Traditional approaches to information security typically focus on an organization's ability to prevent and detect cyber-attacks on its information and assets. But the widely held belief that cybersecurity can be achieved through a series of largely technical controls is now outdated. The nature and frequency of cyber-attacks have evolved to the point where a successful attack is inevitable.
The new emphasis on cyber-resilience reflects this evolution by focusing efforts on how organizations can resist, respond to and recover from a cyber-attack effectively. But will certification in cyber-resilience really make an impact on an organization?
Why is a Certification in Cyber-Resilience Necessary?
Poor cyber-resilience is now a critical risk at board and senior management level, as well as for security, IT and risk teams. The C-suite is aware of the security skills shortage and is looking for competent, expert practitioners who understand threats, vulnerabilities and risks and are able to talk about the business impacts.
Traditional cybersecurity accreditations have focused on identifying and preventing attacks. In contrast, AXELOS recently launched RESILIA, a portfolio of publications, training and awareness tools aimed at building cyber-resilience from the boardroom down. It is underpinned by the Cyber Resilience Best Practice guide and comprises Foundation and Practitioner certifications, organization-wide awareness learning, and a cyber-resilience pathway tool that assesses and proposes appropriate improvement action plans.
RESILIA certifies people to build cyber-resilience through exams that test knowledge and develop cyber-resilience business skills and a common language, with the potential to facilitate behavioral change within organizations.
Accreditation has two tiers: Foundation and Practitioner. Foundation is an ideal level for roles within departments such as HR, commercial, finance, procurement and training, as well as security, technology and IT service management, all of which have a part to play in ensuring resilience. The Practitioner tier builds on the Foundation level and is targeted more at specialist security roles.
RESILIA-certified training focuses on providing an effective balance between people, process and technology and helps build effective collaboration between security, technology and IT service management. It has been designed to complement existing technical security training courses.
Both individuals and organizations will benefit from undertaking RESILIA training and certification. Individuals gain from being able to demonstrate subject matter expertise through certification, differentiating themselves within the fast-growing area of information security and resilience, where skills are at a premium. Stakeholders will also benefit from the greater collaboration with colleagues across different functional silos as effective cyber-resilience management systems become embedded across the organization.
Organizations can expect benefits to include: greater organizational competence in handling cyber-resilience thanks to well-trained specialists; protection against threats by ensuring well-supported controls; and integrated and efficient critical processes, such as incident management, that cover cyber-risks.
A Common Understanding for Limiting Risks
Training a handful of people in cyber-resilience will do little to safeguard organizations from cyber-threats. Increasingly, threats target the greatest vulnerability within any organization – its people. A recent IBM study highlighted that 95% of cyber-attacks succeed because of the unwitting actions of a member of staff.
People must sit at the heart of any effective cyber-resilience strategy. Engaging, adaptive and measurable ‘all staff’ awareness learning must play a fundamental role in mitigating risk. It is essential to plan for ongoing training and involvement of everyone across the organization in cyber-resilience.
A robust cyber-resilience strategy should incorporate technical, process and personnel controls. Ensuring that employees are trained to recognize a cyber-risk and to react accordingly in a timely manner is essential. The wider focus must be on aligning strategic priorities, service management tools, operational systems and architectures with the ongoing training and involvement of people across the organization.
It is vital to get people, processes and technology working in concert to protect against, detect and respond to cyber-threats and attacks. Used in conjunction with existing service management systems such as ITIL, and with project and program management frameworks such as PRINCE2, the RESILIA Best Practice framework for cyber-resilience enables organizations to create a proactive, balanced and collaborative approach to identifying and managing cyber-risks. It also gives them the capability to detect and recover from cyber-attacks more quickly, minimizing reputational or financial damage.
About the Author
Panagiotis Fiampolis is research and development director of PEOPLECERT, which partners with multi-national organizations and government bodies for the development and management of globally recognized certification schemes and the delivery of standardized exams in over 140 countries.
This article was originally published in Infosecurity Magazine, September 2015. For more information visit http://www.infosecurity-magazine.com/opinions/can-certification-make-a-difference/