Building cyber resilience: The benefits of a community-based approach

In collaboration with Wolfpack Information Risk.

Join Andre Swart, Managing Director of Ziyasiza, and Craig Rosewarne, Managing Director of Wolfpack Information Risk, as they discuss the benefits of a community-based approach to building cyber resilience. Watch the video and read the conversation that follows.

 

 

Follow the conversation:

Andre Swart:

Cyber resilience is an important intersection for the C-Suite of any company. This critical nexus for risk management, business continuity, cybersecurity, finance, and technology, requires a joint leadership commitment. A common error often is to assume that cyber resilience is about technology, and that couldn’t be further from the truth.

At Ziyasiza we’ve partnered with Wolfpack to help organisations embed cyber resilience into the organisation’s culture and operations.

I’m joined today by Craig Rosewarne, the Managing Director of Wolfpack to have a conversation around this very critical element of business today.

Craig, can you just for the sake of an introduction, give us a brief description about what it is that Wolfpack does?

Craig Rosewarne:

Sure. So, I started Wolfpack back in 2011 and really, it’s an organisation that provides consulting, cybersecurity training, awareness to three tiers of clients. So, we deal with governments and deal with things at a national level. We deal with companies in terms of business risk. And then we also work with the community typically those, you know, individuals, schools, charities that no one is really looking after, and we provide quite a few pro bono services to assist them with our victims of cybercrime.

Andre Swart:

So, you assisted them with once they’ve been attacked from a from a cyber perspective as well?

Craig Rosewarne:

Yes, we do. So, we obviously try and raise awareness to help them prevent falling victims. But when they do when they go and report to the police station and they are feeling helpless then we get stuck in.

Andre Swart:

OK excellent. So, if we bring the topic then to cyber resilience as it were, in your view who is responsible for leading that charge, for building cyber resilience within an organisation?

Craig Rosewarne:

So, there’s a textbook answer and there’s a real answer that needs to happen in the world. So, you know, if we take the step back, the board / executives are accountable. They should be delegating it down to the business areas who actually are responsible. But the ball seems to be bypassing business and being thrown to IT cybersecurity risk areas, for example, to actually do the work. But business is actually responsible for this.

Andre Swart:

So, it’s not the job of the CIO necessarily?

Craig Rosewarne:

The CIO will be responsible for certain of the more technical areas and also, they are the custodians of information. But it is actually the business that needs to roll up the sleeves and actually define what are the core assets, what needs to be done by when and look to those other areas and external companies for assistance in helping them with their challenge.

Andre Swart:

So how would how would an organisation then go about building that community-based, broad-based approach to cyber resilience?

Craig Rosewarne:

So, I like the word ‘community’ because you know, no company on the own can try and deal with this thing. It’s far too big. No country or no government on their own can try and deal with this. So, you know, our guidance is always to a company to say you’re part of an industry, join hands with other companies in your industry. There’s quite a few forums established with this in mind.

And then look at your overall team and your organisation. What skills have you got? What gaps are there, for example, that you don’t have? And then partner with other organisations that can help you other develop skills or provide skills and solutions in the short term as well.

Andre Swart:

Do you have an example for us where you’ve seen this working well? Where you’ve seen this in action?

Craig Rosewarne:

There are, there are quite a few good success stories. I mean one of our clients in the financial services sector and the banks, for example, are part of a group called SABRIC, the South African Banking Risk Intelligence Centre. And they collaborate and work together on cross sort of company crimes, frauds etcetera.

And then they also partnered very well with other organisations and also have what are called BISOs or ISOs, information security officers, across the different areas of the business and also across different geographies as well. And with a strong awareness and training program linked to that you’re actually able to cover all the key areas of the business and make sure that you are as resilient as possible.

Andre Swart:

OK. And is it only in financial services? I mean financial services is generally the sector that, in my experience, are quite good when it comes to cyber, cyber protection, cyber resilience because it is a highly regulated industry and because they are dealing with the money of Joe Public out there. But what about the other industries that are not as regulated that perhaps, I mean I hear it often, don’t talk to us about security like we’re a bank because we’re not a bank yet. Cyber criminals don’t bother about whether you’re a bank or not.

Craig Rosewarne:

Exactly. They’ll take your money irrespective of if you’re a pensioner or a non-profit. So, the other sectors are coming together now. 

