Cyber Essentials and BSI standards - managing the business risk
Russell Price
Chairman of Continuity Forum and the BSI Risk Management Committee
All rights reserved © 2018 Continuity Forum / JISC. Slide 2 of 29
Cyber Essentials & British Standard BS 31111
Managing the business risk
“I think there is a world market for maybe five computers”
Thomas Watson, President of IBM, 1943
Home Computers
“There is no reason anyone would want a computer in their home”
Ken Olsen, Digital Equipment Corp, 1977
Tech Explosion
A technology explosion
New devices are connecting to the Internet at the rate of 328 million/month
Digital Britain 1
Digital Britain: Reality Check
91%
• UK: G20’s most cyber-dependent economy
• £600bn online spending in 2018
• Tech sector now £184bn
• Growing at 3X the rate of other sectors
Digital Britain 2
Digital Britain: Reality Check
91%
In the last 12 months we learned …
• 43% had a cyber breach
• 74% said cyber security was a priority
• 75% don’t have formal cyber policies
• Probably underestimated?
Cyber Risk Cartoon
Cyber risk: a definition of sorts
“Risk of financial loss, operational disruption or reputational damage to an organisation due to a failure of its information technology systems from a broad spectrum of causes”
Me
Russell Price
• Chairman of BSI UK Risk Management Committee (RM/1)
• Member of ISO TC 262, TC 292 & BSI CAR/1
• Founding member & current Chair of the Cyber Risk & Insurance Forum (CRIF)
• ISO 22301, 22316, 31000, 31010, 270XX & Strategic Advisory Group
• British Standards 31111, 65000 & 31100
• BIS Sector UK Cyber Security Review Chair -> Cyber Essentials
• CBEST – ANSI/ASIS – EU – UNISDR
Risk Life Cycle
Risk Life Cycle (chart): Issue Management
Axes: Pressure/Cost/Impact against Time / Development Cascade
Phases: Dormant, Emerging, Potential, Current, Crisis
Stages: Origin, Development, Impact, Resolution
Early Issue Identification: Opportunity to Influence
Period of Increasing Awareness
Later: Difficult to Influence. Too late!
BS7799
Information Security Management System Standards
1995: twenty-two years ago, BS 7799 was published
ISMS Standards
Information Security Management System Standards
Source: ISO/IEC 27000:2016
• Vocabulary standard (4.2): 27000
• Requirement standards (4.3): 27001, 27006, 27009
• Guideline standards (4.4): 27002, 27003, 27004, 27005, 27007, TR 27008, 27013, 27014, TR 27016
• Sector-specific standards (4.5): 27010, 27011, 27015, 27017, 27018, 27019
• Control-specific guideline standards (4.3): 2703x, 2704x
Good Practice
Meeting the standards
Demonstrating Good Practice
BSI Standard makers 2016
Nailed down?
So we have it nailed down?
NO!
WEF 10 Global Risks
World Economic Forum
Major Cyber Incident
Scenario modeling
One Major Cyber Attack
• Lloyd’s of London catastrophe modeling research
• 15 US States including NYC and Washington DC affected
• 93m people without power
• $243bn impact on the global economy
• $21.4bn claims
Heat Map
Cyber Risk
• Must be better understood
• Connects & spreads between organizations
• Not a tech issue, a core BUSINESS RISK!
Cyber essentials
• Critical societal risk!
The Basics
A first step
• Boundary firewalls and gateways
• Secure configurations
• Access control
• Malware protection
• Patch management
Cyber Essentials
Cyber Essentials is intended only to provide the most basic of technical capabilities. It is aimed at those who have IT knowledge. It is meant to be a starting point.
CE Flowchart
What do we need to do?
What do we really need to do?
Cyber Risk & Resilience
Business Conversation
Cyber Risk | the business conversation
• Awareness of the real business risks
• Board understanding it is their responsibility
• Create an expectation of dynamic capability
• Process, Performance, Productivity & Profit
• Convergence and change
• Demand action…
BS31111
Expectations of a Director
Expectations of a Director
… to promote the success of the company, directors must consider the impact of the company’s operations on the community [1].
The duty to exercise reasonable care, skill and diligence requires directors to exercise the same care, skill and diligence that would be exercised by a reasonably diligent person with the knowledge, skill and experience that may be reasonably expected of: (i) a person carrying out the same functions in relation to the company as the director; and (ii) the actual director in question. [2]
[1] Section 172 and [2] Section 174, Companies Act
Board Org Chart
Culture
• Risk Ownership
• Responsibility & Accountability
• Knowledge, Skills, Attitudes & Behaviour (KSAB)
Capability: active monitoring, security testing, horizon scanning & review
• Cyber Landscape Intelligence
• Protection
• Detection
• Response & Recovery
Board engagement & responsibility
Risk Management
• Understanding Context
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Scanning & Review
Governance
• Evaluate
• Direct
• Monitor
• Communicate
• Assure
Operational management & accountability
BS 31111 Risk Management
BS 31111 | Integration with the business
Establishing context: A clear strategy with your business objectives clearly stated. Should include all the internal & external uncertainties across the organisation.
Risk Identification: A risk identification process that expects connection of the cyber environment to business objectives, whether or not they are under the influence of the firm.
Risk Analysis: Develop a clear financial and operational understanding of the business effects of the risks identified, quantified in a relevant commercial context.
Risk Evaluation: Intelligent analysis & prioritized actions based on context & relationship with business objectives.
Risk Treatment:
• Identifying the Risk Owner in the business, not just IT
• Describes the options & the controls available & assesses effectiveness
• Test & review the control
• Risk treatment agreed - Document the treatment plan
• Assign to appropriate owner - Set completion or review timetable
• Document expected change to the risk identified
BSI Standard makers 2017
Cyber Temple
The Cyber Temple
Sum up Learning Experience
“The Principles described connect and support other standards and good practice frameworks and help the business boost value and integration in planning and develop real world capabilities”
Benefits & Outcomes Realised
Governance & Accountability
Culture
Pillars: RISK MANAGEMENT, ENGAGEMENT, COLLABORATION, ADAPTABILITY, MONITORING, THREAT INTELLIGENCE, INCIDENT RESPONSE, ASSURANCE
Ownership & Leadership
Trust & Transparency
Informed Decision Making
Commitment & Regulation
A question of priorities
The learning experience
1860’s 1970’s
Close and Questions
Summary & Questions
Contact | russell.price@continuityforum.org Phone | +44 (0) 7770 666004

Editor's Notes

  • #6 (slide 6): We will have in excess of 30 billion devices connected to the Net by 2020, and an estimated 75 billion by 2025 (Source: Statista)