{"id":1684,"date":"2019-05-08T03:57:56","date_gmt":"2019-05-08T03:57:56","guid":{"rendered":"http:\/\/kusuaks7\/?p=1289"},"modified":"2023-07-21T06:32:08","modified_gmt":"2023-07-21T06:32:08","slug":"cyber-security-in-the-when-not-if-era","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/iot\/cyber-security-in-the-when-not-if-era\/","title":{"rendered":"Cyber Security in the \u201cWhen-Not-If\u201d Era"},"content":{"rendered":"<h3 style=\"color: #aaa; font-style: italic;\">No longer just an equation between risk appetite, compliance requirements and costs<\/h3>\n<p>The \u201cWhen-Not-If\u201d\u00a0<a href=\"https:\/\/corixpartners.com\/cyber-security-governance-ethics\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"paradigm (opens in a new tab)\">paradigm<\/a>\u00a0around cyber-attacks is completely changing the rules around cyber security.<\/p>\n<p>Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it.<\/p>\n<p>This realisation fundamentally changes the\u00a0<a href=\"https:\/\/securitytransformation.com\/wp-content\/uploads\/2017\/07\/STRF-CyberSecurity-ESG-White-Paper-January2019-FINAL-10.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"dynamics (opens in a new tab)\">dynamics<\/a>\u00a0around cyber security.<\/p>\n<p>Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the hard, measurable factors. Risk (difficult to measure and quantify) was always some form of adjustment variable.<\/p>\n<p>Risk is about uncertainty. 
The \u201cWhen-Not-If\u201d paradigm brings certainty where doubt was previously allowed (or used to manipulate outcomes):<\/p>\n<ul>\n<li>Cyber-attacks WILL happen<\/li>\n<li>Sooner or later, regulators WILL step in<\/li>\n<li>They can now impose BUSINESS-THREATENING fines around the mishandling of personal data<\/li>\n<li>Media interest has never been higher around those matters: Business reputation and trust in a brand WILL be damaged by high-profile incidents<\/li>\n<\/ul>\n<p>All the risk-based constructions which have been the foundations of many cyber security management practices are weakened as a result.<\/p>\n<p>Compliance requirements remain (if anything, they are getting stronger as privacy regulators flex their muscles in Europe and the US) and costs cannot be ignored, but \u201care we spending enough?\u201d has become a much more common question across the boardroom table than \u201cwhy do we need to spend so much?\u201d<\/p>\n<p>For CISOs, protecting the firm becomes an imperative. This is no longer about doing the minimum required to put the right ticks in compliance boxes, but very often a matter of genuine transformation: It forces them to work across corporate silos, to look beyond the mere technology horizon (which is often their comfort zone), and to look beyond tactical\u00a0<a href=\"https:\/\/corixpartners.com\/first-100-days-new-ciso-firefighting\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"firefighting (opens in a new tab)\">firefighting<\/a>\u00a0(which often dominates their day-to-day).<\/p>\n<p>Knowing what to do is often the easiest part: After all, good practices in the cyber security space have been well known for over a decade, and they still provide adequate protection against many threats \u2013 as long as they are properly implemented.<\/p>\n<p>True cyber resilience can only come from real defence in depth, acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the 
enterprise \u2013 functionally and geographically.<\/p>\n<p>The \u201cWhen-Not-If\u201d paradigm will often bring the Board\u2019s attention and large resources onto cyber security, but with those will also come scrutiny and expectations: The challenge really becomes an\u00a0<a href=\"https:\/\/corixpartners.com\/cyber-security-execution-challenge\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"execution (opens in a new tab)\">execution<\/a>\u00a0and leadership challenge for the CISO.<\/p>\n<p>In large firms where a major overhaul of security practices is required, establishing a sound governance framework and operating model from the start will always be a key factor in long-term success for the CISO.<\/p>\n<p>Equally important will be the need to put people and process first, and to identify the roadblocks which might have prevented progress in the past around cyber security matters.<\/p>\n<p>Repeating the mistakes of the past would simply perpetuate the spiral of failure around security, as would an excessive or premature focus on tech solutions. There is no magical technology product which can fix in a few months what is rooted in decades of adverse prioritisation, lip service and under-investment.<\/p>\n<p>The CISO must appreciate that and place all transformation efforts in the right perspective: Change takes time and relentless drive, and there may not be quick wins.<\/p>\n<p>Managing expectations and staying the course will always be key\u00a0<a href=\"https:\/\/corixpartners.com\/4-pillars-lasting-cyber-security-transformation\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">pillars<\/a>\u00a0of any lasting cyber security transformation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many large organisations now assume that breaches are simply inevitable, due to the inherent complexity of their business models and the multiplication of attack surfaces and attack vectors which comes with it. 
