CYBER STRATEGY

Problem Statement:

Most organisations' cyber security strategies provide context on how the organisation views cyber security risk and what processes it has embedded into its business-as-usual activities to manage that risk. The strategy should include these cyber security risk factors in its management practices to inform good decision making around the business investments it makes, the risk tolerances that are agreed, the ongoing maintenance of those tolerances, and the target cyber security posture of the organisation.

No cyber security strategy can be successful without understanding the cyber threat landscape: how intrinsically linked our critical business infrastructure, our business functions and our systems of systems are to cyberspace, and the many threat campaigns underway to take away our ability to interact safely and without fear online as we go about our daily tasks. These campaigns involve persistent and sophisticated attacks intended to disrupt and derail our normal way of doing business, and they mean to do us harm.

Often the response to a major attack on an organisation is to bring in more technology. While this may be a requirement to remediate specific gaps, organisations should fall back on their holistic cyber resilience plan, which would typically cover security-by-design and security-in-depth elements. Unfortunately, many organisations become constrained by inadequacies not only in their current investment, skills and other resources, but also in their ability to invest at the scope and scale required to work their way out of their cyber hole. There are any number of vendors promising speed to market for technical solutions rather than working with an organisation to help build a robust cyber security strategy that ensures cyber security risks are incorporated into the business risk management process.

Leadership has a vital role to play in securing cyber resilience, and most leaders of organisations have identified that cyber security is certainly a challenge for them and one that is front of mind for their leadership team. With this in mind, we need to form a collective view that, as organisational leaders, we should be ensuring that our cyber security strategy does much more than secure our infrastructure and our critical business systems. Organisations need to change their mindset to make certain that cyber security strategy is at the heart and soul of every organisation, securing our businesses, our communities and our nation.

Service Description:

AUSCSEC understands what is required to build a cyber resilient capability and will work with your team to document a Target Operating Model for your cyber resilience strategy, with clear roles and responsibilities.

AUSCSEC can help you drive forward on your cyber security journey by working with you to develop and implement a risk management framework for your systems, assets, data and capabilities, building on your organisation's agreed risk appetite in accordance with your business environment.

AUSCSEC knows all too well that it is much better to be in control of a cyber security event than to be dictated to by the event. This means having the ability to detect early and enable timely discovery of cyber events by implementing Governance, Risk and Compliance (GRC) hygiene benchmarks that enable the timely recognition of anomalies and cyber events in your business-as-usual activities.

AUSCSEC can advise you on ways to contain the impact of a potential cyber security event through response planning, communicating with your stakeholders, providing evidence-based analysis, building mitigation strategies to reduce the likelihood of the event occurring, and providing business cases in support of improvement programs to help build your cyber security continuous improvement investment program and strategies that fit your business planning and financial cycles.

Benefits:

  • The benefits of a cyber security strategy include your organisation's ability to identify the context around how it views cyber security risks, the processes to manage those risks, and a collective agreement to do so. This effort demonstrates your organisation's rigour and sophistication in cyber security risk management practices and the extent to which cyber security risk management informs good business decisions and investments for your organisation.
  • AUSCSEC can help identify and prioritise opportunities for improvement.
  • Build continuous and repeatable processes that the organisation can use to progress towards its agreed target state and cyber security posture.
  • The strategy will enable clear communication among internal and external stakeholders. Your supply chains and third-party alliances should be capable of complying with the standards you accept and should know where you stand with respect to your agreed tolerance of cyber security risk. Your stakeholders should be in no doubt about the standards you accept, and all stakeholders should agree on a clear roadmap to maximise their supply chain cyber security resilience.
  • Your organisation can work towards increasing its maturity level to continue building cyber resilience capability.

Real Life Example:

Ransomware attacks are now commonplace. Recent examples, such as the Colonial Pipeline hack and JBS Foods paying $14m to ransomware attackers in early 2021, have provided evidence of the impact such an attack has had on 11,000 Australian employees across 40 sites who were on the verge of being stood down. Yet despite this, some organisations choose to take a light touch on Governance, Risk and Compliance (GRC) activities because they would need to agree to a continuous commitment to invest in assurance activities. These activities include making policy decisions, implementing repeatable processes and procedures, and managing and monitoring an organisation's regulatory, legal, risk, environmental and operational requirements. They help inform the leadership team of the cyber security risk and the priorities for remediation, and provide a well-informed and agreed cyber security posture that the organisation can manage within its operational environment.