Abstract:
Governments and businesses recognise that absolute cyber security is neither possible nor practical. In the public sector the risks are in part addressed by the adoption of compensating controls that align with various protective marking schemes. The nations which have adopted these controls have also developed resilience strategies, in some cases for nearly a decade [1] [2] [3] [4] [5], both at a national, and increasingly a local government level [6], to help outline expectations of the public and private sector outside of these protective marking schemes.
resilience (noun): The quality or fact of being able to recover quickly or easily from, or resist being affected by, a misfortune, shock, illness, etc.; robustness; adaptability. (Oxford English Dictionary)
More recently we have seen regulators [7] [8] [9], predominantly in financial services, also recognise that cyber security is not a binary state of being secure or insecure, but rather that incidents will happen, that they will be both internal and external in origin, and that some will be accidental and others malicious. Given how critical these organisations and their services are to the stability and competitiveness of nations, making them resilient to cyber threats is the only realistic way to address the problem. So what are the modern expectations of resilience? Broadly speaking, they are that an organisation will have credible blended countermeasures designed to stop attacks from occurring, and that when attacks aren't stopped, the impact on the organisation, its operations and its customers is minimised, while the organisation remains competitive (and, in the case of private-sector organisations, profitable).