When the board approaches you for guidance on how changing legal requirements could impact the organisation, how prepared are you?
As cyber professionals, it seems the goal posts are constantly moving, be it a new legal requirement, ever-expanding information sets, contractual relationships, adoption of cloud services, and of course the ever-evolving threat. It’s very clear talking with our Global Threat Intelligence Centre that our adversaries are innovating and outpacing organisations response, so we have to get smarter in our approach.
In my last article, in Issue 2, I wrote largely of that evolving threat landscape, challenges in keeping up with the bad guys, and how to identify the good as well as the bad, to close the gap. Given the changes to breach notification that is particularly pertinent, however, first I’ll take a few steps back and look at what we do and why.
The Why, What’s and How’s
At a high-level three things direct a business, management of opportunity and risk, strategy, and the stuff we have to do [aka compliance]. These three things dictate the people, process and tools being used by an organisation, the information and resources required to achieve an outcome, and hopefully, how we measure and report to make sure it’s all working properly. Sounds easy, right? So, why point it out?
Whilst we should ideally understand the above, we don’t always know our personnel, their relationships outside of work, or even in work, what they do day to day, or indeed what tools they use. How many of you have done an assessment of business process, application, contracts and services, not to mention information flow?
Most organisations know the big stuff, so that big database with all their customer details in, but have you considered telematics, industry data, that random IoT device or any number of other things?
The Who – Not the band (for those of us old enough to remember)
As a cyber professional, one of our main objectives is to confirm the right people are accessing and using the right information, that it’s available when they need it and is accurate. If that’s our objective, then conversely, we also need to be able to identify when it’s the wrong people, wrong or inaccurate information. That’s done by identifying the threat actor, through threat intelligence…Click here to read full article.
