One of the key challenges of managing cyber security is that it is often seen as a low priority. Before a cyber incident occurs, many organizations do not prioritize cyber security, and may not allocate sufficient resources to it. This can make it difficult for the Information Security Officer (ISO) to get the support and attention they need to address cyber security issues.

Another challenge of managing cyber security is that the conversation often focuses on blame rather than solutions. When a cyber incident occurs, the conversation often turns to who was responsible, rather than how to respond to the incident and prevent future occurrences. This can create a culture of blame and finger-pointing, which can hinder effective responses to cyber security issues.

To address these challenges, it’s important to think of cyber security as a capability rather than just a deliverable. This means recognizing that cyber security is an ongoing process, rather than a one-time task. It involves building a culture of cyber security, investing in the necessary resources, and developing the skills and expertise needed to respond to and prevent cyber incidents.

By thinking of cyber security as a capability, organizations can better respond to and prevent cyber incidents, and can ultimately protect their business, their customers, and their reputation. It’s important to recognize that not every organization or business has the dedicated resources to address cyber security, but by prioritizing it and investing in the necessary capabilities, organizations can improve their cyber security posture and reduce their risk of cyber incidents.