So, ASISA, we see the insurance sector, COMRiC is where the telecom sector for example, has come together and created a sort of an industry CIRT, which is a cybersecurity incident response team, academics, even government for example, has got various elements where they are coming together and started to calibrate a lot better.

Andre Swart:

OK, excellent. So, what are some of the tips or guidelines that you would give to a company to enable them to start this journey, to build a deeper awareness of cyber resilience as a topic.

Craig Rosewarne:

So don’t wait until it’s a problem, until you react. You know cybersecurity actually needs to be baked into the company at all levels, you know right at that executive level where, for example, you may be wanting to buy another organisation.

So, mergers and acquisitions as part of due diligence, you should be looking at the cybersecurity, privacy, resilience risks, for example that you are bringing into the group right across to the business where I mentioned earlier that they’ve got to be involved.

You know key areas such as HR, in terms of people, we’re dealing with technology, but it still is very much a people, buy-in change management issue, that needs to be dealt with.

And you know even areas such as marketing for example. Marketing deals with the brand, with social media of the organisation. And if you look at the impact that a cyber incident can have to an organisation’s brand and reputation, it is massive.

So yes, this is something that’s got to be done right from the strategy all the way down to the operational level of any organisation.

Andre Swart:

I guess key here is don’t forget about the people. The people element is really important.

Craig Rosewarne:

So important and not only your own people, also your outsourced people as well. You know right from contractors, third parties that you’re involved in, customers that you’re involved in because you know companies nowadays are integrating their systems with their clients, integrating with their suppliers. So, the ecosystem that needs to be managed is so much bigger as well.

Andre Swart:

All right, excellent. And Craig bringing it a bit closer to home now, and talking about Ziyasiza and Wolfpack working together, would you mind just giving a few insights as to what it is that that you see the benefit in in our two organisations working together and you know why is it that we do this?

Craig Rosewarne:

So, linking back to that ‘community’ word once again, you know, we are focused on cybersecurity, privacy and resilience consulting, training, and awareness and that’s what we do and what we do best. 

It’s great having partnerships luck with Ziyasiza that, you know, you guys do other elements that can complement our business such as IT, internal audit fraud for example. So, partnerships are crucial and obviously I enjoy working with you as well! So, it’s a good thing all around all round! 

Andre Swart:

Excellent.

And then I guess the last one. If I was to ask you for a call to action. If there’s a company out there that’s battling to get this right, what should their call to action be? How do they get their people involved and driving this cyber resilience agenda.

Craig Rosewarne:

So, we did a recent benchmarking exercise with about 118 companies to ask them all kinds of sensitive questions that you know, we were amazed to see even some large organisations, 5,000, 10,000 employees, don’t have a dedicated security office on board.

So, it really starts with having the right people structures in place to deal with this.

Look at your partnerships in terms of who you can bring in to plug your main risks.

You know, because you’re going to have limited resources in terms of time, money, and attention span, at the end of the day, that you can devote to this.

So, focus on what is critical to your business, your Crown Jewel assets, put the right resources behind that. You make sure that those are at least protected from incidents taking place or be able to respond to an incident should it, should it happen as well and grow it and mature it from there to other areas of the business.

You’ve got to start somewhere.

Andre Swart:

All right, excellent. I’ve enjoyed this conversation.

And then just kind of wrapping up, the whole call to action, the approach that companies should take:

• Number one, make it, don’t try and do everything yourself and reach out to other organisations in your industry.
• It’s not about technology, it’s actually more about people almost than it is about technology. Sure, the security elements around your technology are important, but they’re probably the big focus on the people element.
• And lastly, start, don’t sit back and wait. Get started, do something, take some kind of action, and get cracking on this programme.

Do you agree with that?

Craig Rosewarne:

Even if some companies haven’t budget, you know budget is often the one that is thrown, “We haven’t got money for this now.” There’s a lot of open-source tools, there’s training, for example, that people can go on online. A lot of it is actually free or very, very cost effective. So, you can start with the basics and build on from there as we said.

Andre Swart:

All right, great.

So, we, we believe that we can achieve more together and that’s why we work with other specialist consulting firms such as Wolfpack. We will continue to put our heads together with other organisations on how we solve major business challenges.

Please contact us. Look us up on LinkedIn, on our website, ziyasiza.com and please follow the conversation.

Thanks everybody for watching. And Craig, thank you very much for the time. Thanks, Andre.