With 100 per cent security just an unachievable dream, organisations must embed cyber resiliency within their organisation, the Information Security Forum (ISF) urged today.
In doing so, companies need to look at how to prepare for the unforeseen, alongside integrating strategies for information sharing in post-breach scenarios, the ISF said.
"There is going to be a range of attacks you can't protect yourself from," said ISF chief executive Michael de Crespigny during a press briefing this morning. "We've concluded the real issue is to create cyber resiliency.
Security as a concept isn't owned by IT
"It's not about more control, not about more cost, it is about anticipation of unpredictability."
It is hugely difficult to predict how the threat landscape will evolve in the future, de Crespigny added, pointing to Anonymous' tactic of recruiting unwitting Twitter users into a distributed denial of service (DDoS) attack last week by simply posting links.
The hacktivist group embedded JavaScript into specially-crafted sites, which would have visitors repeatedly attempt to access a targeted website, thereby including them in a DDoS attack.
Essential collaboration
"Organisations must embrace uncertainty and develop resiliency. It's essential to collaborate and share information," de Crespigny added. "You can't act alone."
As an example of how effective collaboration could be enacted, the ISF CEO pointed to the global coordination over dealing with the H1N1 virus otherwise known as bird flu.
"There was a lot of international collaboration, huge amounts of communication," he added. "But if you look at Sony there were long periods where there was very little communication and delays in response time."
Sony was heavily criticised for not speedily disclosing a data breach involving its Playstation Network, which saw information on over 100 million of its customers compromised.
EMC-owned security giant RSA was also panned for not telling customers information on its SecurID product had been placed in jeopardy thanks to a hack attack.
In building resiliency, businesses need to look at who would be impacted by a breach of its network, which organisations it could cooperate with and when to disclose information, the ISF said.
This includes the need to connect functions internally, as well as externally across the business' supply chain. To support this a facilitator is required to bring together different parties, according to the ISF, which itself can act as if companies want to recruit an external body to mediate.
Despite IT being a key part of a cyber resilience strategy, they should not lead it, the ISF said. Instead, the body repeated the adage that "cyber security is a business issue."
"Security as a concept isn't owned by IT," de Crespigny said.
The ISF has released a report and tools to help companies create cyber resiliency.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
RSAC Conference 2025: The front line of cyber innovation
ITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
RSAC Conference 2025: AI and quantum complicate securityOrganizations are grappling with the complications of adopting AI for security
-
RSAC Conference 2025 was a sobering reminder of the challenges facing cybersecurity professionalsAnalysis Despite widespread optimism on how AI can help those in cybersecurity, it’s clear that the threat landscape is more complex than ever
-
RSAC Conference day three: using AI to do more with less and facing new attack techniques
-
"There needs to be an order of magnitude more effort": AI security experts call for focused evaluation of frontier models and agentic systemsNews Evaluating the risks of dynamic, evolving AI networks is slow work for cybersecurity analysts
-
Cyber defenders need to remember their adversaries are human, says Trellix research headThere's a growing overlap between nation-state actors and cybercriminals, but these attackers are real people who make mistakes
-
RSAC Conference day two: A focus on new hacking tacticsFrom quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
RSAC Conference Day One: Vibe Is 'All In' on AI for SecurityNews Artificial intelligence took center stage as RSAC Conference looks at how the discussion has moved from generative AI to agentic AI
