
“The road to hell is paved with good intentions, the road to heaven is paved with good deeds.”

Wanting to implement security – having good intentions – is one thing. Doing something about it? Well, that’s an entirely different matter, especially if you don’t have the skills or experience, or sufficient justification to commit to the spend.

But. Let’s say you do. You carry through those good intentions with “good deeds”. Are you done?

Well, no. Even if you’ve bought the tools, implemented the processes, created the policies, ran the training – or ordered it all as a service from your friendly local IT provider – there’s another dimension to consider. You should be asking yourselves: how do we know the measures have been effective?

Keeping your business safe is about good intentions, and it’s about good deeds. But it’s also about making sure that what you’re doing is appropriate and working. How do you know whether you’re going too far or haven’t gone far enough? In essence, how do you control and direct your organisation’s approach to cyber security? And what methods do you use to assess, measure, and manage this?

It’s all about risk

With these types of decisions, determining what is right for your business starts with determining your risk appetite. How much risk is the organisation prepared to take to achieve its goals? Through this lens, the likelihood and potential impact of something negative determines its significance for the business and informs decision making.

Risk can be measured as financial, such as potential monetary losses, or in more nebulous, though no less important terms, such as potential damage to the company’s reputation. It may be directed to a greater degree by regulation, or it could be down to the stage your business is at, or the attitude of management, its owners, or investors. It should have a wider business context but will inform the measures you take to manage and control your cyber security posture.

Take for example a policy around Bring Your Own Device (BYOD). Allowing employees to use their own computers and mobiles to access the company’s data and applications may save on the cost of buying and maintaining the hardware. But it could introduce a whole raft of security issues as you are unlikely to be able to fully control what (or who) is on the device in question when it connects to your systems and network. You may view the initial saving BYOD offers as not worth the risk, given the likelihood and associated costs of a breach.

And it’s all about governance too

Governance provides the framework around which cyber security risks are identified, assessed, managed and mitigated. It’s the strategic oversight governing all aspects of the business’s cyber security posture, covering policies and procedures, risk management, compliance – ensuring the organisation adheres to relevant laws, regulations and standards – continuous monitoring and improvement and the whole approach to threat mitigation and response.

It’s common to use a recognised system for this, which can help organisations understand the types of risks they face, including threats to the confidentiality, integrity and availability of their most important assets. An example would be ISO27001, which specifies an Information Security Management System (ISMS) for this purpose.

How do you walk the walk in cyber security

Having a recognised security management certification with an ISMS does not, in itself, guarantee good security, however.

If you’ve recently received a cyber due diligence questionnaire from a strategic supplier or your cyber insurer, you may have seen that simply having the right accreditations or documentation in place may not be enough. Those in the business of assessing risk know that you can only be truly judged by what you do, not by what you say you do. Much as an insurer fits a black box to a young driver’s car, they are increasingly asking for evidence that policies are being followed and that controls are monitored and managed effectively, not just that you have them.

Walking the walk in cyber is all about assurance. Vulnerability management programmes, security testing and audits are all examples. To understand how effective a cyber security programme is, you must measure the effectiveness of controls and track security incidents and trends over time. You therefore need metrics and reporting.

Key Performance Indicators (KPIs)

So, what does this mean in practical terms? To measure the effectiveness of cyber controls Key Performance Indicators (KPIs) are often used. Take patching for example. You’d use a metric, like the number of laptops with up-to-date patches, and divide that by the total number of laptops in use. This provides context and shows how well you are doing against the goal. In this case you may want to see no exceptions, i.e. 100% success. If 80 out of 100 are fully patched, your KPI for endpoint patching is 80%, and there’s still work to do.

Key Risk Indicators (KRIs)

With cyber, you can sometimes see the storm clouds as they gather on the horizon. That is, provided you know where to look and what to look for.

Should you measure it, you may notice a rise in the number of phishing emails over a given period, or an increase in the amount of malicious traffic blocked on a firewall. Either of these may indicate that the likelihood of an attack is rising. The former should prompt a notice to all users to remain vigilant; the latter might indicate a need to upgrade the firewall. These are both examples of Key Risk Indicators (KRIs), which provide a window into future, potential risks. Having this information allows decisive early action, so you can raise your defences and implement further mitigations before lightning strikes.
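To make the patching KPI and the phishing KRI above concrete, here is an added example (not code from the original article) that computes both over constructed data: a 100-laptop inventory with 20 unpatched, and eight weeks of reported phishing counts. The 50% rise threshold and four-week baseline are assumptions; the same `trend_kri` function applies equally to weekly counts of blocked firewall connections.

```python
# Constructed inventory: one record per laptop; every fifth laptop is unpatched.
ENDPOINTS = [{"host": f"lt-{i:03d}", "patched": i % 5 != 0} for i in range(1, 101)]

# Constructed weekly counts of phishing emails reported by users, oldest first.
PHISHING_WEEKLY = [10, 12, 11, 12, 12, 13, 11, 24]


def patch_kpi(endpoints, target=1.0):
    """KPI: share of endpoints fully patched, measured against a target.

    Returns (value, target_met, exceptions); exceptions lists the hosts
    that still need work, which is what the KPI owner acts on.
    """
    total = len(endpoints)
    exceptions = [e["host"] for e in endpoints if not e["patched"]]
    value = (total - len(exceptions)) / total if total else 0.0
    return value, value >= target, exceptions


def trend_kri(weekly, baseline_weeks=4, rise_threshold=0.5):
    """KRI: compare the latest period with the mean of the preceding baseline.

    Fires when the latest count exceeds the baseline by more than
    rise_threshold (0.5 = 50%), i.e. the storm clouds are gathering.
    """
    if len(weekly) < baseline_weeks + 1:
        raise ValueError("not enough history for a baseline")
    baseline = sum(weekly[-baseline_weeks - 1:-1]) / baseline_weeks
    latest = weekly[-1]
    rise = (latest - baseline) / baseline if baseline else float("inf")
    return {"baseline": baseline, "latest": latest,
            "rise": rise, "alert": rise > rise_threshold}


if __name__ == "__main__":
    value, met, exceptions = patch_kpi(ENDPOINTS)
    print(f"endpoint patching KPI: {value:.0%} (target met: {met}), "
          f"{len(exceptions)} laptops outstanding")
    kri = trend_kri(PHISHING_WEEKLY)
    print(f"phishing KRI: {kri['latest']} vs baseline {kri['baseline']:.1f}, "
          f"rise {kri['rise']:.0%}, alert={kri['alert']}")
```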

Ensuring reliability in backups

Everyone knows that backups are essential. In the event of data loss, corruption, or worse still a ransomware attack, they may be an option of last resort.

But, as anyone who has tried a restore will tell you, they can’t always be relied upon. What’s more, unless they are closely managed and monitored, things may be missed or runs may fail, meaning the data’s not there when you turn to backups in your hour of need.

It’s crucial therefore to have a relatively quick and easy way of verifying that the backups have executed successfully after every run, usually once per day with additional, fuller, backups at the end of a weekly and monthly cycle.
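One quick way to verify that every expected run actually succeeded, as an added example rather than anything from the original article: parse the backup tool's job log and compare it against the daily/weekly/monthly cycle described above. The log format, the job names and the rule that weekly fulls run on Sunday and monthly fulls on the last day of the month are assumptions; the log lines are constructed and deliberately contain a missed day, a failed run and a month-end full that never ran.

```python
import calendar
import re
from datetime import date, timedelta

# Constructed log, Mon 25 Mar to Sun 31 Mar 2024: the 27th is missing, the 29th failed,
# and the month-end full never ran. Format is assumed, not a real product's.
BACKUP_LOG = """\
2024-03-25 01:02:11 job=daily status=SUCCESS bytes=41231204
2024-03-26 01:02:09 job=daily status=SUCCESS bytes=41402211
2024-03-28 01:02:15 job=daily status=SUCCESS bytes=41550190
2024-03-29 01:02:13 job=daily status=FAILED error="target unreachable"
2024-03-30 01:02:10 job=daily status=SUCCESS bytes=41704422
2024-03-31 01:02:12 job=daily status=SUCCESS bytes=41799010
2024-03-31 02:30:44 job=weekly-full status=SUCCESS bytes=912344120
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ job=(\S+) status=(\S+)")


def parse_log(text):
    """Return {(day, job): set_of_statuses} from the constructed log format."""
    runs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            day = date.fromisoformat(m.group(1))
            runs.setdefault((day, m.group(2)), set()).add(m.group(3))
    return runs


def expected_jobs(day):
    """Daily every day; weekly-full on Sunday; monthly-full on the month's last day."""
    jobs = ["daily"]
    if day.weekday() == 6:
        jobs.append("weekly-full")
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        jobs.append("monthly-full")
    return jobs


def verify_backups(text, start, end):
    """List every (day, job, reason) in [start, end] that has no SUCCESS run."""
    runs, problems = parse_log(text), []
    day, end = date.fromisoformat(start), date.fromisoformat(end)
    while day <= end:
        for job in expected_jobs(day):
            statuses = runs.get((day, job), set())
            if "SUCCESS" not in statuses:
                reason = "missing" if not statuses else "failed:" + ",".join(sorted(statuses))
                problems.append((day.isoformat(), job, reason))
        day += timedelta(days=1)
    return problems
```

Run daily against the previous day's window and alert on a non-empty result; a missing run is reported just as loudly as a failed one, which is the gap a status-only check leaves open.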

Less regularly, you will want to test restores, to ensure all the data is being captured and can be put back if required. If anything’s missing or not working as expected it would suggest a problem that needs investigating. Better to find out in a test, rather than in a live situation when you really need it.

Disaster Recovery is another area where restoration and recovery cannot be taken for granted. Systems must be tested where possible, and some regulations may mandate the frequency. It can be harder to organise this, and it may involve some inconvenience or even downtime to the business, but, as with backups, the watchwords here are testing and practice. You will learn what works, what doesn’t, who’s responsible, and whether everyone is aware of their roles. You may even spot something seemingly obvious but occasionally overlooked, such as: do we have a paper copy of the plan? If everything’s down or offline, the plan won’t be much use to you if you only have a digital copy on the company’s network.

Our approach to governance

Our approach to governance leverages the power of automation and continuous integration with your IT infrastructure through our advanced governance portal. This commitment to transparency ensures that not only are we held to the highest standards internally, but we also extend this visibility to our clients. Through the implementation of automated monitoring systems, we are immediately notified of any incidents, such as backup failures, within your system. This information is not only relayed directly to you but is also followed up with swift, decisive actions to resolve any issues, which are then meticulously documented and audited within our portal.

In addition to our proactive incident management, we place significant emphasis on real-time data analytics. By aggregating data from multiple sources, we can offer you a comprehensive view of your security posture and operational performance. This integration enables not just historical data analysis but also predictive insights, allowing for preemptive measures and strategic planning. Our analytical approach ensures that governance is not just about maintaining standards but continuously enhancing them, thus providing a dynamic, adaptive, and thoroughly modern governance framework tailored to the needs of high-performing businesses.