Adapting cyber, risk and advisory strategies to enhance organisational resilience
Organisations across the globe are facing one of the most significant business continuity challenges of our time. A global pandemic of this scale, with such wide-ranging and prolonged effects, is a scenario that all but the most mature business continuity programmes have never tested.
While the pandemic is indiscriminate among people, its impact varies sharply between business sectors. Travel and hospitality are, for the foreseeable future, likely to continue to face significant operational challenges.
This contrasts with retail organisations defined as essential, and with the many organisations providing online services that will survive, and even thrive, in these challenging times. There are also organisations adapting quickly, such as manufacturers that have identified and responded to the needs of the situation by shifting production to personal protective equipment (PPE), ventilators and other critical equipment required to fight this pandemic.
What does this change in operational activity mean for cyber security professionals?
Now more than ever, security professionals must truly understand the changes in working practices in order to support the secure delivery of operations. Regulatory and legal obligations must still be met; security risk assessments must be reviewed against the new ways of working; and policies and procedures must be updated quickly so that core operations can continue in a secure manner.
Many of us will now, and for the foreseeable future, operate in environments where our teams are physically isolated. The organisation's infrastructure and systems are being stress tested, for both capacity and security, and in some cases new technologies are being adopted and integrated at speed.
The existing security practices used to identify the mitigating controls that reduce risk to an acceptable level are facing a paradigm shift. These practices need to become more efficient, while supporting the business to resume operations securely and faster than the competition.
Security must be an enabler and not a blocker
Our current circumstances mean that consultancy services must also evolve to offer a full range of remote capabilities. At BSI we are supporting clients through the following virtual services:
- Data Privacy support
- Data Privacy Impact Assessments (DPIA)
- Virtual CISO services
- Risk Management and Information Security Implementation Support
- Remote ISO 27001 Implementations
- Remote PCI DSS Assessments
- Third Party Security Assurance for Products and Services
- Audits and Gap analysis
- IT Health Checks including virtualised internal network assessments
Organisations that are focused on implementing new working practices, in order to deliver continued, secure and efficient business operations, can use the above services to ensure that previously implemented security operations are not jeopardised. This allows the business to align its previous ways of working with the new working practices while retaining a secure profile.
The key services that we can deliver remotely, and that are of greatest benefit to organisations during this time, are described below.
Data Protection Officer as a Service (DPOaaS)
Privacy is a continuous concern for every organisation, its clients and its stakeholders, and in particular for the Data Protection Officer (DPO). The DPO is an important leadership role within an organisation's governance structure and a key stakeholder in the data protection accountability framework defined by the General Data Protection Regulation (GDPR).
Appointing a suitably qualified individual can be a challenge. An in-house DPO may not be feasible for every organisation, for example because of resourcing constraints, and in that case the DPO requirement can be outsourced: GDPR Article 37(6) expressly permits the DPO to fulfil the role on the basis of a service contract.
BSI understands how challenging it can be to align with regulatory obligations. BSI has built a privacy programme, staffed by experienced privacy professionals, to deliver DPO as a service in support of the privacy agenda. These services range from taking on full DPO responsibility under GDPR or CCPA to supporting activities such as a Data Protection Impact Assessment, conformance and maturity assessments, or assistance in the event of a data breach.
Virtual CISO (vCISO)
The Virtual CISO role embeds senior security leadership into an organisation and brings the security lens into the organisation's leadership team. BSI's experienced professionals can start work straight away once onboarded, whether the organisation is a small to medium-sized business or a large enterprise.
BSI has a broad and expert capability to supplement existing security teams or to provide leadership to organisations. We believe the approach to making a security journey successful is to work collaboratively with existing teams to ensure that security is delivered in a pragmatic way. This enables an organisation to:
- Securely and efficiently deliver on business objectives
- Meet compliance obligations
- Enable secure ways of working, without stifling innovation and rapid delivery and importantly, get the basics right, consistently.
Establishing a robust information risk management framework gives an organisation the ability to manage risks consistently across the whole organisation. BSI has implemented many risk management frameworks and conducted risk assessments across a wide range of verticals, including energy and utilities, technology, gaming, finance and government, each of which requires its own tailoring of risk criteria and risk management practices.
To be truly successful, these engagements must first establish what the business is most concerned about. We determine this through interviews and through workshops with key stakeholders, with participants ranging from senior business executives through to business operations, legal, compliance, IT and software development stakeholders. Once the broad perspectives on risk are understood, consensus can be reached on the risk criteria.
These frameworks can appear overwhelming at first; however, BSI's methodology, led by our experienced risk professionals, can help standardise, and in some cases automate, much of the common process so that the framework is easy to use.
PCI DSS Compliance
PCI DSS is a complex and granular standard that applies to all entities which store, process or transmit payment card data, as well as to organisations that can affect the security of a cardholder data environment.
To ensure an effective audit, the governing body of PCI DSS, the PCI Security Standards Council (PCI SSC), requires PCI assessments to be conducted onsite at the organisation. Current social isolation restrictions make this a problem, and one which the Council has recognised.
PCI DSS assessments must still go ahead; however, the Council has stated that they can be conducted remotely where the need is justified, and where the circumstances have been documented and agreed with the acquirer or payment brand.
Most importantly, the Council expects the level of assurance gained during a remote assessment to match what would be achieved with the assessor physically present. In practice this means that the same evidence (configurations, screenshots, log samples and interviews) is gathered, and that the assessor observes it directly over the remote session rather than relying on the assessed entity's description of it.
We have already certified many Level 1 clients using our remote audit capability during this pandemic, and have increased our global reach across the North America, APAC, Europe and MEA regions.
Third Party Security
A reliable third-party assessment provides assurance that external services are securely delivered and that data is properly managed. Businesses commonly face the following challenges when managing third-party cyber security risk:
- Lack of clarity over the security posture of the service provider
- Unclear demarcation of responsibilities between service provider and client
- Over reliance on supplier’s services and capabilities
- Remote access to in-house information and information systems
- Offsite information processing
The common thread linking all of these challenges is the tension between acquiring a service immediately and spending the time needed to evaluate the supplier's security posture.
Our mature third-party security assurance methodology allows organisations to assess the risk of each third party by considering the criticality of the service provided, the level of access required, the type of information processed and the service provider's security posture. A retrospective review of the supplier's cyber incidents and security posture is included, along with ongoing monitoring of the supplier's security reputation.
Audit and Gap Analysis
In addition to PCI DSS, our auditors and security consultants continue to conduct security assessments that help organisations understand their current security profile. Whether an audit or a gap analysis is appropriate depends on the depth of analysis required and on whether alignment with a specific information security standard is being sought. Our approach to audit and gap analysis is based on assessing whether each control meets the intent of the security framework and delivers value efficiently. Our consultants achieve this through:
- Strategic Governance Review
- Configuration Review
- Process Review
- Documentation and Evidence Review
Our cybersecurity audit services give an organisation assurance that corporate governance, IT risk management and internal IT controls are operating effectively. We support organisations with the following security frameworks and standards:
- ISO 27001/2
- ISO 22301
- NIST CSF
- Cloud Security Assessments in AWS, Azure and M365
While organisations adapt to the new normal, BSI's Consulting Services have been adapting to meet their needs. We have extended our traditional consulting capabilities to allow fully remote delivery of our Cyber, Risk and Advisory Services, using secure communication solutions, including web conferencing tools, to deliver our proven cybersecurity methodologies to our clients.
For more details on BSI’s Virtual Consulting Services visit bsigroup.com/cyber-ie
Stephen O’Boyle is global practice director for Cyber, Risk and Advisory at BSI