Late last year, the UK government announced its National Cyber Strategy for 2022, a wide-ranging plan that intends to ensure “a more secure and resilient nation, better prepared for evolving threats and risks.”
While some consider the plan “bullish,” the strategy is a remarkable and thoughtful blueprint for cyber resilience that governments and organizations worldwide can learn from.
Let’s look at the five pillars that the UK government intends to achieve by 2025 and how others can learn from the UK’s approach.
The UK has already made significant strides to increase its cyber workforce and encourage cyber talent. This pillar takes that strategy a step further by investing in people, skills, and deepening the partnerships between the government, academia, and industry.
Notably, the UK government stresses that cyber resilience must be built on a self-sustaining model that isn’t dependent on government intervention. In light of this, the country will transition from funding a range of largely bespoke and centrally-managed skills and innovation programs to a more sustainable, systemic, and regional approach – based on “cyber clusters” and “resilience centers” across the UK.
It will also reform the skills and education systems needed to support and inspire more people to pursue a cyber career and bring together industry, academics, law enforcement, and more to support the cyber ecosystem, how cyber is taught in schools, and more.
Until now, the UK’s approach to cyber resilience has hinged on legislation and the establishment of a National Cyber Security Centre (NCSC), a resource for cybersecurity advice, guidance, tools, and incident response for the public sector, industry, SMEs, and the public. Yet, despite these measures, increased digitization and a growing attack surface mean that gaps in the nation’s cyber resiliency remain.
With its new strategy, the UK government recognizes that a holistic, whole-of-society endeavor is needed to achieve national cyber resilience. While the government has a role to play, the strategy stresses that “...what happens in the boardroom or the classroom matters as much to our national cyber power as the actions of technical experts and government officials...”
To build a more resilient UK, the government will publish guidance on effective risk management processes across the public and private sector, including more comprehensive monitoring of systems, networks, and services. Per the plan, operators of critical national infrastructure must also assume a more sophisticated understanding of cyber risk and manage that risk more proactively.
In addition, the government proposes improvements to corporate reporting of resilience to risks, including cyber threats. This will give investors and shareholders better insight into how companies are managing and mitigating material risks to their business.
Finally, this pillar emphasizes the deepening globalization of supply chains and the imperative of mitigating supply chain risk.
A key objective of the UK cyber resilience strategy is to pursue strategic advancements through technology and data.
Led by the NCSC, the UK plans to identify areas of technology critical to cyber resilience, invest in research and development, and encourage trustworthy and diverse supply chains. The UK government will also take steps to exploit and protect the growing volume of data generated by and driving innovation in emerging technologies.
Ransomware attacks have been rising at an alarming rate — with victims ranging from one of the largest fuel suppliers in the United States to Ireland’s Department of Health. Download our ebook to learn more about:
The UK is already one of the top three global exporters of cyber solutions and expertise and plans to take a more activist role in promoting its interests and values in cyberspace. This includes strengthening the cybersecurity resilience of its international partners, increasing collective action to disrupt and deter adversaries, develop and implement international governance standards, and support export opportunities of UK-developed cybersecurity solutions.
To address the growing sophistication of cyber threats and the alarming ransomware trend, the UK will use a full range of levers to impose costs on its adversaries, pursue and disrupt perpetrators, and deter future attacks. This multi-faceted approach includes bolstering the UK’s ability to conduct offensive operations against antagonists, investing in law enforcement to prevent and detect serious cyber criminals, and stepping up data sharing across government.
The primary force of each of these pillars is cyber resilience. And the best way to do that? Take a more proactive, data-driven approach to understanding the risks that the public and private sector face. Only then can leaders, executives, and security professionals make informed decisions about what action to take. Indeed, the UK strategy stresses the power of threat insight based on “objectively-measurable standards, evidence and data and moving from gathering to acting on that data.”
Bitsight is on a mission to enable these insights and can help UK organizations meet the requirements outlined in the UK cyber resilience strategy. Through our solutions, we provide data-driven measurement and understanding of organizational cybersecurity performance derived from objective, verified data sets that enables security teams to rapidly identify, quantify and reduce risk exposure.
For instance, organizations and critical infrastructure operators can use Bitsight’s powerful data and analytics platform to check one of the key boxes outlined in the UK cyber resilience strategy—comprehensive monitoring. The Bitsight platform continuously and automatically monitors an organization’s digital environment for risk, including the vulnerabilities and gaps in security controls that threat actors exploit.
They can also leverage Bitsight’s reporting tools to clearly communicate the organization’s security performance and cyber resilience in terms executives, investors, and shareholders easily understand—increasing transparency into security performance and uniting the boardroom and C-suite to make effective cybersecurity decisions.
Furthermore, Bitsight reveals hidden risk in the supply chain making it easy to reduce the risk posed by third and fourth parties. With Bitsight’s risk management tools, organizations get an immediate, near real-time view of each third-party’s overall security posture—eliminating the need for costly, time-consuming assessments during onboarding and for the life of those relationships.
Backed by £2.6 billion in funding, the National Cyber Strategy is now UK policy, but the document also forms a remarkable blueprint for cyber resilience for organizations around the world.
It’s vital that security leaders shift their focus from prevention to resilience in order to empower their organizations to build stronger cybersecurity programs, protect their assets and reputation, and thrive in this new paradigm.
Indeed, each of the cyber resilience approaches outlined above is a necessity for any cybersecurity program. Combined, they help organizations take a more proactive approach to risk management and build a program based on a data-backed view of entire network performance. Only with this insight can organizations (and nations) get their arms around the challenge of becoming confident, capable, and resilient in today’s fast-moving digital world.