What is the biggest problem with Cyber Security right now?

David Burkett - Working Mouse

ISO Standards

So, what is the Standard? Well, it's high. ISO 27001 Information Security Management is commonly accepted as the industry standard. We are undertaking this process ourselves, which takes several years and costs a significant upfront investment in audits.

Pete explained that he had also started the process for CyberMetrix. But after 18 months with little progress and not much to show for it, he canned the project.

Third-Party Cyber Risk Management

Next on the list is a TPCRM (Third-Party Cyber Risk Management). TPCRM equates to a ticket to trade with the organisation and can make it VERY hard for an SME to supply to an enterprise.

I'm not sure if you've ever received a government cyber audit during the tender process… The audits usually equate to a spreadsheet with thousands of tables, of which you have to confirm compliance and, if not, explain why.

Even as an I.T. company, I've seen the pain in our CTO's face trying to answer these. Let alone anyone who isn't running a tech business.

So, also high.

ASD Top 8

The next op­tion is to look at gov­ern­ment ad­vice.The Australian Federal Government fo­cuses on the ASD Top 8, and this model has dif­fer­ent ma­tu­rity lev­els but does­n’t ad­dress Cyber as a whole-of-busi­ness risk.The last op­tion Pete sug­gests is chang­ing the way the SMEs look at Cyber. Traditionally the en­try point was I.T., and there­fore, this was a func­tion of an I.T. man­aged ser­vice provider. Pete Suggests this is the wrong ap­proach as the prob­lem comes down to peo­ple and gov­er­nance.

People & Governance

There are a few es­sen­tial things that every busi­ness can do.Good gov­er­nance can save the com­pany by hav­ing an in­ci­dent re­sponse plan and train­ing peo­ple on good cy­ber hy­giene.Regarding the mod­els above, Pete rec­om­mends a sim­pli­fied down­stream TPCRM ap­proach for en­ter­prises, fo­cus­ing on the long tail of sup­pli­ers in 2 steps:

1 - Categorise

This is about dis­cov­er­ing the level of cer­ti­fi­ca­tion you re­quire your sup­pli­ers to re­tain us­ing a cat­e­gori­sa­tion ma­trix.

2 - Certify

Follow the Cyber Security Certification Australia (CSCAU) process for SME suppliers to meet your defined level.

To achieve a strong supply chain, the process needs to lead from the top down.

If enterprise customers request this from their vendors, and from their vendor's vendors, in an easy and fair manner, this will improve the maturity of most SMEs.

In short, it comes down to asking yourself one crucial question: how are you validating your vendor's cyber resilience and those that support them?

For further information please visit website: www.workingmouse.com.au | ph: (07) 3606 0230 | e: info@workingmouse.com.au
