Posts Tagged ‘management’

Cyber Resilience: Part Four Companies’ Plans Must Include Both Resistance and Resilience

Resistance to cyber attack is undoubtedly valuable and can produce effective outcomes. However, resistance is expensive and there is a law of diminishing returns on the investments made in resistance, Moreover, because the preparations and mitigations employed in resisting attacks are often specific to particular, point-in-time threats, ongoing resistance is both complex and fragile — unexpected shifts in attacker tactics can bypass existing defences and leave organisations struggling to deploy new controls at an appropriate pace. Faced with the total capabilities of nation-state attackers or state-sponsored cybercriminals, many organisations are unable to deploy effective controls quickly enough or spend enough money to completely mitigate the totality of the threats they face.

“Financial firms should assume they will be subject to destructive attacks and develop capabilities and procedures to resume operations. Financial firms also need to be ready to quickly restore computer networks and technology-enabled operations in response to known or unforeseen threats that could cause catastrophic disruption.” Financial Stability Oversight Council (FSOC) 2015 Annual Report

(more…)

Cyber Resilience: Part Three What is Cyber Resilience?

Cyber Resilience is an organisation’s preparation for business disruption caused by cyber attacks; its ability to recover from these disruptions; and its systemic capability to adapt and grow from each attack it experiences.

Cyber resilience requires that, while organisations strive to prevent incidents, they also understand their internal operating environments and digital ecosystems well enough to develop and deploy processes that:

  1. Accelerate the detection of successful attacks; and
  2. Contain and respond to identified attacks.

(more…)

Cyber Resilience: Part Two Resistance

Cybersecurity has traditionally and overwhelmingly focused on resistance to cyber attack: development and deployment of cyber controls that limit the extent and mitigate the impact of attacks, with the core assumption being that the organisation will be able to prevent most attacks, and at worst, continue to function near-normally during an incident and be able to resume normal operations with minimal delay.

Robust cyber resistance frameworks such as the NIST Cyber Security Framework have emerged, but in reality, good practices that are being developed every day in the field aren’t making their way back into the standards quickly enough in order to make these frameworks practically useful in the fight against cybercrime. At the same time, we also see leading organisations that have successfully mapped out good practices, but struggle to meet their own aspirations across all affected areas of the enterprise.

(more…)

A Rising Tide of Cyber Regulation?

I don’t envy regulators their task of ensuring the firms they supervise are managing their cyber risk well.

The increasing dependence of firms and whole sectors on information technology (IT) and operational technology (OT) was always a creeping concern but has accelerated dramatically as a result of the ‘digital’ movement in  large firms and the oncoming storm of the ‘Internet of Things’ (IoT). Governments around the world  have woken up to the potential  systemic and infrastructural threats to national security and national economies and have tasked regulators with ensuring these risks are appropriately addressed.

(more…)

ICI Global Cybersecurity Forum 2015 Keynote: Cyber Resilience

Yesterday I was lucky enough to be given the opportunity to deliver the keynote for the ICI Global Cybersecurity Forum in London. It was a great event with some seriously considered debates, some well run panels and lot of practitioners I hadn’t met before. I’ve decided to publish my speaking notes here, I rambled all across these notes and embellished in many places but these reflect the main body of my speech. I was especially pleased with the level of engagement after I spoke, mostly to prove I wasn’t as bad as I feared, but also it showed I had touched a nerve with many on the room.

I include my speaking notes below, these borrow heavily from a draft whitepaper I have been writing and sharing with clients and other stakeholders for their comments.

  (more…)

Twitter RSS