It is important to manage IT security the same as you do all other operational risk. This means putting cyber security on the leadership agenda. A common challenge is easier to deal with, and reduce the threat of, than a disaster.
IT-security is like other management challenges: it must be prioritized, and decision must be made with the best information available. Obtaining an overview of systems, data, and employees, how critical they are to income and reputation and establishing routines to minimize risk is as important with security as all other areas.
The digitalization processes that are underway have several advantages. First and foremost, it is a golden opportunity to correct weaknesses and use security from scratch. This is cheaper than trying to add security later on. By doing it this way, routines for establishing and following up IT-security will become an operational task.
This is about securing the data against destruction, the systems against being taken down and giving the employees the best competence.
IT threats are dynamic, not static
You are blindfolding yourself if you believe that there has been no attack or security breach with the current IT system. The danger here lies in thinking that an update is not necessary. IT threats are dynamic, not static. The probability is very high that a dynamic attack will succeed against a statically designed and old-fashioned system. As static systems often lack modern surveillance and traffic control – and thus cannot say anything about whether an attack has taken place, whether it succeeded, when it happened or if it is still ongoing.
Management responsibility lies at the top of the business. It is the top manager and the board who are responsible for ensuring that the risks in the IT systems are known and that routines for dealing with the risks are established.
At Pedab, we have a large team of experts who work with business risk every day. We see that there is a lack of focus on addressing the potential for cyber threats in our daily dealings with others. There must be an increase in competence in areas such as cyber threats, cyber risk, and business risk.