MyRISK® was proud to sponsor the Avocado Consulting event “Cyber Security: from pain to pane – smashing through Minimum Viable Posture” held on 8 November 2022. Our founder, David Vohradsky, also participated in the panel discussion.
Today, organisations operate within a complex cyber environment, with multi-faceted forces impacting business and technology strategy, implementation and resilience. This includes increasing global threats, fast-changing regulations, security knowledge and talent constraints, and the need for whole-of-organisation involvement. The result? Security resilience and challenges that are overwhelming. While cyber resilience is a top priority for boards, CXOs, and risk, compliance and IT professionals, these teams are left with unmet gaps in their security approach; they require solutions that are fit for purpose across the entire cyber-attack chain.
David spoke on the V’s: visibility, vigilance and value, which work together to build trust and resilience. David said, “We must have visibility and cut through overload of information and the right controls. We must be vigilant in approaches and ensure duty of care. We must make sure we add or demonstrate value to build resilience and trust and secure funding”.
Visibility – We are dealing with an extraordinarily complex environment. Alongside the cyber threats themselves, there is internal complexity in the controls and tools used to manage the environment. Organisations that aspire to be digital leaders need to be agile and fast moving to compete, but they must protect the crown jewels and monitor critical systems.
Vigilance – The evidence shows that those organisations that maintain vigilance over cyber security have a definite linkage to trust. The most successful class actions overseas have been against those that had repeat failures of vigilance and demonstrated they couldn’t be trusted. The challenge with vigilance is implementing a cyber-specific risk management process and addressing a huge backlog of assurance work. In many cases that assurance work is for a compliance requirement like SOCI, APRA or State Government initiatives. There is also the problem of being seen as a roadblock, not a business enabler, when trying to do the right thing.
Value – While we have talked about the most obvious decisions for cyber, visibility and vigilance, what makes value so critical to a cyber security program? At the end of the day, everything we have discussed today still needs to get funded or approved via senior management or board level. The one thing we are going to get asked as a CISO is ROI. While recent events have brought cyber to the forefront of the Board’s agenda, it can play two ways. One is that there is often a gap in Board-level understanding and how value is articulated. The other is the overwhelming decision to know where to spend when budgets are limited and resources are constrained.
So how do you go about demonstrating value from your cyber security programs?
MyRISK® can help.