David Kelleher

Jul 03, 2023

Security posture. What. Why. How.

In December 2022, the European Union approved the final text of a new legislative framework called the Digital Operational Resilience Act or DORA for short.

Covering the financial services industry, DORA comes into force in January 2025 and imposes stringent requirements in relation to ICT and risk management.

While DORA is specific to one industry, the framework can be applied to any industry and business. After all, every business should do its utmost to be resilient when faced with challenging and unexpected events such as a data breach or a ransomware attack.

What do we mean by ‘resilient’ and how do you build a resilient business?

Resilience building refers to the process of developing the ability to withstand and recover from various challenges, disruptions, and uncertainties. It involves creating a strong and adaptable organisational structure that can effectively respond to and bounce back from unexpected events or crises.

Simply put, it means doing everything possible to get back on your feet when you’re down for the count.

However, to build resilience you need to know what you’re up against, what the risks are (internal and external) and what gaps exist in those defences.

With the increasing reliance on technology and digital platforms, businesses are more vulnerable to cybersecurity threats than ever before. A cyberattack can have a devastating impact on a business's growth and success.

The first step in resilience building is to assess the business’s security posture.

What is a security posture?

A business's security posture is the overall state of its cybersecurity readiness and resilience. It reflects how well the business can identify and protect its assets, data, and operations from cyber threats, as well as how quickly and effectively it can detect, respond to, and recover from cyber incidents.

A business's security posture is not static, but dynamic and evolving. It changes as the business grows, expands, innovates, and adapts to new challenges and opportunities. It also changes as the cyber threat landscape evolves, with new types of attacks, vulnerabilities, and actors emerging constantly.

Do you want to learn more about the security of your business? Contact us and one of our experts will reach out and guide you accordingly

Why do you need it?

When you assess your business’s security posture you are identifying its strengths and weaknesses in cybersecurity, as well as gaps and opportunities for improvement. Cybersecurity alone will not build your business’s resilience, but its importance cannot be overstated given that most threats come from cyberattacks.

A security posture assessment is an opportunity to measure the business’s performance against its goals and objectives, as well as against industry standards and best practices. It can guide the business on which actions and investments it needs to prioritise to enhance its security posture and reduce exposure to cyber risks.

It is also a strategic issue. Your security posture impacts the business’s reputation, trustworthiness, competitiveness, profitability, and sustainability. It also affects its stakeholders, such as customers, partners, suppliers, regulators, investors, and employees. Therefore, a business's security posture is not only needed but must be aligned with the business’s vision, mission, values, and culture.

A business's security posture is not a one-time project, but an ongoing process. It is a necessity. It is an obligation. It is not a burden. It is a benefit.

How do you assess a security posture?

The starting point is to carry out a security discovery risk assessment. This assessment is typically based on one of several security frameworks, such as the NIST Cybersecurity Framework (CSF) or the CIS Controls. BMIT’s Cybersecurity Discovery Tool is based on the 18 controls of the CIS Controls v8 framework.

With over 200 checks, the cybersecurity discovery tool looks at 18 areas that cover cybersecurity from asset and inventory management to backup and disaster recovery strategies.

Any security posture assessment is influenced by many factors, such as the type and complexity of your IT infrastructure and network; the volume of data and how critical or sensitive it is; whether the business is required to comply with legislative frameworks; and budgets. The assessment should be seen as an investment rather than a cost, though at the end of the day it is a cost of doing business.

The assessment is also influenced by the business’s growth. A high-growth business with a high-risk profile will need regular assessments to ensure that its security posture is maintained.

What then?

The security assessment is step one in a long journey towards building resilience. The report that is generated from the assessment offers detailed recommendations and insights that will need to be addressed using different tools, systems, processes and frameworks.

A company should address IT Security governance, including the policies that govern the technology. It is useless, for example, to implement a tool to capture unauthorised assets when you do not have a governing process to review any findings. Here are more points to consider:

  • Achieving a strong security posture will take time, investment and proper planning.
  • Every approach will be tailored to that business’s needs, but a comprehensive approach could involve:
      • Developing a security strategy and roadmap that aligns with the business goals and objectives
      • Implementing security best practices and standards, such as encryption, authentication, backup, firewall, antivirus, etc.
      • Educating and training the employees and stakeholders on security awareness and policies
      • Monitoring and testing the security systems and processes regularly and updating them as needed
      • Responding to incidents quickly and effectively and learning from them

A business's security posture is not a static or one-time thing. It requires continuous improvement and adaptation to the changing threat landscape and business environment. By investing in your security posture, a business can enhance its competitive advantage and customer trust.

How can BMIT Technologies help?

Contact us and one of our experts will reach out and guide you accordingly.
