2. Stroz Friedberg
Leading experts on cyber defence - pragmatic, evidence-driven strategies and tactics that work
World class response to digital trouble – and advice on how to prepare for cyber attacks
Discreet global advisors when it matters
3. Why are we worrying about Cyber attacks?
“The focus on credit, market and liquidity risk over the last five years may have distracted attention from operational, and in particular cyber risks, among financial institutions and infrastructures. This is a rapidly rising area of risk with potentially systemic implications.” Andrew Haldane, Bank of England, 2013
“Current preventative and disaster recovery measures may not be able to stand up against a large-scale and co-ordinated attack” IOSCO, 2013
“DTCC expects cyber-attacks to escalate and become more sophisticated in the future.” DTCC, 2013
4. Why are we worrying about Cyber attacks?
Organisations are currently under attack.
Those attacks have either succeeded or will succeed.
What remains in question is:
• Understanding your adversaries – preparation for the attack
• Ability to identify that attack early – situational awareness
• Understanding your critical assets – the damage the attack will cause
• Ability to withstand that damage – the ability to re-establish normal operations
[Diagram: Probability of Attack plotted against Damage Caused, rising with Digital Growth; damage tiers: Core Asset Damage, Serious Disruption, Major Theft, Data Breach, Institutional Impact]
5. What are the key issues?
• There is an undeclared war in cyber space
• Cyber failure is silent
• Risk analysis and modelling is deeply challenging
• Cyber risk is systemic
• Many firms are below the “cyber poverty line”
• Effective practices are developing faster than standards
7. Residual Risks and Big Risks
• Drivers of residual risk
– Constant and rapid organisational change
– Aggressive job market for cyber professionals
– Technical cyber solutions increasingly specialised
– Changing adversary tactics and innovation
• Big risks
– Systemic risks too big to manage
– Outside individual organisation boundaries
– Sector-wide risks – “we’re okay if everyone is affected”
8. What is Cyber Resilience?
[Diagram: Cyber Resilience, made up of Security Initiative & Problem Solving, Pace of Decision Making, Diversity of Cyber Capacity, Organisational Readiness & Business Problem Solving, Situational Awareness, and Technical Agility & Adaption]
9. Challenges
• Technical Agility & Adaption + Diversity of Cyber Capacity = Reduced efficiency
• Highly optimised and efficient organisations are more fragile
• Straight redundancy isn’t the answer anymore
• Recovery Time Objective for Cyber?
10. Key components for resistance and resilience
[Diagram: Cyber Resistance, made up of Consciously Secure Design, Mature Controls Environment, Good Cyber Risk Decisions, Cyber Threat Hunting, and Experiential Learning & Threat Simulation; Cyber Resilience, made up of Security Initiative & Problem Solving, Pace of Decision Making, Diversity of Cyber Capacity, Organisational Readiness & Business Problem Solving, Situational Awareness, and Technical Agility & Adaption]
Cyber Resistance: specialist cyber practices, developing ahead of standards
Cyber Resilience: organisational capabilities, cannot be driven from security
11. Key characteristics of successful cyber programmes
• Effectiveness – of the management of the risk
• Appropriateness – to the risks the firm faces
• Proportionality – to the scale and the margins of the firm
• Feasibility – of planned improvements in terms of timescales and the capability the firm currently has
12. Role of Regulators and Boards in managing systemic cyber risk
• Regulators
– Curated markets for cyber capabilities
– Outcomes-based testing
– Cyber competent persons
– Primary legislation
• Boards
– Specialist cyber NED
– Dedicated cyber risk sub-committee
– Limits of fiduciary duty vs national security
– Capability sharing
13. Key takeaway
“Cyber is not a minority sport for technologists only.” Andrew Gracie, Bank of England, 2015