Cyber resilience – an entity’s ability to continuously deliver a desired outcome despite adverse circumstances and events – is about much more than systems, software or IT departments. It’s about leadership, teamwork and the effort you put into improving your readiness.
F-Secure Principal Risk Management Consultant Marko Buuri has an extensive background in risk management, having worked with countless organizations to evaluate and improve their cyber security. Buuri currently advises F-Secure’s enterprise-level customers on their security protocols, both in terms of management consulting and software.
“The biggest problem I often see with companies of all shapes and sizes is not really to do with their technological capabilities, or even technical knowledge”, Buuri says. “Where organizations struggle the most relates to their cyber risk management culture and know-how – essentially, the softer skills needed to evaluate, avoid and deal with cyber incidents.”
You can’t buy cyber resilience – it’s not a simple collection of products and services, which you leave your IT department to manage. Effective security requires executive-level buy-in, and cross-departmental interaction and collaboration. Everybody needs to chime in with their knowledge, so that disasters like Equifax and Yahoo can be avoided.
“The evaluation of cyber risks and their expected losses needs to be done in a clear, quantifiable manner”, Buuri explains. “This is important in finding and justifying the right level of security spending. The next steps include extensive scenario-analysis and security drills: what would happen in this scenario? How about here? This is not easy, and requires expertise, but it needs to be done – it’s the only way to be ready for an incident.”
Buuri sees much to improve in most organizations’ cyber security programs, especially considering the constantly transforming threat landscape.
“It’s not enough to just have a shield – you also need a strong and well-coordinated arm to use it.”