Friday, 25 September 2015

A Cyber Security Confession

I’m going to hold my hands up right now and tell you that as a resilience professional in 2015 I still feel like I know very little about cyber security, and it really concerns me.

I was recently listening to a very interesting discussion during an interview with Ken Simpson and the wonderfully insightful Lyndon Bird (a guy who I’m constantly asked if he’s my father because of our similar name) on the Beyond the Black Stump Podcast Series (I highly recommend a listen) where Lyndon, who is often described as one of the founding fathers of BC, touches on a point that I’ve been contemplating for a long time. In summary he says…

“Has business continuity gone through its lifecycle of conventional Business Continuity Management Systems into a wider arena called resilience and are our traditional skills ready for that?…Business continuity has a limitation in so far as where it goes to next…Cyber to some extent doesn’t fit our model.”

You have to admit the guy has a point…and from what I can see at the moment professionals seem to be dividing into 4 groups on this subject:

1) BC professionals who claim to know their cyber stuff and are part of the growing pool of “Cyber Security Professionals”

2) BC professionals who admit they don’t know their stuff and are leading the discussion online and at conferences about how little we know or appreciate the subject (there are many individuals, but one example is Drew Gibson, a great guy who did a talk on cyber threats/security at the BCI World Conference in 2014, will do so again this year, and also recently completed his thesis on the same topic. A great source of information on our current levels of awareness.)

3) IT guys and girls who have spotted an opportunity and are flooding the job market by selling their IT background and adding BC to their CV. Much like the way the emergency management job market was flooded with ex-Blue Light and Military types post-Civil Contingencies Act.

4) People who are too fearful of contributing at all and either say nothing or let you assume they understand the concept…fine for now, but a dangerous approach in time!

Ultimately I’m concerned as a professional that if I don’t get to grips with this ASAP it might pass me by and I won’t have the skills to pay the bills as it were.

I spotted this popular picture on LinkedIn the other month and I think it perfectly resembles the feel in the resilience community about cyber and IT security to a point. Everyone really is talking about it and has been for a number of years and everyone assumes that others are doing it but without the slightest idea of how to do it. It’s clear to me that many resilience folks are conveying that they know more than they really do just now and we probably need to plug that gap. So I thought I’d devote this blog to signposting to a few sources of information for those like me who need briefing up!

Don’t get me wrong, like most people I understand the general concept of being attacked either from inside the organisation or by an outside threat, losing client data and being held to ransom for a plethora of reasons by a wide range of groups and individuals. I’ve also got a fair idea of the basic physical and IT controls that a business can use to tighten things up…but I’m by no means comfortable with my knowledge, and this is my worry. The BCI’s 2014 Horizon Scan featured cyber security and data breach in its top three, and I think this indicates the level of concern; to me this is because of our lack of knowledge and experience – the fear of the complex and the unknown!

Thankfully there are a range of cyber security themed materials out there and I want to signpost you to a few that I’ve seen. I’m hoping this post will be commented on by seasoned professionals in our field who can signpost further background reading. Let’s plug this gap and be a bit more schooled up about this rapidly growing threat!

The BCI have made a great start on pulling things together at a central point so I would recommend starting here. For instance they have learning on:

Cyber Savvy

Martin Caddick and William Beer released an article in Continuity Magazine about the need to be “cyber savvy” which I’ve found to be a very useful start! The very fact that these guys state that the concept is “still poorly defined and understood in many organisations, and is not matching the trajectory of growth that BCM has enjoyed” suggests my view is widely shared which is a relief!

It’s obviously a very topical issue because even a simple CTRL-F on cyber in the July issue pinged up 64 references made throughout the entire magazine!

Collaboration on Cyber

Two great articles from the December 2010 Continuity Magazine: one from Nigel Allen, who discusses the need for greater collaboration between public and private organisations on cyber security, and then also the interview with Commissioner Cecilia Malmström discussing some of the changes to the EU legal standpoint on punishing these crimes. I know it was a few years ago now, but I think by reading these you can get a feel for how long this has been going on. Everyone loves a bit of context! Take a look at both of these articles here.

What’s the Cyber Risk and What do we need to do about it?

An interview with FERMA’s (Federation of European Risk Management Associations) scientific adviser Marie Gemma Dequae in early 2013 clearly shows that organisations still don’t fully understand the growing risk of cyber and what it actually looks like. More to the point, if we don’t know what it is then we can’t prepare and mitigate for it! Thankfully, in the same issue of Continuity Magazine Seth Berman, an MD at a digital risk company, sets out how to initially deal with the challenge. My only criticism is that I wish he had written more, because I found this piece really useful, with clear pragmatic advice on what to do. Take a look here.

There also seems to be a growing number of webinars on the subject which might be worth listening to, but for me each time I've listened it usually turns into a sales pitch about 10 minutes in, so if anyone has any better recommendations please let me know.

So do take a look at the BCI’s resources; they’ve done a really good job of capturing as much as they can, and it’s our job to read, share and discuss! As I mentioned earlier in the post, I am hoping to use this as an opportunity to share the best resources out there across our community, so add your best link to a useful resource either below or via Twitter or LinkedIn.
