It is a challenging time to be a CISO at a European utilities and transport provider. Ciaran Martin, CEO of the NCSC, has openly declared he is in little doubt the UK will experience a Category 1 attack in the near future, one that causes sustained disruption to essential services and could lead to loss of life. State-sponsored attacks on public services are becoming more evident, cyber-physical risk on industrial control systems is increasingly in the spotlight, and boards are starting to ask difficult questions about cyber defences and investments. And then there is the Networks and Information Systems Directive (NIS Directive).
Don’t expect leadership to engage if you don’t make it easy to understand the risk
The concept is over half a decade old. Yet, beyond the banking sector, critical national infrastructure organisations have been slow to embrace cyber resilience. Security is binary and difficult to measure. On the other hand, the language of cyber resilience facilitates board-level engagement with cyber risk. It’s time to stop aiming for total security and start aiming for resilience. It doesn’t need to be a huge, paralysing programme. Start simple: baseline your cyber resilience, get your board’s buy-in, then work systematically towards improving it over time, based on your risk appetite and the budget you can unlock.
Don’t take it personally. Cybercrime is just business. The “entrepreneur” may be after money, glory, attention or some other objective, but in the end competition and economics prevail. Is it easier to break into your home or your neighbour’s to achieve their objective? What is the easiest way in?
If your conclusion is to throw a tonne of resources at building an impenetrable fortress, then you may have missed the point. Walls can be scaled. If you reinforce your windows, that will simply incentivise your attackers to try the hatch in the roof. Where does the spending end?
A more sensible strategy is to make calculated, adaptive, timely choices. The risk of cyber attacks is just that, a risk. And like any business risk, the appropriate response is to manage it with an appropriate amount of resources. Total prevention is ideal, but often does not support the economic argument. On the other hand, mitigation costs significantly less than recovery. Early intervention minimises the impact of cyber attacks. Your attackers have broken through your roof hatch and are fumbling in the attic. Nothing has been stolen. Now pack up the valuables and calmly leave the building.