UK cyber resilience: it’s all about leadership

Andrew Cooke | 18 May 2016

Andrew Cooke shares his thoughts on why leadership is an essential element in the ongoing battle to ensure the UK is ‘cyber resilient’.

Last week the BBC reported on the Government’s new £1.9bn investment in preventing cyber-crime. The report came with a survey that revealed that two thirds of big companies have suffered a cyber breach in the last year.

Is this really news? The former MI5 chief’s recasting of Benjamin Franklin’s quote, “There are now three certainties in life: death, taxes and a foreign intelligence agency on your network,” has never been more true.

The survey doesn’t provide a great deal of granularity, referring to breaches in “UK big businesses” without detail of impact, organisational scale or sector.

Making the nation cyber resilient means protecting critical national infrastructure first. Infrastructure is waking up to the threats to industrial and process control systems, which are still considered to present softer targets despite the significant potential operational impact if compromised.

Furthermore, the survey appears to not consider the UK’s growing small and medium-sized enterprise (SME) community, which represents an increasingly critical component of any resilient nation.

In order to make sure that UK plc is not put at risk by cyber-attack, it needs to make itself more resilient to the threats that it faces. This means focussing on the risks that have the greatest impact on the successful operation of the UK. There are three things we can highlight to help take us there:

1. Focus on critical infrastructure: Cyber sits very much at the heart of UK plc, but its infrastructure represents the vascular system that carries its lifeblood (communications and energy) and carries away its waste products. Many of the companies supplying these services are not UK businesses at all.

2. Supply chain vulnerability: It is all very well considering the threats to large businesses but inevitably one of the biggest vulnerabilities that all organisations have is their supply chain. Every big business will have a hundred or more smaller companies representing critical links in their supply chain. Any business’ resilience is dependent on the resilience of those within its supply chain so the Government cannot ignore SMEs and just focus on the big players.

3. Cyber resilience is about leadership: Creating a cyber resilient organisation has to start at the top and work down. What is it that is important to the organisation and what needs protecting? To determine that you need to start with the top level organisational objectives. There are few businesses now for which cyber is not a key enabler; maybe none. Effective cyber security needs to be an objective on the CEO’s list of top level objectives.

The key thing for organisations is not investing a fortune in trying to prevent attacks, but instead ensuring that their important assets remain well protected once they are attacked or even breached. It’s essential to create organisational cyber resilience by understanding what is most important to delivering your mission and goals, and converting that into a clear and simple set of controls to ensure that your critical physical and information assets are protected.

As Baroness Dido Harding, CEO of TalkTalk and perhaps the UK’s highest profile victim of cyber-attack, would testify, making your business cyber resilient is all about leadership and not about attempting to hold back the tide.

In a piece in the FT (paywall) she explained: “The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one.”

The strength or weakness of our cyber security has the potential to impact everything we do. It therefore goes without saying that the person who is responsible for running and leading an organisation, regardless of its size, should be the one caring most about it.