Cyber threats are real. And the cyber threat level is uncomfortably high, especially when compared to vulnerabilities in people, process, and technology. High? Yes, but more or less stable too, as threats primarily show evolution, not revolution. Due to monitoring and research, we're gaining more and more insight into the threat landscape and how it evolves.

Despite this insight, however, in most organizations the growing dependence on Information and Communications Technology (ICT) is not yet met by a matching level of cyber resilience. This means that if incidents happen, they cause damage to the organization, its clients, stakeholders, or all three.

In April 2013, the Netherlands was hit by numerous Denial of Service attacks on websites of banks, airlines, and even the government (including the central e-authentication system DigiD). These attacks clearly demonstrated the threat and the necessity of adequate response measures. But that's not all: they also pointed to the very real need to ensure an organization can actually use the countermeasures it has invested in. Now, it has become more difficult to deny that cyber threats are real.

The key question is not how cyber security should prohibit use of ICT because, in general, the benefits of digital transformation are far too attractive. So the key question should be: how can we offer valuable digital services securely while at the same time maintaining regard for privacy?

This is likely to mean that additional security functionality should be added to ICT projects. Why? To safeguard availability, integrity, and confidentiality of data and functionalities. Yes, we're talking about security and privacy by design. So far, such requirements seldom make it into the plans and business cases, although there's no doubt they should be in

So what is the consequence of not incorporating security in the business case from the start? During a period in which budgets are being squeezed hard, the main consequence may well be a bitter pill to swallow. It is that the costs will come later and they will potentially be multiplied and

Think about the costs of response, repair, and reputation after successful DDoS attacks on your retail or e-government website. Being penny-wise and pound-foolish by not investing in cyber security and then absorbing an even bigger long-term cost is not the way forward. It is time to make cyber resilience part of every best-practice business case; I cannot see it any other

a comment or opinion on this post? Let us know @Microsoft_Gov.