Good cyber resilience needs collaboration

2016 02 22 Good cyber resilience needs collaboration

I attended the inaugural meeting of the Global Forum to Advance Cyber Resilience last week. I was particularly interested in this forum because of my role as lead author and chief examiner for RESILIA™ Cyber Resilience Best Practice[1]. The forum was created by the Global Institute for Cybersecurity + Research (GICSR), headquartered at NASA's Center for Space Education at the Kennedy Space Center.

Over the course of a very long day I met many people from a wide range of public and private sector organizations. Some came from enormous US government agencies but others represented quite small private sector organizations, and some provided guidance for organizations so small that they don’t have the resources to employ any IT or cyber security staff of their own despite an urgent need for secure IT services. It was interesting to confirm that we all face the same cyber resilience challenges.

The constant theme of the forum was the need for collaboration, in many different ways and across many different collaborators. These are just a few of the things we discussed:

  • Collaboration between IT service management and information security management

    Many organizations have completely different people responsible for IT service management and information security management. This can be problematic because both are responsible for managing the information needed by our customers. We both need to manage and control the configuration of IT systems, and any changes to them, as well as responding to incidents and investigating root causes. If we work separately it is easy to end up at cross purposes and in conflict with each other. Working together to achieve our common goals can be much more productive.
  • Collaboration between IT people and the customers we support

    IT exists to support our customers’ organizations; it has to provide the information an organization needs to achieve its mission. If we design and implement security controls that are too onerous then our customers will find ways to work around them so they can meet their goals. This can result in a situation where putting controls in place actually increases risk. For example one organization restricted what documents could be sent by email, so customers simply started sending sensitive documents from their personal email accounts. We must work together across the organization to create an environment where security controls are appropriate for the level of risk, and, just as important, one where everybody understands, supports and complies with these controls.
  • Collaboration between competing organizations that work in the same industry

    We all need information about the types of security attack that are happening, how other organizations are defending themselves, and what breaches have happened. Everybody wants other organizations to share information, but few of us want to take the risk of sharing our own sensitive information. We need to develop a culture of trust, and to share information that will help us to resist attacks.
  • Collaboration between public sector and private sector

    Public sector organizations have developed many standards and best practices that are now also used by private organizations. Examples of this include:
  • NIST Framework for Improving Critical Infrastructure Cybersecurity [2]
  • DESMF service management framework [3]
  • ITIL® Best Practices for IT Service Management [4]
  • Many international standards for information security management and IT service management produced by the International Standards Organization [5]
These frameworks and standards were created by large numbers of people working together to share their knowledge and experience. They can be of enormous help to any organization, enabling us to build a management system based on the extensive experience of other people.

The forum is so new that it doesn’t even have a web site yet, but I will edit this article to add a link as soon as there is something I can link to. If the first meeting is representative of how the forum will develop then I am very hopeful that this forum will be of great benefit in the years to come, fostering collaboration between public and private sector organizations and helping us all to become more cyber resilient.

 Edited on 15 Mar 2016 to add a link to Global Forum to Advance Cyber Resilience.

Image credit:  Quinn Dombrowski



[1] RESILIA is a framework for Cyber Resilience Best Practice, developed by Axelos.

[2] NIST is the US National Institute of Standards and Technology. The NIST cybersecurity framework is intended for organizations that are responsible for critical infrastructure, but many of the recommendations are appropriate for any organization that wants to improve their cyber resilience.

[3] The US Department of Defence Enterprise Service Management Framework was developed for use within the US department of defence, but is available for use by any organization.

[4] ITIL was originally developed by the UK government. It is now owned and managed by Axelos.

[5] ISO is an independent, non-governmental international organization with a membership of 162 national standards bodies. The ISO/IEC 27000 series of standards address information security management, and the ISO/IEC 20000 series address IT service management.

comments powered by Disqus

Optimal Service Management Ltd.

7 Ingatestone Road, Woodford Green,
Essex, IG8 9AN, UK

Registered No: 8791379 England

Phone: +44 20 8504 2002

Recent Posts

  • 2022 02 15 Risk appetite
    Defining your risk appetite

    How to create simple definitions of risk appetite levels, and then assign these to each of your organization’s projects, services, business units or any other clearly identifiable part of your work.

  • 2021 11 25 Mentoring inage
    Mentoring 101

    Mentoring is a great way to develop both professionally and personally, and the mentor can gain as much from the relationship as the mentee. This blog gives an overview of how you can get started as a mentor, or as a mentee.

  • 2019 09 11 A great customer journey has to be planned from end to end
    A great customer journey has to be planned from end-to-end

    Have you tried mapping out your customers’ journeys? If not, then it’s an exercise well worth doing.

Latest Tweets