In this blog article we continue to explore the topic of cyber security or more rightly cyber safety.
Cyber security mostly refers to protection from hostile forces, which is a critical aspect of keeping what we value safe. However, it does not go far enough: cyber security must also protect against failure, breakage, or accidents. It must maintain a state of safety – the condition of being protected from harm or non-desirable outcomes – and that is what a managed cyber safety program does.
A Managed Cyber Safety Program
A managed safety program is an implementation of what is referred to as a "Safety II" approach with a focus on outcomes but may also incorporate attention to behaviors and activities as found in "Safety I".
A managed cyber safety program will answer the following questions:
What do we need to keep safe?
What are the effects of uncertainty on safety objectives?
What threatens safety?
What and how strong do defenses need to be to achieve safety objectives?
How do we maintain the performance of our defenses?
How do we continuously improve effectiveness?
Answers to these questions form the context for the implementation of a managed safety system, or Cyber SMS.
To meet the objectives of a managed cyber safety program we need a means of protection which we call "security" when it addresses hostile forces. In general terms, these are risk controls and measures.
The level of protection is, roughly speaking, equal to the safeguards or margins that buffer us from the effects of the threats should they occur. The greater the effects, the greater the margin or buffer needs to be.
We call this "irreducible uncertainty." We can't stop the threat from occurring, so we are left with creating a wall (safeguard) or at least buying insurance to address its effects.
However, there is another kind of uncertainty, "reducible uncertainty", which we can buy down by improving our knowledge, our models, and our measures to prevent threats from occurring in the first place or minimize their effects should they manifest themselves.
A managed cyber safety program will effectively address both kinds of uncertainty. It will safeguard against irreducible risk and buy down reducible risk to provide the total protection needed to keep what we value safe.
It does this through a business-like approach that uses a systematic, explicit and comprehensive process for managing safety risk. This is reinforced by a risk-based culture where risk is viewed as something to optimize rather than ignore.
Now, how is a managed cyber safety program implemented and managed?
It's important to point out that many companies will most likely already be doing many of the activities involved in managing cyber safety. Every company has a cybersecurity program; some are more effective than others.
A managed cyber safety system will help you to coordinate your efforts more efficiently and effectively to ensure the safety outcomes that you have targeted are achieved and the undesirable outcomes are avoided.
And that's a good thing. And that's what we want.
Cyber safety is not only a technical problem; it is a business problem that requires a business solution. A managed cyber safety system will therefore coordinate and manage two kinds of processes.
Technical processes - the risk measures used to contend with threats, vulnerabilities, and risk. These are the controls that prevent or recover from threats to safety.
Management processes - coordinate these controls, their performance, and their effectiveness at achieving a targeted level of safety.
Both types of processes are needed to establish effective layers of defense; a weakness in either creates an opportunity for a breach.
Many companies invest in traditional cyber security, which focuses on technology and equipment such as firewalls, VPNs, networks, software and so on. All of these are needed, but how much, how well do they need to perform, and how effective do they need to be to achieve your cyber safety objectives?
It's reported that 75% of companies do not measure the effectiveness of their compliance programs. This means that most companies do not know whether their efforts are helping to prevent a breach or increasing the certainty of one happening.
Companies that are effective at achieving their cyber safety outcomes will have the essential management processes to ensure safety is achieved consistently and improves over time to address new uncertainties and risks, such as those we are now experiencing with COVID-19.
In our next blog article we will look at a selection of the guidelines, standards, and frameworks available to help organizations realize their cyber safety goals.