Tarquin Follis OBE, Vice Chairman at leading cyber security provider Reliance acsn, has previously served in government for over 30 years, first in the military and then in the Foreign and Commonwealth Office. He finished his career as a senior diplomat focusing on national security policy. Here, he shares his insight on the NCSC’s 2021 Annual Review and the most important points organisations should take forward into the new year.
The NCSC has published its 2021 Annual Review and it makes interesting reading. It highlights four key observations. There should be no surprise that the first concerns the bumper year criminal gangs have enjoyed with ransomware attacks. Much has been written on this, as it has on the NCSC’s call to arms to improve the quality and quantity of our cyber skills base.
The two remaining observations are noteworthy because they have received less attention and yet are fundamental to our ability to counter the proliferation of cyber threats we face: building visibility and resilience is key; we have a collective responsibility to meet the challenge. What does this mean?
Having full visibility of our networks and systems is essential to identifying and mitigating the vulnerabilities that exist on them. But it goes further. Businesses that do not have visibility cannot understand the impact of the cyber threat to their operations, their reputation and the liabilities they own. They cannot judge their business risk and they cannot develop effective resilience. On a technical level this requires, at the very least, investment in monitoring, but it also needs buy-in from business leadership teams to comprehend cyber as an intrinsic part of their business risk. Threat intelligence that is ‘actionable’, as the NCSC points out, is vital, but most organisations struggle to understand what this is and what value it can add. Businesses should demand strategic impact of their threat intelligence: insights on threats specific to their organisation that have a key influence on how they manage their defensive posture and invest their finite resources most effectively.
Knowledge is key to any conflict. Our adversaries in the criminal world and those hostile states targeting us understand that only too well, which brings us to collective responsibility. The last year has demonstrated our dependence on complex and interdependent supply chain structures which are vulnerable to disruption. We are all impacted by cyber attacks. As a first step, making ourselves and our organisations as difficult a target as possible is logical. That means adhering to best practice, developing our online situational awareness and sharing information to enrich our understanding of the threat and to help those like the NCSC disrupt it. Not even the largest organisation can manage this challenge on its own. Collaboration and effective partnerships, harnessing the skills and expertise that brings, are critical to making ourselves resilient.