Good cyber resilience needs collaboration
I attended the inaugural meeting of the Global Forum to Advance Cyber Resilience last week. I was particularly interested in this forum because of my role as lead author and chief examiner for RESILIA™ Cyber Resilience Best Practice. The forum was created by the Global Institute for Cybersecurity + Research (GICSR), headquartered at NASA's Center for Space Education at the Kennedy Space Center.
Over the course of a very long day I met many people from a wide range of public and private sector organizations. Some came from enormous US government agencies but others represented quite small private sector organizations, and some provided guidance for organizations so small that they don’t have the resources to employ any IT or cyber security staff of their own despite an urgent need for secure IT services. It was interesting to confirm that we all face the same cyber resilience challenges.
The constant theme of the forum was the need for collaboration, in many different ways and across many different collaborators. These are just a few of the things we discussed:
- Collaboration between IT service management and information security management
Many organizations have completely different people responsible for IT service management and information security management. This can be problematic because both are responsible for managing the information needed by our customers. We both need to manage and control the configuration of IT systems, and any changes to them, as well as responding to incidents and investigating root causes. If we work separately it is easy to end up at cross purposes and in conflict with each other. Working together to achieve our common goals can be much more productive.
- Collaboration between IT people and the customers we support
IT exists to support our customers’ organizations; it has to provide the information an organization needs to achieve its mission. If we design and implement security controls that are too onerous, then our customers will find ways to work around them so they can meet their goals. This can result in a situation where putting controls in place actually increases risk. For example, one organization restricted what documents could be sent by email, so customers simply started sending sensitive documents from their personal email accounts. We must work together across the organization to create an environment where security controls are appropriate for the level of risk, and, just as important, one where everybody understands, supports and complies with these controls.
- Collaboration between competing organizations that work in the same industry
We all need information about the types of security attack that are happening, how other organizations are defending themselves, and what breaches have happened. Everybody wants other organizations to share information, but few of us want to take the risk of sharing our own sensitive information. We need to develop a culture of trust, and to share information that will help us to resist attacks.
- Collaboration between public sector and private sector
Public sector organizations have developed many standards and best practices that are now also used by private organizations. Examples of this include:
- NIST Framework for Improving Critical Infrastructure Cybersecurity [1]
- DESMF service management framework [2]
- ITIL® Best Practices for IT Service Management
- Many international standards for information security management and IT service management produced by the International Organization for Standardization (ISO)
These frameworks and standards were created by large numbers of people working together to share their knowledge and experience. They can be of enormous help to any organization, enabling us to build a management system based on the extensive experience of other people.
The forum is so new that it doesn’t even have a web site yet, but I will edit this article to add a link as soon as there is something I can link to. If the first meeting is representative of how the forum will develop then I am very hopeful that this forum will be of great benefit in the years to come, fostering collaboration between public and private sector organizations and helping us all to become more cyber resilient.
Edited on 15 Mar 2016 to add a link to Global Forum to Advance Cyber Resilience.
Image credit: Quinn Dombrowski
[1] NIST is the US National Institute of Standards and Technology. The NIST cybersecurity framework is intended for organizations that are responsible for critical infrastructure, but many of the recommendations are appropriate for any organization that wants to improve its cyber resilience.
[2] The US Department of Defence Enterprise Service Management Framework (DESMF) was developed for use within the US Department of Defence, but is available for use by any organization.