Introduction
Imagine an organisation experiencing super heavy demand. Everyone’s supporting and juggling multiple roles – working together to get the job done, with no designated lead, and an assumption that everything is covered. Then it happens…
A suspicious email is delivered – undetected. A staff member clicks it. Malicious software begins to spread across the network, causing havoc as systems crash. Files encrypt. Confusion causes delays. No one knows who should lead the response, what data has been affected, or who needs to be notified. The damage worsens. Operations stop altogether.
This introduction is based on a real-world event. In this article, we focus on the theme of organisational structure – we reference a specific case study, provide general guidance, and make recommendations.
What is Organisational Structure?
Cyber security organisational structure means having a clear structure for effective security: a suitably skilled leader making decisions based on risk. By implementing security measures relating to organisational structure, organisations can demonstrate cyber resilience, and major incidents can be avoided.
Relatable Case Study
- Organisation: UK National Health Service (NHS)
- Incident: In 2017, many organisations were severely impacted by the global WannaCry ransomware attack. The NHS was widely reported to have been hit, with the malicious software spreading across systems, encrypting files and disrupting patient care. Hospitals and surgeries were forced to cancel appointments, delay operations, and revert to pen and paper.
- Financial Implications: the attack did not directly target the NHS; however, 80+ trusts were affected. It was estimated to cost millions in lost productivity and emergency costs.
- How it Links to Organisational Structure:
- Undefined roles and ownership – lack of clarity over who is responsible for cyber security can lead to ineffective operational activities and major incidents
- Leadership accountability – fragmented governance can lead to a lack of unified incident response
- Supply chain and asset management gaps – lack of asset management can lead to operational issues and security incidents
- Source Information:

General Guidance – For Organisational Structure
- Having a clear organisational structure is a good foundation for security
- Commitment, funding, and accountability from the ‘top’ of the organisation is key
- Consider roles and responsibilities, skills, leadership and escalation paths
- Organisational structure links with incident handling, disaster recovery and risk management – it extends to the supply chain and associated service level agreements
Recommended Actions – For Organisational Structure
- Keep it simple and secure
- Use a risk assessment to determine appropriate action
- Establish clear leadership and accountability for information security
- Define roles and responsibilities – investing in skills and training
- Align security with risk, using risk appetite and assessments to support decision making
- Demonstrate accountability and responsibilities through policy and job descriptions
- For suppliers and partners – check contracts, data protection roles and service levels
- Seek guidance and support from a Certified Information Systems Security Professional (CISSP) and an IASME Certification Body for Cyber Assurance – such as RB Consultancy Ltd
How We Help
At RB Consultancy Ltd, we support organisations by:
- Providing templates, guidance and experience to support
- Explaining what security measures are available and how they can help
- Collaborating to implement security controls
- Assessing and issuing certifications – such as Cyber Essentials and Cyber Assurance
- Contact us for consultancy and certification support
Conclusion – Why Organisational Structure Matters in a Cyber Security Crisis
Having a clear structure within the organisation for effective and successful security can help avoid major security incidents. A suitably skilled leader making decisions based on risk is the recommended way to operate. A risk-based approach can help identify the specific security controls, measures and steps to take for an organisation of any size.
The 2017 WannaCry ransomware incident highlights the consequences of having undefined roles, and outdated systems. To prevent these risks, organisations can appoint skilled leaders, assign clear responsibilities, and align security with risk management.
RB Consultancy Ltd helps organisations understand the importance of organisational structure – we support the implementation of appropriate measures to help build cyber resilience. We are an IASME Certification Body and NCSC Assured Service Provider, providing services to empower and protect organisations. We hold CISSP and ISO 27001 Lead Implementer certifications; you can Contact Us for assistance with cyber security resilience.
This blog is written by Remo Belisari, Managing Director of RB Consultancy Ltd. He is an experienced cyber security professional and cyber advisor. Remo holds certifications in CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance. He has many years of experience in IT and cyber security. He has supported organisations worldwide. His work includes helping a Fortune 500 company in the USA and over 100 organisations across the UK. The views in this blog are his own. They do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliates. The content is for general information only.
