In an era when cyber-attacks are an everyday occurrence, IT security has become one of the biggest problems for firms. However, a US researcher has argued recently that security should be seen in terms of across-the-board company efforts to confront digital information issues.
Christopher Bronk, Fellow in Information Technology Policy at the James A. Baker III Institute for Public Policy at Rice University, Houston, Texas, argues that the question that companies which fall victim to cyber-attacks should ask is not “How did it happen?”, but “Why did this happen?” As he writes in his paper entitled ‘Risk-Intelligent Governance in the Age of Cyberthreats’, understanding the way these attacks happen is important, but the first response should be to seek the reasons leading up to the breach of security. If a company is serious about securing its digital communications and general resources in the most effective way possible, it needs to develop and adopt an approach that he calls ‘cyber risk intelligence’. For organisations to become cyber risk intelligent, they must move beyond seeing cyber security as the province of the IT department and understand that it concerns all areas of the company.
Rethinking the organisation from the inside
Chris Bronk has some specific advice to offer in his paper: “We suggest three general flows of information in determining an organizational frame for cyber risk intelligence: one that encompasses the awareness of the IT enterprise and its apparent health; a second that brings internal business activities into view; and a third that encompasses broader geopolitical and economic forces.” It is by analysing the third ‘flow’ that a company will be able to understand the broader space in which it is positioned, subject to evolving market conditions, political changes, competition between companies, and so on. “Organisations need to think about how their competitors and adversaries may gain from compromising information resources or computer systems,” underlines the paper.
“Cyber security is a culture”
In some ways, cyber risk intelligence needs to embrace counter-intelligence thinking and practices, suggests Bronk. Building a more secure information ecosystem demands adoption of “good hygiene or public health in cyberspace,” says the paper. This includes “technological practices such as deployment of anti-virus software, intrusion detection systems and email spam countermeasures.” This self-analysis approach is similar to the line taken by Dave Gray, author of several books on innovation and change, who also stresses that firms need to improve their overall awareness and self-knowledge. However, one non-negligible factor recognised by Chris Bronk in his paper is the issue of scalability. “The largest corporations or government agencies can allocate far more resources than the smaller players to the cyber security problem,” acknowledges the Rice University man.