Defence & Intelligence

Realising Cyber Resilience

Resilience Defined

Cyber attacks on business and government continue with regularity and increasing sophistication.  Some of these are well publicised (for example, the recent attack on UK Internet Service Provider TalkTalk) and considerable press hype ensues, making it difficult to understand what actually occurred and what actual damage was done.

It becomes increasingly clear that however much is spent on defensive measures, an organisation must assume that a breach will occur. Whether this comes from an insider threat or an external hack, it is no longer a matter of “if” but “when”!

So the ability to protect sensitive information and continue with critical operations whilst detecting and recovering from the attack will be key. This is referred to as RESILIENCE.

Resilience Unpacked

Any effective cyber security resilience approach must apply a balance of the core components of

  1. technology, including endpoint protection, cryptography and security incident detection
  2. process, such as the methods for reporting an incident, a new risk or a vulnerability
  3. leadership, demonstrating the importance of holistic security from the top of the organisation
  4. education, starting with basic awareness, appropriate for all job roles in an organisation, and regularly updated as the technology and the threat change

to each step in the cycle shown in figure 1 below.

Figure 1 – Resilience Cycle

Cyber resilience is a key principle underpinning ISO 27001, and the wider issue of information technology’s role in business continuity is covered by ISO 27031.

Realising Resilience

Governments and industry realise that Cyber Resilience is increasingly important to maintaining business continuity, information privacy and reputation / brand value.  There are a number of interesting Government-led responses, including:

World Economic Forum launched an initiative to advance cyber resilience in 2012 with the goal of enabling the digital economy to grow and thrive in the face of determined cyber-attacks. There are currently more than 100 organisations involved in this, and the project currently focuses on the impact of cyber threats and on creating risk assessment models so that leaders can ask more sophisticated questions about the threats most relevant to their own industry. The WEF cites the UK Government’s Ten Steps to Cyber Security booklet as “an excellent example of putting the principles in practice”.

US Government | Cyber Resilience Review – offers a combination of self-assessment questionnaires and (optional) on-site assessment to “evaluate an organization’s operational resilience and cybersecurity practices”. This was created by the Department of Homeland Security in partnership with the Computer Emergency Response Team (CERT) Division of Carnegie Mellon University’s Software Engineering Institute. It is promoted through voluntary activities, which are often featured in academic and trade journals.

These are steps in the right direction for sure – but are they enough?  Or is there more / different that can be done by Governments (and Industry) to address this vital topic?  And what are the inhibitors to progress?


I look forward to exploring these questions – and more – in the Cyber Resilience Workshop at AFCEA’s Cyber Symposium in Sofia, Bulgaria on the 8th – 10th December 2015. I will write a follow-up blog post outlining what I learnt!

Director - Blockchain | National Security - CTO Team Europe
