Keeping up with cyber security changes in operations

Thomas Kohlenbach | 03/18/2024

The ability to change is an essential survival trait in nature and in business, but reacting is not enough. Few significant shifts in an industry happen overnight, so organizations must be proactive: pursue the opportunities and prepare for the emerging changes in practice before they become urgent.

Think about the last time you bought physical music media: unless you are a vinyl enthusiast, it has probably been years, maybe decades. Streaming services like Spotify have all but replaced the act of buying music at all, and before that, the MP3 sounded the death knell for the CD. It did not happen overnight, though. Digital music came to the fore with Napster at the turn of the millennium, yet it was the mid-2010s before digital revenue finally overtook physical sales worldwide. That is a long runway for an industry to effect change on, and even so, some store chains and producers still found themselves with an overabundance of physical media in a newly digital world. Businesses need to recognize the changing circumstances around them and respond in a timely fashion, or pay for it with their bottom line.

Changing cyber security requirements

Recently, a number of new or revised regulations have emerged that signal a significant shift in expectations and practice around managing risk in key industries. One of the most important areas affected is the management of digital systems, with explicit requirements for preventing, responding to and reporting cyber security incidents.

The NIS2 directive in the EU covers 18 sectors, divided into sectors of high criticality and other critical sectors, and obliges the organizations that fall under it to safeguard the vital operations they provide. The requirements call for a minimum of cyber hygiene practices and cyber security training, the use of cryptography and encryption, and multi-factor or continuous authentication, alongside comprehensive risk analysis, incident handling, business continuity and supply-chain security measures. Incident reporting runs on a fixed clock: an early warning to the national authority within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours. Member states must transpose the directive into national law by 17 October 2024, so that is the effective deadline for in-scope businesses, although the precise obligations and penalties are set by each country's implementing legislation.

Similarly, in the UK, Cyber Essentials has been required since October 2014 for suppliers bidding on central government contracts that involve handling personal or sensitive information or providing certain ICT products and services. The certification covers five technical controls – firewalls, secure configuration, user access control, malware protection and security update management – and must be renewed annually; it is seen by many as a precursor to the more rigorous ISO/IEC 27001. Published jointly by the International Organization for Standardization and the International Electrotechnical Commission, ISO/IEC 27001 has become the benchmark for information security management, and the 2022 revision of the standard groups its Annex A controls into four themes – organizational, people, physical and technological – encompassing 93 controls. Organizations can align with the standard informally, but demonstrating compliance to customers or regulators means certification by an accredited body. While not mandated in the same manner as Cyber Essentials, there is a growing expectation that any business with a digital footprint will take measures in line with these practices so that its enterprise is robust and its digital risks are managed.

In the Southern Hemisphere, there is an equal emphasis on managing the risks of gathering and using digital information. CPS 230 Operational Risk Management is a prudential standard issued by the Australian Prudential Regulation Authority (APRA). It takes effect on 1 July 2025 and replaces the existing outsourcing and business continuity standards (CPS 231 and CPS 232). No APRA-regulated entity, whether a bank or other deposit-taking institution, an insurer or a superannuation fund, can avoid complying with it. Australia is a major business hub in the region, so this has far-reaching consequences.

CPS 230 dovetails with the existing CPS 234 Information Security standard, in force since July 2019, to tighten the requirements for managing risk in information systems and to ensure that regulated businesses have adequate provisions for continuity of their critical operations should a disruption occur, including defined tolerance levels for how long such a disruption may last. The goal is to improve the operational and digital resilience of financial institutions in the region by ensuring that robust cyber security frameworks are in place and effective risk management strategies are deployed, and by extending those obligations to the material service providers and other third parties the institutions rely upon.

These changing requirements have not appeared out of thin air, and the simple fact is that they cannot be ignored. Once they are in effect, organizations that have not prepared could, like the stores still trying to sell CDs, realize too late that the requirements around their business have changed. It seems unlikely that anyone in an affected industry is unaware of these significant shifts in operational compliance, but how does a company go from awareness to action?

Awareness to action

Most enterprise-level companies have legal and compliance departments, teams or officers whose business it is to stay current on changes in the industry and related legislation. NIS2 and ISO/IEC 27001 are well and truly on their radar. However, their insights must be captured and actioned at an operational level in a timely fashion if they are to benefit the organization. It is of no value for the legal team to report on the requirements of a recent legislative change one week before the auditors arrive. They were almost certainly aware of the changes from the moment these began to be discussed, but without an effective framework for assessing the impact and applying changes, that knowledge has little value.

An effective way to turn forewarning into functional change is a versatile and engaged risk management system. Whether the changes on the horizon are technological, like the introduction of a new music format, or legislative, like the implementation of a new standard of practice, the key is a structure that lets those who recognize the warning signs identify and assess the likely impact.

Those best informed about the shifting landscape need to be able to document the likely changes and put those impacts in front of the managers and executives who can make business decisions on them. By democratizing risk management in this way, subject matter experts can raise areas of concern to be weighed and addressed long before they become a crisis.

The best approach is to let that assessment flow into your operational processes. Real change happens when risk mitigation and management are tied directly to the procedures and practices of the business. With a process management system integrated with your risk management portal, the organization can begin changing procedures as soon as a risk is identified, and each change can be traced back to the requirement that prompted it, which is exactly the evidence an auditor will ask to see. Rather than waiting until obsolescence or non-compliance becomes critical, you can evolve your business procedures and processes and focus on meeting customer needs rather than patching poor practices.

The business world continues to evolve in response to the changing environment we work in. The meteoric rise of digital technologies, and the risks that come with them, is not slowing down, and government and industry oversight bodies are moving just as quickly to mandate better protocols for managing those risks. The key to remaining agile in something as essential as cyber security is staying alert to the changes on the horizon. Risk management needs to be forward-looking and open to those who can see how the industry is likely to change. By inviting them into the practice of managing risk, and letting that improve your processes, you are far less likely to find yourself on the wrong side of a compliance standard, like a store with a stack of CDs in a Spotify world.
