Too many cyber security programs/initiatives fail because they are rolled out in a linear IT fashion: ticking compliance boxes, buying new software thingies, making staff endure the mandated annual two-hour training session, conducting the annual pen test (scope reduced to guarantee a good result), monitoring the perimeter – the list goes on.
But as Lindy Cameron of NCSC pointed out last week, cyber is not a problem exclusively owned by the IT department; it is the business's problem, and everyone must be part of the solution.
With the rush to embrace all things internet, organisations have transformed the way their business operates. Yes, we have reduced the cost base and made information more accessible, but by not baking in security principles we have also made it more accessible to the wrong people, and that now poses a big problem.
So how do we fix it, and what lessons are there to tell us how we need to tackle the cyber issue?