A Manifesto for Cyber Resilience

[Cover: Cyber Resilience Defined, Unknown Unknowns, Fighting Yesterday’s Battles, Human Factor, Understand where you stand, BYOD, Employee Threat, Revolutionaries]
Cyber Resilience Defined
Cyber increasingly describes our online work and play; it’s a big and growing element of our real lives. Today, some 2.4 billion global internet users, 34% of the world’s population, spend increasing amounts of time online.[1] All our Cyber activity adds up to a lot of online business, making it an unstoppable movement – the type that starts revolutions.

To some, the benefits of our Cyber lives and new business models come with understandable and acceptable risks. Others feel such mass movements demand more considered responses. But there is little time for debate. What we really need is a Call to Action.

De-risking our Cyber lives means understanding four opposing forces, all of which bring different Cyber Risks and demand urgent management attention:

• Democratization – ‘Power to the people’ as organizations learn to work with customers via the channels they dictate.
• Consumerization – The impact of the many devices, or more importantly the apps, which span work and play in our Cyber lives.
• Externalization – The economics of the cloud, slashing Capital Expenditure and shaking up how data moves in and out of organizations.
• Digitization – The exponential connectivity created when sensors and devices form the ‘Internet of Things’.

Solving Cyber Risk for one of these trends merely raises the importance of the next in line. As with most other ‘best practices’, there are several right answers, meaning that, at best, you can optimise your organization’s environment to reduce its exposure. Thanks to these powerful forces, Cyber Risk cannot be eradicated.

This Manifesto sets out a plan to reduce, not eliminate, the real and growing risks we face as individuals, businesses and governments. Its goal is simple: to make us Cyber Resilient.

[Figure: the four forces – Democratization, Externalization, Digitization, Consumerization]
What We Know Today
Cyber makes the previously impossible, possible. Without Cyber, our lives would literally resemble the past. Consider:

• Which bank customers would give up the freedom to move money across international boundaries in milliseconds?
• What would force businesspeople back into queues for airline tickets, phone booths or to post parcels?
• Why would anyone air-freight a component which could be printed out for less?

The situation today is complex, fast-moving and potentially devastating for organizations. While just 15% of the world’s internet traffic is mobile right now, that figure is growing thanks to five billion mobile phones, a third of them internet-accessing smartphones.[1] Each day 500 million photos are shared and the average user checks their messages 23 times a day.[1]

Cyber-attacks claim 1.5 million victims every day and add up, conservatively, to $110bn of losses each year.[2] Malware (malicious software) attacks on the web increased 30% in 2012 and on mobile devices grew 139% in the same period.[3] Crucially, of the websites serving up malware, 62% were legitimate sites that had been compromised.[3]

Worried yet?

These Cyber threats will only increase, as will their sophistication. This is because older targets, such as PC operating systems, are giving way to new web-based and mobile platforms as well as social apps. Changes to what security experts call The Threat Landscape are hard to address. Without levels of security previously only seen in large enterprises, you are exposed. As we shall see, size is just one of our worries.
The Unknown Unknowns
Understanding the future enriches lives. By contrast, in the world of Cyber, unknowable intentions and unexpected consequences create chaos. It is impossible to predict all the new Cyber Threats which your organization will face – some are yet to be dreamt up.

Whether disgruntled ‘hacktivists’, Cyber criminals, Cyber terrorists or even state-sponsored Cyber armies, most have the advantage of surprise over us. Their motivations are wide-ranging, from peaceful protest to malicious intent, political gain to personal gain, or a combination of these. However, the means to create Cyber Risks at their disposal are increasing exponentially, stacking the odds against the unprepared.

More and more ready-made malware kits are made available over the Internet, paid for with virtual currencies far from prying eyes. The ‘Black Economy’ of Cyber is thriving and there really is honour amongst thieves. Their Centres of Excellence, hidden behind very secure protection, are where they can outlearn all but the most knowledgeable of security experts. There they can share data stolen without the knowledge of their victims, the original owners. For a price, they share their secrets with other Cyber conmen. Your law-abiding organization is unlikely to receive a backstage pass.

