-lean budgets and constantly evolving threats, where can enterprises start?
Eight principles
In its Transforming Cybersecurity Using COBIT 5, global association ISACA recommends starting with these eight principles:
- Know the potential impact of cybercrime and warfare. Make sure you are aware of the potential damage a cyber attack can cause and the wide-ranging impact it may have. The organization must decide the risk level it can tolerate in order to ensure the appropriate level of cybersecurity governance.
- Understand end users, their cultural values and their behavior patterns. As the ISACA guide notes, “Business impact and business risk relating to cybersecurity arrangements are strongly influenced by organizational and individual culture.” The culture – and the resulting end-user behavior and patterns – should be accounted for in the enterprise’s strategic, tactical and operational security measures.
- Clearly state the business case for cybersecurity and the risk appetite of the enterprise. The business case outlining expected value and tolerable risk will drive the overall cybersecurity strategy. As a result, the business case must have depth and definition. Among its contents, it must include cost-benefit considerations and the organization’s culture and values pertaining to cybersecurity.
- Establish cybersecurity governance. There is no need to reinvent the wheel here. Adopting and customizing a governance framework such as COBIT will give you the tried, tested and proven governance guidance you need. By effectively governing cybersecurity, an organization provides a clear sense of direction and boundaries.
- Manage cybersecurity using principles and enablers. The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.
- Know the cybersecurity assurance universe and objectives. Cybersecurity covers multiple areas and aspects within information security. To provide adequate assurance over cybersecurity, the cybersecurity universe must be well defined, and the assurance objectives must be clear and manageable.
- Provide reasonable assurance over cybersecurity. This principle requires all three lines of defense within an enterprise to be defined and managed. This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.
- Establish and evolve systemic cybersecurity. Cyber attacks target the weakest link in the system. As a result, cybersecurity must be looked at as a system of interdependent elements and the links between them. To optimize cybersecurity, the enterprise must have complete understanding of this dynamic system and must be fully aware that security governance, management and assurance cannot be viewed in isolation.
Using COBIT
While no company can be 100% secure, regardless of the controls and security measures it has in place, companies that use good practices such as COBIT are off to a good start. COBIT treats cybersecurity systemically. It helps ensure that an organization has end-to-end policies and processes in place, which helps it recover more quickly and effectively after a breach.
Using COBIT 5, enterprises approach cybersecurity as a business process that is aligned with the enterprise’s governance, risk management and compliance arrangements. They divide it into four phases: prepare, investigate, remediate/respond and transform. The “transform” phase is especially key, as it ensures that the post-incident analysis leads to key insights and improvements that are put into practice. By using COBIT 5 to transform cybersecurity in your enterprise, you can help ensure that cybersecurity is transformed systemically.
Consider this sobering statistic from the ISACA APT survey: one in five enterprises have experienced an APT attack. That number is only going to grow. Take advantage of the excellent guidance out there and make sure your enterprise is following these eight principles, so that you are ready to prepare for, detect and respond to a cybersecurity attack.