
Cyber Resilience


A slightly extended version of this presentation given to the London South Branch of the British Computer Society on the 18th November 2015.

Published in: Leadership & Management

  1. Cyber Resilience: Managing Cyber Shocks
     Phil Huggins
  2. Stroz Friedberg
     • Leading experts on cyber defence: pragmatic, evidence-driven strategies and tactics that work
     • World class response to digital trouble, and advice on how to prepare for cyber attacks
     • Discreet global advisors when it matters
  3. Why are we worrying about Cyber attacks?
     “The focus on credit, market and liquidity risk over the last five years may have distracted attention from operational, and in particular cyber risks, among financial institutions and infrastructures. This is a rapidly rising area of risk with potentially systemic implications.” Andrew Haldane, Bank of England, 2013
     “Current preventative and disaster recovery measures may not be able to stand up against a large-scale and co-ordinated attack” IOSCO, 2013
     “DTCC expects cyber-attacks to escalate and become more sophisticated in the future.” DTCC, 2013
  4. Why are we worrying about Cyber attacks? Digital Growth
     Organisations are currently under attack. Those attacks have either succeeded or will succeed. What remains in question is:
     • Understanding your adversaries – preparation for the attack
     • Ability to identify that attack early – situational awareness
     • Understanding your critical assets – the damage the attack will cause
     • Ability to withstand that damage – the ability to re-establish normal operations
     [Chart: Damage Caused against Probability of Attack; categories plotted: Core Asset Damage, Serious Disruption, Major Theft, Data Breach, Institutional Impact]
  5. What are the key issues?
     • There is an undeclared war in cyber space
     • Cyber failure is silent
     • Risk analysis and modelling is deeply challenging
     • Cyber risk is systemic
     • Many firms are below the “cyber poverty line”
     • Effective practices are developing faster than standards
  6. What is Cyber Resistance?
     [Diagram: components of Cyber Resistance]
     • Consciously Secure Design
     • Mature Controls Environment
     • Good Cyber Risk Decisions
     • Cyber Threat Hunting
     • Experiential Learning & Threat Simulation
     • Situational Awareness
     • Technical Agility & Adaption
  7. Residual Risks and Big Risks
     • Drivers of residual risk
       – Constant and rapid organisational change
       – Aggressive job market for cyber professionals
       – Technical cyber solutions increasingly specialised
       – Changing adversary tactics and innovation
     • Big risks
       – Systemic risks too big to manage
       – Outside individual organisation boundaries
       – Sector-wide risks – “we’re okay if everyone is affected”
  8. What is Cyber Resilience?
     [Diagram: components of Cyber Resilience]
     • Security Initiative & Problem Solving
     • Pace of Decision Making
     • Diversity of Cyber Capacity
     • Organisational Readiness & Business Problem Solving
     • Situational Awareness
     • Technical Agility & Adaption
  9. Challenges
     • Technical Agility & Adaption + Diversity of Cyber Capacity = Reduced efficiency
     • Highly optimised and efficient organisations are more fragile
     • Straight redundancy isn’t the answer anymore
     • Recovery Time Objective for Cyber?
  10. Key components for resistance and resilience
     [Diagram combining the two previous slides]
     • Cyber Resistance (specialist cyber practices, developing ahead of standards)
       – Consciously Secure Design
       – Mature Controls Environment
       – Good Cyber Risk Decisions
       – Cyber Threat Hunting
       – Experiential Learning & Threat Simulation
     • Cyber Resilience (organisational capabilities, cannot be driven from security)
       – Security Initiative & Problem Solving
       – Pace of Decision Making
       – Diversity of Cyber Capacity
       – Organisational Readiness & Business Problem Solving
     • Shared by both
       – Situational Awareness
       – Technical Agility & Adaption
  11. Key characteristics of successful cyber programmes
     • Effectiveness – of the management of the risk
     • Appropriateness – to the risks the firm faces
     • Proportionality – to the scale and the margins of the firm
     • Feasibility – of planned improvements in terms of timescales and the capability the firm currently has
  12. Role of Regulators and Boards in managing systemic cyber risk
     • Regulators
       – Curated markets for cyber capabilities
       – Outcomes-based testing
       – Cyber competent persons
       – Primary legislation
     • Boards
       – Specialist cyber NED
       – Dedicated cyber risk sub-committee
       – Limits of fiduciary duty vs national security
       – Capability sharing
  13. Key takeaway
     “Cyber is not a minority sport for technologists only.” Andrew Gracie, Bank of England, 2015
  14. strozfriedberg.com
     Phil Huggins, Vice President
     phuggins@strozfriedberg.com
     T: +44 207 061 2299
     ©2015 Stroz Friedberg. All rights reserved.
