Interesting article from the team at Osborne Clarke focusing on mitigating cyber risk during digital transformation projects.
The first and most important point raised, which I totally agree with, is that cyber does not mean IT - it is much broader and deeper than that. Although attacks may manifest themselves through IT systems, how organisations mitigate the risk and respond if there is an incident involves many more facets than just IT.
Secondly, cyber does not lend itself to a "one size fits all" solution. Every organisation needs to understand its own risk exposure, how it mitigates that risk, how it manages the residual risk (whether by transferring it through insurance or by increasing controls), and which gaps remain unacceptable.
Organisations should also ensure that they regularly seek independent advice on their cyber security measures to avoid complacency and to bring fresh eyes to the situation. It is important, again, that this advice is focused on more than just the technical aspects, and also incorporates human, organisational and procedural elements. IT alone will not solve the problem!
Finally, organisations should ensure that they test any response plans they have - they do not want to be running them for the first time during a live incident.
These points, which are discussed in the article, are not exhaustive but one thing is for sure: cyber cannot be an afterthought - it must be considered from the start of any digital transformation project.
Cyber security is no longer just an issue for the IT team; everyone, including Legal, Communications and HR, must be part of the discussion. So when it comes to designing cyber security strategies, whilst they must be multi-faceted and tailored to the business in question, the need for company-wide involvement in setting and implementing the strategy is the common thread.