Announcing: new British Standard for cyber risk and resilience

    Brink
    04 Apr 2018 #1


    Technology is an integral part of the fabric of everyday life. There is almost no organization that does not rely on digital services in some way in order to survive. The opportunity that technology provides also brings with it more vulnerabilities and threats as organizations and data become more connected and available. This trend results in a common gap found in the decision-making process at large organizations. Often information security and cybersecurity have been viewed as a function of IT and therefore, the information security departments have been managed outside of normal business decision-making processes. This is an approach we no longer have the luxury of indulging.

    Organizations need a holistic approach to implement digital transformation projects to safeguard their security. This involves focusing on both the opportunity and the threat of any change. To do this effectively the accountability for cyber risk and resilience needs to sit firmly with executive management and the governing body. However, a skills gap exists at this level with many governing body members having started their careers before the internet era. Even when willing to adopt responsibility for building a cyber resilient organization, senior executives are often confused by the technical language that risk management and cybersecurity professionals speak. As well, they may also encourage cybersecurity professionals to speak directly to the board. Therefore, we also need to equip board members with the tools to ask the right questions and ensure the correct levels of risk to build cyber resilient organizations.

    That is why, nearly two years ago, the BSI Risk Management Committee started working to develop new guidance aimed at helping executive leadership better understand and manage the technology risks to their organizations. I was asked to lead a group of government executives, regulators, professional bodies and technical experts with a goal of directly addressing the realities and challenges of managing cyber risk in a digital world. This goal led us to draft the new British Standard BS31111. The standard aims to provide guidance to enterprise organizations regarding cyber risk and resilience, and to address the gap in IT decision making.

    The standard includes:

    1. Parameters to build concrete guidelines into governing bodies
    2. Identification of areas of focus an organization should have in order to build a cyber resilient enterprise
    3. Assessment questions management can ask to challenge the organization regarding how it is building cyber resilience into the business

    Cyber risk and resilience needs to be driven from the top of the organization to ensure that the right culture is set across all business decision making. Executive management must ensure that there is a clear risk and resilience strategy set across the organization, as well as ensuring that there is a strong management structure in place that details the responsibilities and expectations of everyone to maintain security. As Microsoft’s own CEO Satya Nadella has said, “Cybersecurity is like going to the gym. You can’t get better by watching others, you’ve got to get there every day”. Satya’s comments underline the reasoning behind this standard, emphasizing the need to build cyber resilience into day-to-day operations and not treat it as a standalone project or program.

    Engaging with risk management and cyber resilience principles can be complicated and it is easy to get bogged down by technical jargon. To help, we created a visual (figure 1) intended to illustrate the areas required to develop cyber resilience and the key responsibilities of the board.


    [Figure 1: areas required to develop cyber resilience and the key responsibilities of the board. Source: BS31111:2018, Figure 1]

    Key tenets:

    • The responsibility of any Board of Directors is to clearly set the direction of business activity. They ultimately sign off on major decisions and investments and need to ensure that activity is sustainable for the business.
    • Executive management and the governing body are mostly responsible for the roof and foundation, with oversight on the activity of the pillars. Any building is only as good as its foundation and the same is true for building cyber resilience.

    The importance of culture for security

    Without a strong culture of security, it is easy for decisions to be made that expose an organization. Many of the major breaches witnessed in recent years can be traced back to a lack of ownership and leadership regarding the need for strong cybersecurity measures across the organization, along with ill-informed investment decisions. The executive management and members of the board need to clearly focus on the benefits of any digital investment AND the level of security outcomes required to support that investment. Hopefully, the new British Standard BS31111 will provide best practice aims and expectations for the responsibility and accountability of boards and executive leadership to drive change.

    The publication of the standard is only the first step. It will be important to promote the need for every organization to safeguard their enterprise and their customers, more than we do today. Many boards and governing bodies are becoming more “cyber aware” and understanding their need to build cyber risk into their decision making. This publication aims to enable leadership teams and boards to build awareness and decision-making protocols across the organization.

    In my short tenure with Microsoft, I have already witnessed a strong internal security culture, focused on building resilient and secure cloud platforms. I look forward to working with my customers to help them develop their own cyber resilient foundations and cultures, ensuring that Microsoft’s capabilities support them in that endeavor.

    SIÂN JOHN,
    Executive Security Advisor, Strategic Enterprise and Cybersecurity Group


    Source: Announcing: new British Standard for cyber risk and resilience (Microsoft Secure)
    Last edited by essenbe; 05 Apr 2018 at 08:55.