NCSC: ‘Good enough’ cyber security
We’ve talked in the past about how ‘good enough’ security is good enough for many organisations.
It’s a view reiterated by the National Cyber Security Centre (NCSC), a government agency that provides advice and support to the public and private sectors on how to avoid computer security threats.
The NCSC published its Annual Review, reporting on how it’s making the UK the safest place to live and do business online. The organisation was created in 2016 as part of the government’s five-year National Cyber Security Strategy.
In the review, CEO Ciaran Martin talked about the active cyber defence (ACD) initiative and how automation can be used to reduce some of the most common weaknesses in cyber security defences.
“The ACD programme shows what government can do directly to improve cyber security. But getting ahead of the problem involves equipping every organisation, however large or small, with the tools they need to protect themselves as best they can,” he said in his overview.
He added that getting the right cyber security capabilities for an organisation starts with a better understanding of the risks.
“No one is asking British citizens and businesses to have cyber defence capabilities akin to those of a nation state. They just need to be good enough to fend off what an organisation can reasonably assess to be the risks it faces. Defences also need to be good enough to contain attacks that do get through, as some inevitably will,” he said.
The NCSC has started publishing guidance for boards on the types of questions they can ask their cyber security teams about how they are managing risk. More will follow to help leaders understand enough technical detail to make the right decisions.
Cyber security is now integral for organisations. It’s no longer just governance or just a process – it should be embedded in the whole business. For example, we use DevSecOps when delivering projects. It enables us to ensure security is built in from the start and not bolted on at the end.
‘Good enough’ isn’t a poor cousin to gold-plated. Good enough means you understand your risks, your data and the impact of cyber breaches, and then implement security that is good enough to protect your organisation.
Here’s our Head of Sales, Andrew Hawkins, with more: