A robust cybersecurity framework is said to revolve around the five Cs – change, compliance, cost, continuity, and coverage. Following these basic principles is crucial for all organisations keen to protect themselves and their customers from the omnipresent threat of a cyberattack. But what do these principles mean on a practical level?
Change
According to cybersecurity expert David McNamara, the founder of CommSec, the only certainty in cybersecurity is change. “Change is constant, from shifting business models to evolving threat landscapes,” he explains. McNamara points out that AI is now playing a larger role in attacks and defence, meaning organisations must seek to continually adapt by embedding cybersecurity into their change management processes. “This includes staying informed about emerging threats, adopting frameworks like ISO 27001, and consulting with cybersecurity experts to strengthen resilience.”

Stephen O’Keeffe, director, cyber, privacy & forensics with PwC Ireland, agrees with all of this. “It is critical that organisations keep pace with shifting threat landscapes by regularly updating software, patching vulnerabilities, and training staff on emerging attack techniques.” Convincing deepfakes of senior executives, malicious use of generative AI and AI agents, and new strains of ransomware are just some of the latest innovations from cyber criminals. “They will continue to innovate, and your security programme needs to be agile enough to keep pace.”
Compliance
Compliance is no longer optional. McNamara lists the growing number of regulations for organisations when it comes to cybersecurity: NIS2, DORA, the Cyber Resilience Act, the AI Act. “Soon a new standard called Cyber Fundamentals aimed at SMEs will come into play,” he says. “Staying ahead means embedding regulatory requirements into your operational and governance structures now.”
O’Keeffe notes that the last decade has seen an unprecedented uplift in digital regulation, especially with respect to cybersecurity and privacy. “Organisations need to keep pace to protect their brand, avoid fines and maintain stakeholder trust,” he says. Europe has led the way in this regard, but global organisations must navigate the evolving regulations in territories like the US and China, he adds. “It is essential that organisations have a full understanding of the compliance requirements relevant to their sector or industry, proactively establish the capability required and demonstrate accountability with the right level of supporting evidence.”
Cost
An effective cybersecurity solution does not come cheap, and McNamara admits that, for many organisations, cost is a significant concern. “Organisations must determine where to invest for the most effective outcome.” A risk-based approach is key, he says. “By identifying your most critical threats and areas of exposure, you can allocate budget wisely.” He points out that financial supports from Enterprise Ireland, Local Enterprise Offices and other state programmes can help ease this burden.
“Leadership must seek to secure their organisations to the highest extent possible within realistic commercial constraints,” O’Keeffe adds. It is essential to prioritise effectively, focusing on projects or solutions that will move the needle most in terms of enhanced security posture for every euro invested, he says. “This can be challenging to quantify when compared to traditional investment appraisal, but the best chief information security officers and security leaders have a good feel for ‘value for money’ in this space.”
Continuity
Continuity essentially means keeping operations running during and after a cyber incident. “As the world continues to become more digital, and supply chain complexity increases, continuity is increasingly becoming one of the most critical success factors in business,” O’Keeffe says. Indeed, significant downtime can be an existential threat in some industries.
“Ransomware can bring a business to a halt, so measures such as encrypted, off-site, immutable backups are essential,” McNamara says. Continuity planning must also account for cloud environments. Simply assuming providers like Microsoft or AWS are secure is not enough. “Misconfigured settings can still leave you vulnerable.”
“Equally important are robust recovery plans that are regularly tested in realistic simulations so that muscle memory can be relied upon in a crisis,” adds O’Keeffe.
Coverage
Coverage is all about visibility. “Do you know your public-facing exposures? Are your systems protected and monitored consistently across all locations, local and international? Do you have 24/7 monitoring in place? Risk assessments can reveal coverage gaps and help prioritise the right controls,” McNamara advises.
Comprehensive coverage is key, O’Keeffe agrees. “It may sound obvious, but clearly identifying an organisation’s boundary is becoming more difficult in a world with greater reliance on cloud, on third party managed services, on GenAI large language models and more,” he says. “It is absolutely critical that security is not a paper-based exercise, or a suite of policies and standards that are disconnected from the reality on the ground. The best security leaders really understand the application of their security programme across the estate and ruthlessly hunt out non-compliance.”