Organisational attitude is incredibly important for cyber security resilience. An organisation’s attitude is reflected in its planning and policy development.
Cyber security may be seen as a priority in your organisation, but how mature are your policies, strategies and plans?
How often do you update those policies, strategies and plans, and how well do they align with your technical controls and the working environment?
Your organisation’s resilience relies on these factors.
Aligning attitude and reality
The latest ACSC Cyber Security Survey found organisations with a resilient attitude (in terms of plans and policies) were more likely to be technically strong.
However, gaps were evident where organisational attitudes or exposure to risk were out of step with the technical controls in place. For example, many organisations had embraced work practices that offered greater flexibility, such as using personal devices at work or working remotely from home, yet few organisations had systems in place to manage the risk exposure.
It is vital that your policies and plans reflect the working environment of your organisation and address relevant risks. This often means reviewing plans and policies regularly as the business changes.
Review and test plans regularly
A plan might look good on paper but it needs to be tested regularly to ensure it is effective.
This is especially relevant for incident response planning. In the survey, fewer than half of the organisations who reported they had incident response plans in place said they regularly reviewed and exercised them.
The speed of new technology, risk evolution and business change makes testing a significant challenge, but it is also critical to resilience.
Make sure your incident response plan includes a review schedule that considers the frequency of changes to your organisation or to the threat environment.
Integration with business planning
Another indicator of attitude and resilience is how well cyber security is integrated into business planning and new project development.
Cyber security is not a stand-alone issue—it affects the entire organisation, and business strategies need to reflect this. Good security is designed in the beginning of a project to facilitate and enable success. It should never be an afterthought.
The more cyber security is integrated into planning, the more staff will recognise its importance and relevance to their work. This will greatly contribute to a cyber-secure organisational culture.
Your organisation’s attitude is a critical factor in how well cyber security is managed in your business. And it’s something that can always be improved!
Read more about developing and testing incident response plans.