Enduring Cyber Resilience

Article by Malcolm Warr OBE, Chairman of CNI Scotland

Back then, it was pretty clear that the devices that provided information and those responsible for managing “technology” were directly connected to those using it. The relationship was simple and straightforward.

Not so nowadays. The average user of technology is bombarded with all sorts of acronyms and strange, mid Atlantic terms.

They are assailed with a cacophony of sometimes well-meaning but confusing advice and training regimes. There are dire warnings of the repercussions should technology fails or is infiltrated by cyber invaders.

We need to get real. Yes! There are some very clever adversaries out there who are quite capable of implementing an attack in response to our often-blunted defence posture.

However, too much gobbledegook clouds the issues in responding and deflects practitioners in OT from collaborating effectively with their IT cousins and developing the right relationship with the people who use technology.

As a result, what do many people do to protect themselves?

Almost nothing. Or sometimes the wrong thing.

But all is not lost. Many of the dominant cyber adversaries exist within a cult of personality centred on the Leader. The leader sets direction and everyone else executes it. Often repeating patterns by doing exactly what they are told. I have seen examples of this in the security industry and during the Cold War. This form of predictability can be defeated by good training and collective rethinking; intertwined with first class leadership.

In democracies, counter measures can be worked up. Ideas about how to act against both present cyber attacks and help prevent future occurrences can be funnelled by teams and individual contributors. This allows more room for feedback and discussion leading to far better outcomes potentially. There is room for individualism and allowances can be made for human error — and human error plays a critical part.

According to a study by IBM, human error is the main cause of 95% of cyber security breaches. Therefore, if we can improve human resilience and greater security awareness, the likelihood is that we can reduce cyber driven breaches.

One might assume that involvement in high-tech and high-risk industries, like technology and banking, would bring greater security awareness. However, verified research has shown that this isn’t necessarily the case.

Among the industries that face the most human error are technology companies and financial services. Employees in technology industries are the most likely to click on links in phishing emails. 45% of employees in banking and finance also admitted to clicking on phishing emails.

Our company’s senior psychologist tells me that new procedures often fail because humans like to get things done but they also fear making mistakes. Many find change difficult — when something stands in the way of progress, humans either concede defeat or circumnavigate the first line of defence. Good aspiration: bad cyber resilience.

Good training and awareness programmes can introduce the tenable cyber threats into employees’ working lives. The best programmes often provide real-time simulations that demonstrate what a threat can look like, and how employees should react. This is partnered with continuous education of the workforce because the threat landscape doesn’t just stop evolving when an employee’s cybersecurity training is done.

So where does IT and OT play a part?

If you Google definitions of IT and OT you will get a cat’s cradle of responses.

If you bundle these together, the difference between IT and OT systems is that IT is focused on data and communication, whereas OT is focused on behaviours and outcomes.

However, I have an added a third dimension which is TU. Technology User is defined by lawyers “as someone who uses technology to access and use information or carry out a task that involves the use of digital technology”.

All three are linked inextricably.

Over the years, I have led or participated in a number of major transformation programmes and reviewed complex technology projects, some with downstream get well programmes.

In 2020, McKinsey Digital wrote a useful article on a technology-transformation approach that works.

McKinsey reported that technology leaders who have pursued this new approach that is comprehensive enough to account for the myriad inter linkages of modern technology joined at the hip, have shown considerable improvements in business effectiveness and technology resilience.

So where do we go from here?

In 1958 the Royal Navy, set up a transformation programme to train the crews in operating their equipment and give them experience in dealing with every eventuality likely to be met at sea. The McKinsey approach aligns with this transformation.

Starting with a baseline, “Work Up” proceeds with basic safety and awareness training, and progresses through various scenarios to more advanced training on a collective basis involving different “units”.

Common sense plays a big part and it’s accepted from the outset, that all participants can learn from mistakes.

Training is delivered to the same standard whoever, the customer although it can be tailored to meet specific requirements.

It draws heavily on experience gained over 65 years and promotes best practice. It is recognised as a world leader in the international Naval community.

So how do we develop this Work Up in the civilian cyber environment?

The key components are all available in the UK and many other countries. Basic check: setting the requirement, exercising-real and simulated, training and mentoring, feedback leading to revision of an incremental approach.

It just needs to be joined up.

The strengths of this Work Up approach include a less silo relationship between IT and OT Teams and individuals, and across business sectors. People find themselves working more closely together to manage converged technology and the human being plays a central role.

For businesses, a positive flow-on impact of this is reduced development, operational, and support costs and a confidence that any attack on technology systems can be dealt with authoritatively and with practicality.

Good training and awareness programmes can introduce the tenable cyber threats into employees’ working lives.