The European Commission recently announced plans to create a European cybercrime center, operating at the direction of Europol

across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, with individuals who might have been compromised, and with shareholders, regulators and other stakeholders who might be affected.

By reacting quickly and constructively to a cyber attack, organizations can not only minimize reputational damage, they could potentially turn the situation into a positive one, if the response is seen as honest and sensitive to the best interests of customers and stakeholders.

One key element of building cyber resilience is to establish a governance framework, with board-level buy-in, for monitoring cyber activities – including partner collaboration and the risks and obligations that arise in cyberspace. Organizations should have a process for gathering, analyzing and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts of past, present and future cyberspace activity. In addition, organizations should apply the same partnering approach internally, sharing knowledge and best practice across business units and functional groups. In the drive to become cyber resilient, organizations need to extend their risk management focus beyond information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels, while recognizing the unintended business consequences of activity in cyberspace.


Establishing more robust cybersecurity alone is not enough either. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any negative impacts of cyberspace activity. Cyber resilience accepts a degree of uncertainty: it is difficult to undertake a completely comprehensive risk assessment of participation in cyberspace. Cyber resilience also recognizes the challenge of keeping pace with, or anticipating, the increasingly sophisticated threats from malspace. It encompasses the need for a prepared and comprehensive rapid-response capability, because organizations will be subject to cyber attacks regardless of their best efforts to protect themselves. Above all, cyber resilience is about ensuring the sustainability and success of an organization even when it has been subjected to the almost inevitable attack.

AUTHOR PROFILE: Michael de Crespigny

Michael de Crespigny is CEO of the ISF, an independent, not-for-profit association of leading organizations from around the world. His mission for the ISF is to help business leaders understand what they need to do from an information security perspective to keep their businesses safe. Prior to joining the ISF, the London-based de Crespigny was a partner with PwC. He joined the ISF in January 2010 as COO/CFO, reporting to then-CEO Howard Schmidt. He was named CEO in July 2010, following Schmidt's appointment as President Obama's cybersecurity coordinator.

May/June 2012

The ISF's online store allows member organizations to download the Forum's latest research and reports at no additional cost. Non-members can also pay a per-item fee for access to this research. In addition to the ISF's 'Cyber Security Strategies' report, you can also find:

• The 2011 Standard of Good Practice for Information Security
• Threat Horizon 2014
• Securing Consumer Devices
• Federated Identity and Access Management
• Infosec for External Suppliers

The concept of intelligence sharing and partnering, both within an organization and outside it, forms the foundation of the Information Security Forum (ISF) Cyber Resilience Framework, part of the 'Cyber Security Strategies' report.

By adopting a realistic, broad-based, collaborative approach to cybersecurity and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond appropriately.
