by Henry Elisher
Business Analysis (BAPL) Consultant
Cyber threats can and will affect all industries. The most recent wave of digital transformation to hit the global economy has brought us the IoT (Internet of Things), which means that nearly all organisations now operate in a digitally interconnected ecosystem. Cyber security can therefore no longer be regarded as an individual problem to be fought at the digital and physical frontier of a single organisation. The cyber security vulnerability of anyone you do business with can now also be your vulnerability: you inherit their risk.
Successful cyber-attacks on critical infrastructure have the potential to immediately threaten both national security and economic stability. Because interconnectedness has increased dependencies, attacks now have the potential to cripple not just industries but also to do untold damage to nations. One only needs to look at the NotPetya cyber-attack on Ukraine in 2017 to witness the ferocity, scale and damage of a cyber event of that magnitude[i]. The scale and potential to create damage and harm is not lost on cyber threat actors either. Criminal groups, hacktivists aiming to cause civil unrest, and even state-sponsored groups performing espionage all understand the vulnerabilities of operating in an interconnected and interdependent environment, where the consequences of a cyber-attack can cascade from one organisation to many in an instant. The Ukrainian event will not be the last, and although the severity of attacks will vary, it cannot be assumed that anyone is immune.
Combating and managing this growing risk must now become the responsibility of business leaders. Understanding, identifying and building a robust and pervasive cyber resilience culture, and ensuring it is instilled in every person in an organisation, means that knowledge transfer, defence and culture-building need to start from the top down. Board members and chief executives are now obligated to proactively formulate strategies and ensure cyber resilience is interwoven into the fabric of their organisation.
The new interconnected world in which organisations operate requires leaders to fundamentally shift their mindset in two distinct ways[ii]:
- There needs to be an understanding that cyber risk is a business and ecosystem-wide risk, not simply a component that fits within the remit of IT risk. Cyber risk management decisions must be integrated into all business decisions.
- Awareness that managing cyber risk in an interconnected environment means leaders need to look well beyond the boundaries of their own houses and understand their broader neighbourhoods of suppliers, customers, competitors, peers and regulators, amongst others[iii].
Knowing what needs to be protected is the first step in addressing the challenges of cyber resilience in a complex and interdependent operational universe.
Organisations usually have interdependent relationships with numerous stakeholders, spanning multiple degrees of separation from the organisation itself. To ensure that cyber security and resilience are effectively adopted within the context of business strategy, leaders have an obligation to grasp both the breadth and depth of the connections within their operational sphere.
Being able to produce a logistical map of interconnected stakeholders is also of utmost importance. Identification has to start within the core value chain, specifically by identifying the connected infrastructure, and then expand that sphere of reference to the surrounding business ecosystem of suppliers, customers and peers. This then needs to be encapsulated and buttressed by a clear picture of what the extended ecosystem is.
The extended ecosystem is also known as the strategic layer and comprises policy makers, regulators, law enforcement, insurers and standards bodies.
As digitisation increases, so too do the complexity and interdependencies of the network layer, i.e., the computer systems[i] that interact with one another. Coming to an understanding of this layer early and getting ahead of its development will give better insight into obvious cyber vulnerabilities, and will highlight how this layer can be used as a highway to propagate cyber-attacks and how their effects can easily cascade across the ecosystem.
Understanding the network layer, and working both adeptly and with agility in the strategic layer, is critical to becoming cyber resilient. Cyber security and resilience cannot be regarded in isolation. Leaders must recognise that a lack of security in their broader neighbourhood means their own cyber integrity can be undermined. Cooperation is a key aspect of heightening cyber resilience: members of a neighbourhood, from oversight bodies to suppliers, customers and employees, need to cooperate across all operational spheres in order to inform, identify and combat perceived threats.
How to secure systems that will become increasingly complex will inevitably be the ongoing challenge for any market. The ever-changing nature of technology, and the shifting sands on which both the network layer and the strategic layer are founded, mean that collaborative and collective efforts will need to be sustained indefinitely.
In 2017, to help facilitate board oversight and action in support of organisational cyber resilience, the World Economic Forum (WEF)[i], in collaboration with leading academics, developed 10 overarching principles[ii] for organisational cyber governance. The principles were put in place to assist boards in promoting cyber resilience as a key component of their overall organisational strategy.
The key cyber resilience principles are restated below in this blog. These principles have been lifted exactly as stipulated by the WEF.
Principle 1 – Responsibility for cyber resilience – The board as a whole needs to take ultimate responsibility for the oversight of cyber risk and resilience. This primary oversight may be delegated to an existing committee or a new, dedicated committee.
Principle 2 – Command of the subject – Board members need to receive cyber resilience training upon joining the board and are regularly updated on threats and trends – with advice from independent external experts when requested.
Principle 3 – Accountable Officer – The board ensures that one corporate officer is accountable for reporting on the organisation's capability to manage cyber resilience and its progress in completing cyber resilience goals.
Principle 4 – Integration of cyber resilience – The board ensures that management integrates cyber resilience and cyber risk assessments into the overall business strategy and enterprise-wide risk management, as well as budgeting decisions and resource allocation.
Principle 5 – Risk appetite – The board annually defines and quantifies business risk tolerance relative to cyber resilience and ensures that it is consistent with corporate strategy and risk appetite.
Principle 6 – Risk assessment and reporting – The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during its meetings.
Principle 7 – Resilience plans – The board ensures that management supports the officer accountable for cyber resilience through the creation, implementation, testing and ongoing maintenance of cyber resilience plans, which are harmonised across the business.
Principle 8 – Community – The board encourages management to collaborate with stakeholders, as relevant and appropriate, in order to ensure systemic cyber resilience.
Principle 9 – Review – The board ensures that a formal, independent cyber resilience review of the organisation is carried out annually.
Principle 10 – Effectiveness – The board periodically reviews its own performance on implementation of these principles and seeks independent advice for continuous improvement.
[i] 'The untold story of NotPetya, the most devastating cyberattack in history', Wired, accessed 23 April 2019, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
[ii] Boston Consulting Group, whitepaper, 'Building cyberresilience into the electricity ecosystem', accessed 12 April 2019, https://www.bcg.com/publications/2019/building-cyberresilience-electricity-ecoysystem.aspx
[iii] World Economic Forum, whitepaper, 'Cyber resilience in the electricity ecosystem: Principles and guidance for boards', accessed 15 April 2019, https://www.weforum.org/whitepapers/cyber-resilience-in-the-electricity-ecosystem-principles-and-guidance-for-boards