Unlike in the natural world, being a small fish in a big pond does not help a victim. In fact it makes things worse, with 31% of Cyber-attacks affecting organizations with just 1 to 250 employees.[2] While large enterprises are well used to Cyber Threats, their smaller suppliers are much more attractive to those with bad intentions. Infiltrating a major company’s supply chain is best achieved from below, rather than above.
The Human Factor
While 84% of data breaches take hours or less to complete, discovering them takes months in 66% of cases, and containment takes months or years for 22% of us.[4] Why is this?

You might think the difference between a Cyber-Resilient organization and the ones open to exploitation is better computers, software or faster telecommunications. Sadly, it is almost never the case. It may well be necessary to have the very best technology you can get to secure your organization. However, necessary may not be sufficient. Newer, faster, shinier pieces of kit in isolation seldom save the day.

The weakest link in Cyber Security is the person reading this manifesto – You and I.

IT is the beating heart of all modern organizational processes, reaching into every department, and IT has traditionally been responsible for Cyber Security. However, its former role as the lead purchaser of technology is fast changing to one of trusted adviser. Recent research has shown 14% of cloud storage, 13% of social media and 11% of office productivity software is purchased without the IT department’s knowledge.[5]

Gartner data shows the movement of IT budget away from its traditional ‘owners’ to other departments is already well under way. The marketing department is a front-runner and due to outspend the IT department on technology by 2017.[6] All of this means the human element of Cyber Risk is likely to be highest within your organization but outside the IT department.

Today, concentrating Cyber Security knowledge solely within the IT department is not business as usual, but just a way to add Cyber Risk to your organization. To err is human, so why keep the burden of Cyber Resilience solely within one (IT) department? It’s high time to move to a security culture which is all-inclusive.

[Figure: 84% of initial compromises take hours or less; 66% of breaches are not discovered for months; 22% of breaches take months or longer to contain]
Risk 1 Businesses Are Small Compared to the Threat
Globally, few organizations have the resources to stay on top of all the Cyber threats a highly-motivated team can mount. Even multinational organizations can only employ relatively small teams. The bad guys are also smart guys. They learnt long ago how to collaborate by forming virtual teams across national boundaries for mutual benefit. They sell their tricks to each other and trade stolen identities to defeat security systems mostly built for a pre-Cyber, pre-mobile and even pre-Web, nation-based set of risks.

Cyber attacks themselves remain comparatively unsophisticated, but scale alone is not the issue. Most organizations already have the basics of Cyber Security right, and this limits to 10% the proportion of Cyber attacks which could be carried out by the average user. It is the next level which is hard, because 78% of attacks use only the ‘basic’ resources available online, with no customization.[4]

One issue could be approach. The natural reaction of a traditional security professional is to buy more security tools, but such piecemeal approaches fail at scale. It would be better to get fuller visibility into where the organization is today and react accordingly.

In the future Cyber Attackers will likely have even more to aim at. The drive for efficiency means linking ever more systems together: smart meters to manage energy use, sensors to control production lines and RFID tags to track shipments. The largest users of Cyber are no longer the IT department, nor are they even human.

With threats global in their nature, only a privileged few organizations, mostly in the defence sector, can spend all their time fighting Cyber wars. The rest of us still have the day job, be it sorting out insurance claims, selling shoes or servicing cars. We have to spend wisely to become more Cyber Resilient. What chance then for the smaller guys? The answer for security professionals is to ‘club together’, just as their attackers have already done. Pooled resources and shared knowledge about the severity of threats could even up the fight.
Risk 2 Fighting yesterday’s battles loses the war
As Cyber Risks have become more subtle, personalized and distributed, detecting them has become increasingly hard. So hard, it would be a brave person who would claim any IT systems connected to the Internet (virtually all commercial systems) were impregnable.

Historically, ‘walls of steel’ have a bad record – human intelligence bypasses them. Today’s smarter Cyber threats are seldom full frontal assaults but are more personalized and attack many vulnerabilities simultaneously, making them more devastating.

