Posts Tagged ‘regulation’

Cyber Resilience: Part Six Recommended Reading

 

Here are the sources used when developing the thinking behind this blog series:

(more…)

Cyber Resilience: Part Five What next?

Cyber resistance clearly requires leadership and operational intervention from specialised cyber professionals.  However, Cyber Resilience requires a broader institutional response that encompasses all aspects of the business.  As such, it needs to be owned by the entire executive management of an organisation.

The Department encourages all institutions to view cyber security as an integral aspect of their overall risk management strategy, rather than solely as a subset of information technology.” Benjamin Lawsky, Superintendent of Financial Services, New York State Department of Financial Services, December 2014

(more…)

Cyber Resilience: Part Four Companies’ Plans Must Include Both Resistance and Resilience

Resistance to cyber attack is undoubtedly valuable and can produce effective outcomes. However, resistance is expensive and there is a law of diminishing returns on the investments made in resistance, Moreover, because the preparations and mitigations employed in resisting attacks are often specific to particular, point-in-time threats, ongoing resistance is both complex and fragile — unexpected shifts in attacker tactics can bypass existing defences and leave organisations struggling to deploy new controls at an appropriate pace. Faced with the total capabilities of nation-state attackers or state-sponsored cybercriminals, many organisations are unable to deploy effective controls quickly enough or spend enough money to completely mitigate the totality of the threats they face.

“Financial firms should assume they will be subject to destructive attacks and develop capabilities and procedures to resume operations. Financial firms also need to be ready to quickly restore computer networks and technology-enabled operations in response to known or unforeseen threats that could cause catastrophic disruption.” Financial Stability Oversight Council (FSOC) 2015 Annual Report

(more…)

Cyber Resilience: Part One Introduction

This blog series is a re-tooling of a white paper I drafted in May 2015 while working at Stroz Friedberg. I want to thank Stroz Friedberg for the support and time to develop these ideas and specifically want to thank Bill Trent and Simon Viney from Stroz Friedbergs London office for their assistance and review. I also recieved valuable feedback from David Porter at Resilient Thinking and Dave Whitley at BAE Systems.

Introduction

The prevalence of digitally-enabled businesses, Internet-dependent customers and Internet-connected supply chains creates near unlimited opportunities and points of entry for cyberattacks, and significantly increases the potential for cybercrime to damage a company’s ability to maintain operations. This has created an environment in which cyberattacks by criminals, hacktivists and state-sponsored actors are more frequent and more damaging than ever.

(more…)

A Rising Tide of Cyber Regulation?

I don’t envy regulators their task of ensuring the firms they supervise are managing their cyber risk well.

The increasing dependence of firms and whole sectors on information technology (IT) and operational technology (OT) was always a creeping concern but has accelerated dramatically as a result of the ‘digital’ movement in  large firms and the oncoming storm of the ‘Internet of Things’ (IoT). Governments around the world  have woken up to the potential  systemic and infrastructural threats to national security and national economies and have tasked regulators with ensuring these risks are appropriately addressed.

(more…)

Twitter RSS