Trying to address Cyber Resilience?

The UK regulators have continued their focus on Cyber Resilience in 2017 by reportedly issuing a questionnaire to circa 500 companies within the UK financial services industry. This comes as no surprise when you consider the well-articulated Financial Conduct Authority (FCA) speech last year.

Key focus areas for cyber resilience within the questionnaire include: governance, identification, situational awareness, protection, detection, response, resumption and recovery, and testing approaches.

Last year I penned an article around resilience challenges, with different approaches outlined. Reliance on technical controls often outweighs the emphasis that should be placed on the human factors within Cyber Resilience; don't lose sight of this important consideration. When cyber security controls start to fail, your cyber resilience plan needs to be activated (in haste), and this requires a different skill set from traditional cyber security practices.

Teams from the business resilience, technology resilience, cyber security and crisis management disciplines need to start talking to one another, driven by business leaders considering risk. Typically these functions are run by many different individuals who may not talk the same risk language. Senior management should be seeking assurance that there are clearly defined responsibilities, handoffs between different parties, scenario analysis, testing exercises and playbooks, with an established governance structure, metrics to measure performance and/or continuous improvement, whilst demonstrating appropriate oversight. This is not purely a technology issue; cyber resilience requires a holistic view of your risk, with treatment approaches agreed across the various business units.

Assigning personal liability for operational effectiveness in a time of crisis seems to be the approach the regulators are heading towards to ensure board members take action; this is already occurring in other jurisdictions.

Existing generic and industry-agnostic methodologies and frameworks for operational resilience have not kept pace with the growing threats and risks; should you use them without tailoring them to your environment, this may lead you down a dangerous path towards catastrophes larger than you can imagine. It's increasingly important to understand your critical economic functions and associated supply chain while establishing situational awareness throughout the business.

We are currently working with several banks, insurers and FMIs on their cyber security and resilience programmes as they enhance their operational resilience capabilities and move from traditional information security to a cyber resilient posture, i.e. accept that breaches will occur; focus on detection, response and external communication approaches in order to build firm-wide response muscle memory, agree graceful degradation strategies, minimise financial impacts and establish rapid recovery processes that enable the timely resumption of critical operations.

This is not an easy task when there is a constantly evolving threat, weak existing control environments, outsourced data processing, other essential third parties and the focus on reducing capital expenditure in the current market climate. Automation, uncomplicated processes and collaboration are essential. Cyber Resilience will soon be seen as a significant competitive advantage once you appreciate that we are not able to stay ahead of internal and external threat actors.

This is my personal blog. The views expressed in these articles are mine alone and not those of my employer.