MIDDLE EAST RISK WATCH – ISSUE 1 – APRIL 2015

How to protect, not perplex: Three questions to ask about your cyber security resilience


By James Solyom, Head of Cyber Protect and Respond and James Lewry, Head of Consulting, Control Risks Middle East.

Organisations in the Middle East spend millions of dollars every year on information security and in return for this, senior executives are presented with a variety of perplexing technical solutions. These ‘solutions’ range from antivirus to intrusion detection systems, various metrics and dashboards, regular penetration and vulnerability testing, and a series of accreditations such as ISO27001. After committing this expenditure and receiving a tsunami of data in return, many senior executives think, or hope, that their organisation is protected from the much publicised threat of a cyber-attack. But is this enough?

Ask the senior executives of any company that has publicly suffered a cyber breach in the last few years – be it Apple,  eBay or JPMorgan – and you will likely find a common theme: they’ve all made consistently high investment in IT security, performed regular testing and have a list of accreditations. So if these are not enough to protect you, then what is?

There are three questions that you, as a senior executive, should ensure your cyber resilient organisation can answer.

  1. What is the actual cyber threat we face? Park the scare stories! It is surprising how many organisations commit millions of dollars to cyber security protection without first understanding the specific threat they face – namely who would be targeting what within the business, why would they do it and how. Critical to this effort is ensuring your intelligence is regularly updated (because of the rapidly changing threat) and that it is detailed and specific to your organisation (so that you can make decisions based on this information).
  2. Faced with this threat, what are our priorities? Information security is a universal challenge that requires effort from across an organisation, not just from the IT department. Just like any other area of enterprise risk, senior executives need to be able to take informed decisions on the information security priorities for the organisation as a whole, to ensure that investment is proportionate and focussed in areas with the biggest gaps relative to the threat. To enable this decision-making, it is necessary to have a complete overview of your information security – over and above a set of reports from the IT department.
  3. How well protected are our ‘crown jewels’? This is the most important question. Many organisations fail to recognise that their most critical assets will face an elevated threat relative to the rest of the organisation and, therefore, require special protective measures. This means making trade-offs to protect these assets (through increased investment, reduced functionality or restricted availability) that would not make sense at an organisation-wide level. Failing to identify and then protect your critical assets risks a targeted cyber-attack having a significant impact on your organisation.
Cyber security is often synonymous with complexity and confusion, where large amounts of investment may seem to create paperwork rather than real protection. Through asking just three questions, senior executives can gain a clearer understanding of where their organisation stands and ensure they are spending money on the right defence for the specific threat they face.