Is cyber resilience part of your business case yet?

28 August 2013 | Patrick de Graaf , Senior Consultant, Capgemini Consulting

Cyber threats are real. And the cyber threat level is uncomfortably high, especially when compared to vulnerabilities in people, process, and technology. High? Yes, but more or less stable too, as threats primarily show evolution, not revolution. Due to monitoring and research, we’re gaining more and more insight into the threat landscape and how it evolves.

Despite this insight, however, in most organizations the growing dependence on Information and Communications Technology (ICT) is not yet met by a matching level of cyber resilience. This means that if incidents happen, they cause damage to the organization, its clients, stakeholders, or all three.

In April 2013, the Netherlands was hit by numerous Denial of Service attacks on websites of banks, airlines, and even the government (including the central e-authentication system DigiD). These attacks clearly demonstrated the threat and the necessity of adequate response measures. But that’s not all: they also pointed to the very real need to ensure an organization can use the counter measures it has invested in. Now, it has become more difficult to deny that cyber threats are real.

The key question is not how cyber security should prohibit use of ICT because, in general, the benefits of digital transformation are far too attractive. So the key question should be: how can we offer valuable digital services securely while at the same time maintaining regard for privacy?

This is likely to mean that additional security functionality should be added to ICT projects. Why? To safeguard availability, integrity, and confidentiality of data and functionalities. Yes, we’re talking about security and privacy by design. So far, such requirements seldom make it into the plans and business cases, although there’s no doubt they should be in there.

So what is the consequence of not incorporating security in the business case from the start? During a period in which budgets are being squeezed hard, the main consequence may well be a bitter pill to swallow. It is that the costs will come later and they will potentially be multiplied and uncontrollable.

Think about the costs of response, repair, and reputation after successful DDOS attacks on your retail or e-government website. Being pennywise and pound foolish by not investing in cyber security and then absorbing an even bigger long-term cost is not the way forward. It is time to make cyber resilience part of every best practice business case; I cannot see it any other way.

Have a comment or opinion on this post? Let us know @Microsoft_Gov. Or e-mail us at

Patrick de Graaf
Senior Consultant, Capgemini Consulting