Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Cyber security being superseded by ‘cyber resilience’

Traditional cyber security is now inadequate for today’s threat landscape and must be superseded by ‘cyber resilience’, demanding more vigorous action from company boardrooms.

This was the main message of a panel of industry experts at the international cyber summit hosted by IT Governance in London on 8th May.

The event, ‘New Standards in the Global Cyber War’ included speakers from the Department for Business, Innovation and Skills, British Standards Institution (BSI), international professional organization ISACA, and AXELOS, a joint venture between the Cabinet Office and services group Capita plc that runs the Best Management Practice portfolio.

The conference attracted more than 60 delegates from across the UK.

Alan Calder, executive chairman of IT Governance and conference chair, told delegates: “Cyber security is no longer sufficient to ensure business sustainability. Yes, organizations need to defend themselves against potential attack, but they must accept that some attacks will inevitably succeed. Therefore, an organization’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place.

“Business continuity is unequivocally a boardroom responsibility, so directors will have to increase the attention and resources they devote to information security and resilience. For example, spending just 10 percent of the IT budget on security is no longer adequate to keep your organization in business.”

Mike Edwards, management systems tutor at BSI, continued: “Organizations need to converge their management of information security and business continuity. The good news is the best practice standards in each area – ISO 27001 for information security and the new ISO 22301 standard for business continuity – now work very well together, so policies and procedures can be dovetailed. Employing both standards in tandem is the key to cyber resilience.”

The UK government’s recently announced Cyber Essentials scheme was discussed by Richard Bach, assistant director for Cyber Security at the Department for Business, Innovation and Skills: “Cyber Essentials is complementary to the good work and value across several existing standards and frameworks. The scheme gives testable guidance on five areas of basic technical controls. When implemented, it will help organizations protect themselves from online cyber threats. Its principles apply to organizations of all sizes, from micro enterprises to large corporates. Our main aim is adoption – we want to see Cyber Essentials adopted as far and wide as possible. We want to see a step change in organizational cyber security behaviours."

Reflecting upon Bach’s remarks, Alan Calder welcomed the Cyber Essentials scheme, and said that to achieve cyber resilience organizations would need to employ complementary standards in parallel: “Anything that raises management awareness of cyber security is a good thing and we are delighted to see the government getting behind this issue.

“I would argue Cyber Essentials should be adopted in addition to, rather than instead of, ISO 27001. The ISO 27001 standard offers various additional benefits, key ones being its international recognition and role as pillar of cyber resilience. You can use Cyber Essentials to try to stop attacks succeeding, but, realistically, some will get through your defences. How you recover from an attack falls entirely outside the scope of Cyber Essentials, so additional measures are essential.”

Other speakers at the conference included Neira Jones, an independent expert on ISO 27001 and the PCI DSS standard, who gave an analysis of the devastating cyber breach suffered by US retailer Target; Bridget Kenyon, Head of Information Security at University College London, who highlighted the importance of ISO 27001 in providing structure to information security management; Nick Wilding, head of cyber resilience at AXELOS, who discussed ways for companies to assess their best practice compliance for cyber resilience; and Sarb Sembhi, chair of ISACA’s Government and Regulatory Advisory Regional Committee for Europe and Africa, who discussed the value of the COBIT 5 framework in aligning management system standards.


•Date: 14th May 2014 • UK/World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here