{"id":81437,"date":"2018-04-04T09:00:35","date_gmt":"2018-04-04T16:00:35","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=81437"},"modified":"2023-09-26T09:12:54","modified_gmt":"2023-09-26T16:12:54","slug":"announcing-new-british-standard-for-cyber-risk-and-resilience","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/04\/04\/announcing-new-british-standard-for-cyber-risk-and-resilience\/","title":{"rendered":"Announcing: new British Standard for cyber risk and resilience"},"content":{"rendered":"

Technology is an integral part of the fabric of everyday life; almost no organization can survive without relying on digital services in some way. The opportunity that technology provides also brings more vulnerabilities and threats as organizations and data become more connected and more available. That combination has exposed a common gap in the decision-making process at large organizations: information security and cybersecurity have often been viewed as a function of IT, so information security departments have been managed outside normal business decision-making processes. This is an approach we no longer have the luxury of indulging.

Organizations need a holistic approach to digital transformation projects that safeguards their security, focusing on both the opportunity and the threat of any change. To do this effectively, accountability for cyber risk and resilience needs to sit firmly with executive management and the governing body. However, a skills gap exists at this level, with many governing body members having started their careers before the internet era. Even when willing to take responsibility for building a cyber resilient organization, senior executives are often confused by the technical language that risk management and cybersecurity professionals speak. Boards should also be encouraged to have cybersecurity professionals speak to them directly. Therefore, we need to equip board members with the tools to ask the right questions and to set appropriate levels of risk so that they can build cyber resilient organizations.

That is why, nearly two years ago, the BSI Risk Management Committee started working to develop new guidance aimed at helping executive leadership better understand and manage the technology risks to their organizations. I was asked to lead a group of government executives, regulators, professional bodies and technical experts with the goal of directly addressing the realities and challenges of managing cyber risk in a digital world. This work led us to draft the new British Standard BS31111. The standard aims to provide guidance to enterprise organizations on cyber risk and resilience, and to address the gap in IT decision making described above.

The standard includes:

1. Parameters for building concrete guidelines into governing bodies
2. Identification of the areas of focus an organization should have in order to build a cyber resilient enterprise
3. Assessment questions management can ask to challenge the organization on how it is building cyber resilience into the business

Cyber risk and resilience need to be driven from the top of the organization to ensure that the right culture is set across all business decision making. Executive management must ensure that there is a clear risk and resilience strategy across the organization, and that a strong management structure is in place that details the responsibilities and expectations of everyone in maintaining security. As Microsoft’s own CEO Satya Nadella has said, “Cybersecurity is like going to the gym. You can’t get better by watching others, you’ve got to get there every day.” Satya’s comment underlines the reasoning behind this standard: cyber resilience must be built into day to day operations, not treated as a standalone project or program.

Engaging with risk management and cyber resilience principles can be complicated, and it is easy to get bogged down in technical jargon. To help, we created a visual (figure 1) that illustrates the areas required to develop cyber resilience and the key responsibilities of the board.

    \"\"<\/p>\n

    Source:BS3111:2018 Figure 1<\/em><\/p>\n

Key tenets: