
Guest blog by Matthew Mackay CISA CISM CITP MBCS ChCSP MCIIS, Security Practice Lead at Logiq
Article written for and first published by techUK
It’s time we stop thinking in terms of ‘information security’ and start thinking in terms of ‘cyber security’; not just as a linguistic shift, but a fundamental shift in the way we view cyber security as a business enabler.
Traditional information security has been rooted in protecting information, and every security practitioner is familiar with the CIA Triad (Confidentiality, Integrity, Availability). What has perhaps been missed is consideration of the second- and third-order effects on the organisation that follow from a compromise of confidentiality, integrity or availability.
Recent high-profile cyber incidents have demonstrated not just the impact of the compromise of sensitive information, but also the significant operational disruption that has been caused.
Perhaps this shows that the lens through which we viewed security was too narrowly focussed, representing only a subset of what we needed to be concerned by. Cyber security should no longer be purely about protecting information, although this remains an important consideration.
The shift must occur where cyber security is enabling the business to achieve its core objectives in a secure manner. This must extend beyond just the technology, considering people and processes, taking a socio-technical approach to cyber security.
One very useful tool to enable this alignment is the NCSC Unacceptable Losses approach, which starts by understanding the core mission of the organisation, then the unacceptable losses that would prevent this mission from being achieved, and finally the hazards and constraints which may cause those unacceptable losses to be realised.
This approach keeps the mission, or the business objectives, at the heart of the cyber security programme and ensures that the programme supports the organisation in achieving its outcomes in a manner which reduces the likelihood of the unacceptable losses being realised.
The paradigm shift we need to make is to stop asking ourselves ‘How do we protect our information?’ and start asking ‘How do we secure the business, so it can move faster, safer, and with confidence?’
This is the purpose of cyber security: it starts by asking what the business needs to achieve and makes security part of the solution.
Author Bio:
Matthew Mackay is the Security Practice Lead at Logiq. He has been working in cyber security for over ten years with experience in both the Public and Private sectors, including the Ministry of Defence’s Cyber Vulnerability Investigation Programme and Secure by Design initiatives.
About Logiq:
Logiq is an NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.