Announcing: new British Standard for cyber risk and resilience

Brink

Administrator
Staff member
Local time
3:47 AM
Messages
74,928
Location
Oklahoma
Technology is an integral part of the fabric of everyday life. There is almost no organization that does not rely on digital services in some way in order to survive. The opportunity that technology provides also brings with it more vulnerabilities and threats as organizations and data become more connected and available. This trend results in a common gap found in the decision-making process at large organizations. Often information security and cybersecurity have been viewed as a function of IT and therefore, the information security departments have been managed outside of normal business decision-making processes. This is an approach we no longer have the luxury of indulging.

Organizations need a holistic approach to implement digital transformation projects to safeguard their security. This involves focusing on both the opportunity and the threat of any change. To do this effectively the accountability for cyber risk and resilience needs to sit firmly with executive management and the governing body. However, a skills gap exists at this level with many governing body members having started their careers before the internet era. Even when willing to adopt responsibility for building a cyber resilient organization, senior executives are often confused by the technical language that risk management and cybersecurity professionals speak. As well, they may also encourage cybersecurity professionals to speak directly to the board. Therefore, we also need to equip board members with the tools to ask the right questions and ensure the correct levels of risk to build cyber resilient organizations.

That is why, nearly two years ago, the BSI Risk Management Committee started working to develop new guidance aimed at helping executive leadership better understand and manage the technology risks to their organizations. I was asked to lead a group of government executives, regulators, professional bodies and technical experts with a goal of directly addressing the realities and challenges of managing cyber risk in a digital world. This goal led us to draft the new British Standard BS31111. The standard aims to provide guidance to enterprise organizations regarding cyber risk and resilience, and to address the gap in IT decision making.

The standard includes:

  1. Parameters to build concrete guidelines into governing bodies
  2. Identification of areas of focus an organization should have in order to build a cyber resilient enterprise
  3. Assessment questions management can ask to challenge the organization regarding how it is building cyber resilience into the business
Cyber risk and resilience needs to be driven from the top of the organization to ensure that the right culture is set across all business decision making. Executive management must ensure that there is a clear risk and resilience strategy set across the organization, as well as ensuring that there is a strong management structure in place that details the responsibilities and expectations of everyone to maintain security. As Microsoft’s own CEO Satya Nadella has said, “Cybersecurity is like going to the gym. You can’t get better by watching others, you’ve got to get there every day”. Satya’s comments underline the reasoning behind this standard, emphasizing the need to build cyber resilience into day to day operations and not treat it as a standalone project or program.

Engaging with risk management and cyber resilience principles can be complicated and it is easy to get bogged down by technical jargon. To help, we created a visual (figure 1) intended to illustrate the areas required to develop cyber resilience and the key responsibilities of the board.

SourceBS31112018-Figure-1.png

Source:BS3111:2018 Figure 1

Key tenets:

  • The responsibility of any Board of Directors is to clearly set the direction of business activity. They ultimately sign off on major decisions and investments and need to ensure that activity is sustainable for the business.
  • Executive management and the governing body are mostly responsible for the roof and foundation, with oversight on the activity of the pillars. Any building is only as good as its foundation and the same is true for building cyber resilience.
The importance of culture for security

Without a strong culture of security, it is easy for decisions to be made that expose an organization. Many of the major breaches witnessed in recent years can be traced back to a lack of ownership and leadership regarding the need for strong cybersecurity measures across the organization, along with ill-informed investment decisions. The executive management and members of the board need to clearly focus on the benefits of any digital investment AND the level of security outcomes required to support that investment. Hopefully, the new British Standard BS31111 will provide best practice aims and expectations for the responsibility and accountability of boards and executive leadership to drive change.

The publication of the standard is only the first step. It will be important to promote the need for every organization to safeguard their enterprise and their customers, more than we do today. Many boards and governing bodies are becoming more “cyber aware” and understanding their need to build cyber risk into their decision making. This publication aims to enable leadership teams and boards to build awareness and decision-making protocols across the organization.

In my short tenure with Microsoft, I have already witnessed a strong internal security culture, focused on building resilient and secure cloud platforms. I look forward to working with my customers to help them develop their own cyber resilient foundations and cultures, ensuring that Microsoft’s capabilities support them in that endeavor.

SIÂN JOHN,
Executive Security Advisor, Strategic Enterprise and Cybersecurity Group


Source: Announcing: new British Standard for cyber risk and resilience Microsoft Secure
 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
A lot of words to say very little.
 

My Computers My Computers

  • At a glance

    7 X64i5 84002x8gb 3200mhz
    Computer type
    PC/Desktop
    OS
    7 X64
    CPU
    i5 8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x8gb 3200mhz
    Hard Drives
    various
    PSU
    pure power 11 400w cm
    Case
    Coolermaster
    Cooling
    cryorig m9i
  • At a glance

    7x64g54008gb ddr4 2400
    Computer type
    PC/Desktop
    OS
    7x64
    CPU
    g5400
    Motherboard
    ga b365m ds3h
    Memory
    8gb ddr4 2400
    PSU
    xfx pro 450w
Back
Top