Is cyber resilience part of your business case yet?

Cyber threats are real. And the cyber threat level isuncomfortably high, especially when compared to vulnerabilities in people,process, and technology. High? Yes, but more or less stable too, as threatsprimarily show evolution, not revolution. Due to monitoringand research, we’re gaining more and more insight into the threat landscapeand how it evolves.

Despite this insight, however, in most organizations the growingdependence on Information and Communications Technology (ICT) is not yet met bya matching level of cyber resilience. This means that if incidents happen, theycause damage to the organization, its clients, stakeholders, or all three.

In April 2013, the Netherlands was hit by numerous Denial ofService attacks on websites of banks, airlines, and even the government(including the central e-authentication system DigiD). These attacks clearly demonstratedthe threat and the necessity of adequate response measures. But that’s not all:they also pointed to the very real need to ensure an organization can use thecounter measures it has invested in. Now, it has become more difficult to denythat cyber threats are real.

The key question is not how cyber security should prohibituse of ICT because, in general, the benefits of digital transformation are fartoo attractive. So the key question should be: how can we offer valuabledigital services securely while at the same time maintaining regard for privacy?

This is likely to mean that additional securityfunctionality should be added to ICT projects. Why? To safeguard availability,integrity, and confidentiality of data and functionalities. Yes, we’re talkingabout security and privacy by design. So far, such requirements seldom make itinto the plans and business cases, although there’s no doubt they should be inthere.

So what is the consequence of not incorporating security inthe business case from the start? During a period in which budgets are beingsqueezed hard, the main consequence may well be a bitter pill to swallow. It isthat the costs will come later and they will potentially be multiplied anduncontrollable.

Think about the costs of response, repair, and reputationafter successful DDOS attacks on your retail or e-government website. Beingpennywise and pound foolish by not investing in cyber security and then absorbingan even bigger long-term cost is not the way forward. It is time to make cyberresilience part of every best practice business case; I cannot see it any otherway.

Havea comment or opinion on this post? Let us know @Microsoft_Gov. Or e-mail us at

Patrick de Graaf
Senior Consultant, Capgemini Consulting

About the Author

Patrick de Graaf | Senior Consultant, Capgemini Consulting

Patrick works with clients on strategic cyber security issues including strategy and policy, organization and security awareness. Read More