A Framework for Managing Cybersecurity Effectiveness in the Digital Context

摘要

The pace of digital transformation and new technology development and the growing sophistication of cyber criminals result in organisations facing greater scope and severity of cybersecurity attacks on a daily basis - estimated to cost between $375 and $575 billion per annum. It is anticipated that as more devices, systems, and infrastructure become interconnected and interdependent, and as more interfaces between customers, suppliers, and partners are leveraged, the IT 'attack surface' will continue to expand. Organisations vary in their approaches to attempting to prevent cybersecurity breaches: some are overly restrictive, making even routine business activities difficult, while others are too relaxed with poor oversight and inadequate protocols and procedures, creating unnecessary exposures. However, applying appropriate cybersecurity controls is now a particular necessity where digital leaders often have a higher tolerance and appetite for risk-taking and experimentation to identify key opportunities for the future. Organisations now need to rethink their cybersecurity management approaches, and recognise that traditional access control and perimeter defences alone are no longer sufficient. Rather holistic and proactive approaches that continually evolve and adapt to counter emerging threats and minimise the potential negative consequences of exposure are required. Understanding how effective the organisation is in its cybersecurity efforts is a prerequisite for ensuring controls remain abreast with, and appropriate for, the changing IT threat landscape. This paper presents a cybersecurity conceptual framework that can be used by organisations to provide a holistic analysis of their cybersecurity approaches. It details the key factors or management themes underpinning cybersecurity effectiveness and how the insights gained through assessing performance against these factors or management themes can be practically used to improve cybersecurity effectiveness.