Risk managers are over-relying on technology and software solutions to build cyber resilience, says Stefan Dydak, head of security consulting at Adnovum AG. The consequence? They’re overlooking critical factors such as people, processes and culture

It is common in risk management circles to hear people saying that the question is not ‘if’ you’ll suffer from a cyberattack, but rather ‘when’ the breach will happen.

But even this doesn’t go far enough, says Stefan Dydak, head of security consulting at Adnovum AG.

Stefan Dydak

Instead, he told the audience at the Risk-!n conference in Zurich: “It’s not about when you get breached. You’ve already been breached, it’s just a question of whether you have detected it yet.”

Against this backdrop, he identified three key priorities that are critical to improving cyber resilience and identifying, managing, and bouncing back from attacks.

Cyber hygiene

His first choice of weapon in any firm’s armoury against hackers and cybercriminals is cyber hygiene. This sounds obvious, but Dydak says that it often falls by the wayside as companies over-rely on whizzy security software.

He shared a quote from Bruce Schneier, which sums up the problem: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology,” adding that the longer that you’re in the industry, the more clear this becomes.

He explained: “In the cybersecurity world, technology seems to be at the forefront. The cyber security vendors want to sell you great technology claiming they’ll make more secure, more compliant, etc. But I always found that there’s companies out there that invest heavily in technology, but don’t really invest in people, processes or even just basic psychology.”

Top-down support

Dydak’s second key pillar of cybersecurity is support from the board and senior management, something that he argues that no cyber resilience plan can work successfully without.

The challenge that risk management functions often face is that they are seen as a compliance tool or a cost centre – but this prevents them from building a culture of resilience and cybersecurity awareness.

To counter this and tackle cyber threats effectively, organisations need to set the right tone from the top, and this starts with the c-suite.

Dydak said: “A lot of CCOs are leaving businesses because they were essentially hired as scapegoats, perhaps by regulatory-driven companies who were just putting these people in place to be compliant on paper.

“They didn’t give them any power to engage in a proper cybersecurity program, no funding, and especially no ear from senior management, the board, and, the CEO. If you want to have a good security program, you need that top down support.”

A risk-based approach

The final element of Dydak’s guide to a successful cyber strategy is taking a risk-based approach.

To achieve this, he says companies must ensure that they are putting relevant controls in place, testing and improving them continuously, and engaging in regular risk management discussions on these topics.

He said: “Take [IT] asset management. It never gets talked about, because it’s not sexy. But this is the fundamental block of security. If you don’t know what you have in your company, and you don’t know what you have on your network, how can you possibly secure it?

“How many companies have told me they’ve grown exponentially in the past few years, bought a lot of other companies, and of course, they use other systems. Basically, they didn’t have visibility of their IT assets. From there, you can’t do proper vulnerability management, or proper hardening or even actually govern your data.”

He concluded: “But if you do all these things, I would say you are off to a very good start. It’s not about fancy technology, it’s about getting the basics right.”