London: As world political, technology and security leaders gathered at the London Conference on Cyberspace, hosted by the Foreign & Commonwealth Office, PwC today called on business and governments to take ultimate responsibility for cyber security and collaborate more closely to address the pressing cyber threat.
William Beer, a director in PwC's cyber and information security practice, said:
"The cyber security industry is in freefall. Operating securely in the cyber environment is among the most urgent issues facing business and government leaders today. But many organisations have a long way to go if they are to combat the incredible resourcefulness and ability of the attackers. The criminals are nimble and quick on their feet, and this is a fast-paced battle. Despite the growing threat, leaders continue to focus on exploiting the opportunities of cyber and are ignoring the risks.
"Cyber security is no longer only in the realm of the CISO or the head of IT, it is up to senior leaders to put this at the top of their agenda and collaborate more closely with other organisations. Public-private organisations, industry bodies and regulators all have a role to play. The message is clear — no organisation in any sector is safe."
Ed Gibson, a director in PwC's U.S. forensics practice and a former FBI Special Agent and chief cyber security advisor for Microsoft-UK, said:
"We have seen a shift in the last couple of years. Organisations are facing advanced persistent threats and attacks, the scale and nature of which are unprecedented. Hackers used to be the prime source but now we are seeing large groups of highly organised criminals and even countries, sometimes using hackers as part of their operations.
"The axiom 'information is power' has gained even deeper resonance. With so much more data to store, access and analyse, companies know that information is now a greater source of power than ever--but only if it is secure."
To help public and private sector organisations transform their mindset and their capabilities to address the growing threat, PwC's William Beer outlined six key steps that organisations can take to make themselves cyber ready.
1. Clarify roles and responsibilities
PwC says CEOs need to come to grips with the threats from the Internet--it has coined the concept of the 'cyber savvy CEO'.
2. Reassess the security function's fitness and readiness for the cyber world
Organisations already have IT security functions that may be doing a good job in protecting against traditional threats. But as new risks emerge, the focus needs to be upgrading or transforming the existing capabilities to ensure that the organisation's responses to its security needs fully encompass cyber security.
3. Achieve 360-degree situational awareness
To align their security functions and priorities as closely as possible with the realities of the cyber world, organisations need a clear understanding of the current and emerging cyber environment. This demands situational awareness, which is a prerequisite for well-informed decisions on cyber security actions and processes.
4. Create a cyber incident response team
Traditional organisational structures may have the unintended effect of hampering the quick and decisive responses needed in the cyber environment. Many organisations will already have an incident response team but the speed and unpredictability of cyber threats mean this may need to be adapted and streamlined. A well-functioning cyber incident response team means an incident spotted anywhere in the business will be tracked, risk-assessed and escalated.
5. Nurture and share skills
Any organisation needs to invest in cyber skills. However, these are in short supply. Given the restricted supply of cyber-savvy talent, it is up to employers to find new ways of inspiring those with the skills and desire to keep their businesses safe. Some organisations may even want to consider more radical approaches, such as putting younger employees on a board committee focused on cyber security.
6. Take a more active and transparent stance towards threats
The unpredictable and high-profile nature of cyber threats tends to engender a defensive mindset. But a number of cyber-savvy organisations are now getting onto the front foot by adopting a more active stance towards attackers, pursuing them more actively through legal means, and communicating more publicly about their cyber threats, incidents and responses. By taking a more active stance, the organisation can show that it takes attacks seriously and will strive to bring offenders to justice.