Their payloads, whether arriving by web, email or mobile, wait patiently and silently as resident botnets on infected systems and can then awake from their slumber on command – even after the infection was detected and the ‘door has been shut’. Yesterday’s thinking on Cyber Security is of limited value.

Given this fiendish game of cat and mouse, the best strategy is not the isolated removal of threats, but a slow, determined and ongoing process of Cyber Resilience. Cyber Resilience accepts there is no silver bullet, no cure for the common cold and certainly no cavalry coming over the hill. It counsels that the best offense is a considered defense. Its objective is to create an uneven playing field, where accessing your systems is tougher and less profitable than accessing others’.

With better information come better decisions. After all, taking no risks can be just as risky a decision in today’s business environment. Having a clearer view of the threats your organization faces is the best way to build up your Cyber Resilience.
Risk 3 Ignoring the role of Employees
Employees are often cited as the greatest asset an organization has. The reality is they can also be the greatest liability from a security point of view. Identity theft and the physical theft of unprotected devices, often encouraged by today’s generous BYOD policies, greatly complicate matters.

Where once security was the sole responsibility of IT professionals, today it cannot be left to them alone. One person’s ‘Shadow IT’, or non-sanctioned technology spending, is another’s fast track to innovation. Aggressively cracking down on what others regard as productivity tools is a sure way for IT professionals to remove themselves from future discussions – we already discussed yesterday’s battles.

Employee attitudes do need to change a little too. Surveys show 53% of employees believe it is OK to take corporate data because ‘It doesn’t harm the company’.[7] But is that their call?

Surely it is better to empower non-technical employees and reduce non-intentional malpractice. This will give them the knowledge to increase the organization’s Cyber Resilience through their technology decisions and the processes they enforce. This matters when such behaviour accounts for 35% of all data breaches and, unsurprisingly, such immorality spikes steeply as individuals prepare to exit companies.[8]

Far from being an abdication of responsibility by IT, here is a chance to convert IT expertise into competitive advantage. There is a new deal to be struck between non-IT professionals and their more technical IT colleagues, showing them how Cyber Resilience can increase their organization’s potential. In Cyber, ignorance is not bliss – it’s a communication and an organizational challenge. In other words, an untapped commercial opportunity.
How To Become Cyber Resilient 1
Understand where your organization stands
A well-known management saying is that you cannot manage what you cannot measure. However, most Cyber attacks are unnoticed, let alone measured, as are the risks they pose.[4] How can we then assess how at risk we are?

The answer hated by schoolchildren, loved by quality organizations globally, is external assessment. More precisely, for organizations at risk of Cyber attack, a comprehensive Cyber Assessment of people, processes and products is essential. Honesty, boring as it may be to some, is the start of the journey to Cyber Resilience.

Of course, an independent audit of vulnerabilities, baselining the technology and processes in use in your organization, is a good start. But this is just a start to the journey. How about a benchmark to relate your score to that of your peers? How about some practical recommendations based on a gap analysis of where you are and where you want to be? Now IT is becoming genuinely strategic.

Armed with such information, the path to Cyber Resilience becomes clearer. Better still, those Unknown Unknowns we mentioned start to become visible action items, not just for the IT department but across the entire organization. Such insights then become your unfair advantage.

Even though Cyber Resilience does not equal immunity from Cyber-attack, the very point of Cyber Resilience is to make your organization’s vulnerabilities less appealing to attack. But only once there is a baseline and a corporate-wide goal can you prioritize and start work on the toughest Cyber issues facing your organization first.
How To Become Cyber Resilient 2
Coaching your colleagues, ALL of them

Once upon a time a small number of people were responsible for IT. This worked well when computers were locked up in rooms by computer scientists. Now critical confidential data is walking around in employees’ pockets and sometimes the pockets of your organization’s partners and their partners and so on…

Things have changed. For one, your Unknown Unknowns mean the genie is out of the bottle. Best practices for on-premise Cyber Security can only protect your organization to the extent that the weakest, least secure member of your team, or extended supply chain, practices them.

So while you may do a fine job writing and even enforcing password policies or locking down devices and complying with ISO standards, this will not make you Cyber Resilient unless you can ensure similar standards are maintained by everyone from your contract cleaners to your auditors, your external caterers to your lawyers.

