
teissTalk: Defining and assessing your cyber resilience

teissTalk host Geoff White was joined by Ben Lindgreen, Head of Cyber Resilience, PAY.UK, as main guest; Steve Brown, Cyber Security Director, Mastercard; and Kevin Duffey, Managing Director, The Cyber Rescue Alliance.

Views on news


Following a series of high-profile cyber-attacks, the UK government is consulting on proposals for legislative changes which would drive up levels of cyber resilience, particularly in organisations which play an important role in the UK economy, like managed IT service providers.


What is often missing from a focus on cyber resilience is that a business has to understand its own critical processes, so that what it buys from a provider actually fits its needs. Small organisations therefore need some help to determine which service models and configurations suit their business requirements. The new legislation may end up as a kind of checklist of benchmarks and standards.

Do we need a legislative mandate at all?


A small firm may be able to implement the Cyber Essentials controls, but that doesn’t address the risk assessment part of the exercise, which is a key element for small and large businesses alike because it lets them put the right controls in place. Frameworks such as IASME might do more to help SMEs assess their cyber security maturity than government legislation. As for the difficulty of targeting the right groups with legislation, the Online Harms Bill is a good example: it sets out to control Facebook/Meta but may end up affecting smaller players as well.

In some cases, business organisations may not be able to patch their software because of its criticality, and although they could have other compensating controls, Cyber Essentials doesn’t allow for that. Legislating for safety is a slow process by nature – safety belts took about twenty years to become mandatory – which suggests that we’ll have the right legislation for cyber security as well at some point. It just takes time. The Cyber Rescue Alliance’s role in promoting cyber security is to advise COOs and CROs on what the risks to their organisations are and what they can do to be more resilient.

There is still close collaboration between the EU and the UK when drafting new legislation. Where there definitely needs to be alignment between the two blocs is certifications, as well as the technological security standards that devices sold on the two markets need to comply with. A completely different state-level approach to cyber resilience can be seen in Singapore, where a CEO or CISO can go to gaol for not protecting critical infrastructure properly from cyber-attacks.

The reason more legislation is needed is that, following a tide of outsourcing to cloud services, IoT and multi-tier supply chains, the associated risk has been outsourced as well. Accountability and due diligence therefore need to be brought back to the main corporation (see DORA). Although the industry has made great strides in cyber security, legislation is needed to accelerate progress and to give cyber security experts some leverage when they negotiate budgets with the board.

Forums where actionable intelligence on attackers and incidents is shared between key players, who may otherwise be competitors, are key to making corporate information security systems more efficient.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543