Cyber Security and Operational Resilience
Building the right capability and culture
1. Increasing cyber threats
Operational resilience is the capability of organisations to continue to deliver critical services in the face of evolving threats to technology assets. The range and sophistication of cyber threats, from nation states, hacktivists and organised criminals, is having a profound effect on how organisations achieve operational resilience. When considered alongside increasing digitisation of technology (Internet of Things) and more familiar business challenges such as dealing with legacy technology estates, it is arguably more difficult than ever before to operate as a genuinely resilient organisation.
The best response to the growing cyber security threat is not to simply bolt a cyber security function next to existing capabilities. Instead, organisations should use cyber security as a lens through which to improve overall resilience capabilities. For example, the tools, techniques and cultural responses to cyber security can also be used to strengthen traditional business continuity capabilities.
Achieving operational resilience requires a broad spectrum of interventions, from initial strategy definition through to delivering change and continually improving. AVAP Agile has worked with clients across this spectrum. We have set cyber and resilience strategy, conducted health checks of ongoing resilience change projects and helped our clients execute cyber security-driven change initiatives.
2. Developing operational resilience
Cyber security fears have bred a proliferation of frameworks and point solutions. Too often, however, these are used as silver bullets. Technology alone cannot be relied upon to deliver true operational resilience to cyber threats. When providing cyber security consulting to clients, from formulating resilience strategies through to delivering tangible change to their cyber security capabilities, our advice is:
Know the business – what’s important versus what’s critical? What are the inherent organisational cyber security strengths and weaknesses?
Don’t let great be the enemy of good – it’s easy to be seduced into attempting a leap to the gold standard. Before attempting wholesale organisational change, first ask “How good are we at the basics of cyber security?” It’s not glamorous but it’s essential.
Judgement over theory – with cyber security, it’s impossible to analyse your way to success. True operational resilience is achieved by being pragmatic – iterating through focused thinking, delivering meaningful change in manageable steps.
People are as important as machines – too often cyber security is characterised as a technology arms race, but developing operational resilience relies as much on cultural and behavioural change within your business.
Get into the heads of the decision makers – governance, organisation and ownership are everything. Effective operational resilience should come from the top down, not from the side in, nor as an afterthought.
By adopting these principles, which contextualise cyber security interventions, organisations will maximise the value they get from frameworks and point solutions.
3. How we can help
For the last thirty years, we have been supporting our clients with their most complex, critical and legacy leaving challenges, by deploying small teams of highly experienced people. Over the last five years, an increasing number of our clients have been turning to us to support them with their cyber security and resilience challenges. As a result, we have developed a breadth of experience in financial services, logistics, consumer goods and media sectors where we have set cyber strategy and delivered associated change programmes.
We offer our clients a range of services to tackle cyber security and operational resilience challenges:
Our recent cyber security and operational resilience assignments range from upfront strategy and risk management assessment:
Developing the recovery and resilience strategy for a central bank-operated piece of critical national infrastructure (and mobilising the programme to deliver this).
Working for a financial services regulator to develop a programme that assessed the operational resilience of firms in a range of sectors.
Through to existing change portfolio assessments and delivery:
Leading significant information security programmes for a global consumer goods company, a global logistics provider and a financial services regulator.
Managing the recovery programmes for a major media and advertising company in response to a ransomware attack, including developing a step change in capabilities for managing future cyber incidents.
If you’d like to hear more about how we’re supporting our clients in this space, or if you would like to share perspectives, we’d be delighted to hear from you.