Secondly, as we have seen, analysts predict non-IT staff will shortly spend more on technology than those with ‘IT’, let alone those with ‘IT Security’, in their job titles. So it’s time to think outside of the box, outside of the IT department, outside of job descriptions and outside of your organizational boundaries. Thirdly, while you may have spent a career in IT, it is unlikely your experience to date has prepared you for the role Cyber is assuming in our lives today.

While you are struggling to benchmark which Cyber Risks you are exposed to and where to start the journey to Cyber Resilience, for some an even tougher challenge looms: dropping the tech-speak.

Reaching out to colleagues is crucial, but you will fail without one simple skill: the ability to unlearn decades of IT and IT Security jargon. It is not only unnecessary, it weakens your point. Truly, jargon is the enemy of Cyber Resilience.
How To Become Cyber Resilient 3
Make Cyber Resilience your competitive advantage

As we have seen, working alone on Cyber Resilience is a futile exercise. Cyber Risk comes from unseen and clever enemies, made up of cells who can form, dissolve and reform fluidly. Matching this ability is neither practical nor desirable and besides, who would do your day job?

Philosophers tell us “Those who do not learn lessons from the errors of the past will repeat them”. But you are not alone. There is strength in numbers in Cyber. Why suffer while your organization decides which Cyber Resilience strategy to get on board with? It is much smarter to join up with others who share the same beliefs as your organization, pooling intelligence and developing strategies.

Your skillset makes you ideally placed to help your organization become more Cyber Resilient. Some would say this is the only strategy which can succeed given the constant nature of the threat. Imagine a nerve centre of Cyber Intelligence, like a highly stimulated virtual brain, pulling together billions of small observations from the Cyber issues facing many thousands of organizations and millions of users, to create a clear overview of the Cyber threats faced by your organization.

Compare that future role, one at the heart of a Cyber Resilient organization out-performing its competition, with today’s view of IT as who to blame when things go wrong. This is not to say the basics are unimportant; the information from existing security controls really matters.

IT’s new role is as the Centre of Excellence for Cyber Risk assessment, providing new signposts for executive leaders to gauge their organization’s Cyber Resilience. Cyber Risk transcends IT, departmental and even national boundaries. Cyber Resilience is a team sport played by leaders. Like you. Catch the train now, it is ready to depart.
Conclusion
The results of the move to Cyber are already impressive and we have only just begun. Amazingly, this progress only requires the ability to send and receive data securely. Unfortunately this is a complex technological feat and, as Arthur C. Clarke, a futurist and writer, said, “Any sufficiently advanced technology is indistinguishable from magic”.

Cyber is too important to be just ‘magic’. On a personal level, Cyber Risks question our identity and our privacy. On a global level, Cyber Risks threaten the stability of our government and banking systems. Cyber needs to be understandable by business and public organisation leaders in the same way as power, water, talent and other vital real-world inputs. Today it is not treated this way.

No top-down edict will succeed. Cyber is too fast moving. Only a grass roots movement, informed but flexible, has a prayer of success. IT professionals have a critical role here, but only if they can:

1. Effectively baseline where their organization’s Cyber Resilience is today, faster and with more rigour than previously.
2. Make their people part of Cyber Resilience. Educate everyone in their organization’s supply chain to balance the innovation they want with the Cyber Resilience they need.
3. Use Cyber Resilience for long-term strategic competitive advantage in their organization.

Hopefully the ‘idea grenades’ lobbed in this Manifesto will start the chain reaction your organization needs to get to Cyber Resilience. If it has, you might want to join up with the experts at Symantec, whose Cyber Assessment, security products and services are helping millions of users, and thousands of Chief Executives, to make their organizations Cyber Resilient.
[Closing diagram labels: Cyber Resilience, Define, Cyber Baseline, BYOD, Cloud, IT, Business, Supply Chain, Today, On Premise, Core IP, Educated Workforce, Future, Supply Chain, Cloud, Outsourced, Transition, Tomorrow, Cyber Threats, Impact, Evolution, Legacy Approach, Strategic Resilience]