This realisation fundamentally changes the&nbsp;dynamics&nbsp;around cyber security. Historically, cyber security has always been seen as an equation between risk appetite, compliance requirements and costs. Compliance and costs were always the hard, measurable factors. Risk (difficult to measure and quantify) was always some form of adjustment variable.<\/p>\n","protected":false},"author":529,"featured_media":2666,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[195],"tags":[93],"ppma_author":[3178],"class_list":["post-1684","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-iot","tag-internet-of-things"],"authors":[{"term_id":3178,"user_id":529,"is_guest":0,"slug":"jean-christophe-gaillard","display_name":"Jean-Christophe Gaillard","avatar_url":"https:\/\/www.experfy.com\/blog\/wp-content\/uploads\/2020\/04\/medium_b55e5afa-fb86-428a-a054-3be0451df2a4-150x150.jpg","user_url":"https:\/\/www.corixpartners.com","last_name":"Gaillard","first_name":"Jean-Christophe","job_title":"","description":"Jean-Christophe Gaillard\u00a0is Managing Director and Founder at Corix Partners. He is also a Non-Executive Director with\u00a0<a href=\"https:\/\/www.stratasecurity.co.uk\/\">Strata Security Solutions<\/a>, a specialized cybersecurity firm. He has been co-president of the Cyber Security group of the\u00a0<a href=\"https:\/\/www.telecom-paristech.org\/\">Telecom Paris Tech alumni association<\/a>\u00a0since May 2016. 
He is the author of \u201c<a href=\"http:\/\/www.blurb.co.uk\/b\/9015902-cyber-security-the-lost-decade-2018-edition\" target=\"_blank\" rel=\"noopener\">Cyber Security: The Lost Decade<\/a>\u00a0\u2013 A Security Governance Handbook for the CISO and the CIO\u201d. He contributes regularly to\u00a0<a href=\"http:\/\/www.thedigitaltransformationpeople.com\/authors\/jc-gaillard\">The Digital Transformation People<\/a>,\u00a0<a href=\"http:\/\/www.business2community.com\/author\/jc-gaillard\">Business 2 Community<\/a>, and\u00a0<a href=\"https:\/\/www.iotforall.com\/\">IoTforAll<\/a>\u00a0platforms, as well as the\u00a0<a href=\"https:\/\/www.thebtn.tv\/\">Business Transformation Network<\/a>. He is an expert contributor on the\u00a0<a href=\"https:\/\/ciowatercooler.co.uk\/members\/jean-christophe-gaillard\/activity\/\">CIO Water Cooler<\/a>\u00a0and has previously published articles on\u00a0<a href=\"https:\/\/www.infosecurity-magazine.com\/opinions\/bridging-gap-security-it-operations\/\">InfoSecurity<\/a>\u00a0Magazine,\u00a0<a href=\"http:\/\/www.computing.co.uk\/ctg\/opinion\/2396800\/how-to-achieve-effective-cyber-security-in-a-hyperconnected-world\">Computing<\/a>, the C-Suite.co.uk,\u00a0<a href=\"http:\/\/www.informationsecuritybuzz.com\/?s=gaillard\">Info Sec Buzz<\/a>\u00a0and the\u00a0<a href=\"http:\/\/www.director.co.uk\/blog-cyber-insurance-what-do-you-think-youre-buying-20323\/\">IoD 
Director<\/a>\u00a0websites."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/529"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1684"}],"version-history":[{"count":2,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1684\/revisions"}],"predecessor-version":[{"id":29468,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1684\/revisions\/29468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/2666"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1684"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}