Cyber security and cyber resilience are hot topics. Driven by the growing importance of, and dependency upon, information technology, and fuelled by high-profile, highly damaging security breaches, they are making news headlines. In the latest IT Trends study by the Society for Information Management, cyber security scores number 1 on the list of CIO worries.
The latest cybersecurity findings from Cisco also reveal that attackers are shifting their emphasis from ‘…seeking to compromise servers and operating systems to seeking to exploit users’.
In this simulation game: “The owner of the Bank of Tokyo has decided to exhibit three world-renowned objects: the ‘Star of Africa’, the ‘Jewish Bride’ and a ‘Bugatti 59’. The challenge for the team is to bring the objects to Tokyo, on time, safely and securely, and to have them exhibited. However, there are rumors that Ocean’s 99, a criminal organization, wants to steal the objects…” In the game the various stakeholders make use of information systems for planning, for managing, for transporting, for monitoring the objects and for booking and selling tickets, so there are many opportunities for Ocean’s 99 to exploit vulnerabilities.
During game preparation the delegates must design a security policy and strategy, perform a risk assessment and invest in security countermeasures. Then the game starts and the objects must be transported to Tokyo. Are the countermeasures good enough to prevent Ocean’s 99 from attacking? If an attack occurs, how quickly can the team detect and respond to it?
In the simulation game, the delegates were confronted with numerous threats and attempts to gain access to information so that Ocean’s 99 could steal the objects. The team had to apply best practices and ensure that everybody maintained security discipline.
Reflections from the cyber security simulation:
- An IT security strategy MUST be part of the business strategy. This requires business engagement, involvement, alignment and ultimately convergence of strategies; business-first strategy – focus on business goals; the big picture MUST be kept in mind at all times and at all stages; make a clear connection between the company’s goals and IT security to gain resources for investing in and protecting key assets. (9)
- Critical assets must be identified (and agreed) with the business; identify the real “crown jewels”, not the commonly ‘assumed’ ones, and this MUST be agreed with the business owners.
- Involve the board from the beginning, and in every step (policy, risk, strategy); there is no success without business commitment; have ALL important business roles in the discussion or you can forget about it (you are only as strong as the weakest link).
- Lack of leadership leads to chaos (clearly defined roles and responsibilities are needed for both business & IT in terms of cyber security, NOT just IT). Having leaders and managers involved doesn’t mean success – it is engagement, involvement and commitment from ALL, with clearly defined responsibilities for EACH person in cybersecurity.
- The simulation should be training for all employees involved in security; today’s simulation showed how 11 different voices were translated into 1 coherent strategy, addressing business needs and threats; the simulation helped us look at the problem from different perspectives – different teams, different stakeholders, including the business.
- It was a very valuable way of learning and experiencing; a great way to observe how people behave and interact; an interesting experience – direct cooperation of key stakeholders and the ability to assess current capabilities.
- To convince the business to invest in security solutions we must make the business case very carefully, in relation to the critical assets and business impact, not IT terms and IT impact; find the right balance between IT ‘asset’ protection (general) and business ‘asset’ protection (specific), agreed with the business.
- IT needs to play the role of ‘glue’ in the cyber security area (linking technology components to critical assets and risk-mitigation countermeasures); IT must become a facilitator of dialogue with the business; leadership/facilitation is a critical success factor; use an external facilitator for the dialogue between IT and the business (if IT maturity or the relationship isn’t aligned).
Finally, delegates were asked, “Would this type of event help you gain senior management commitment to cyber security?” 70% agreed it would; however, 30% thought not, either because top managers were already engaged or because ‘senior management has delegated this’. As can be seen in recent scandals, board room awareness and commitment is critical. It is not something that can be delegated away. EVERYBODY has a responsibility for cybersecurity and resilience.
100% of the delegates found that the use of a simulation is a powerful way of bringing people together (across the delivery chain) to create awareness. It clearly shows the importance of roles and responsibilities; it allows people to see, feel and experience from different perspectives – such as business & IT, management and operational; it clearly demonstrates the need for a holistic approach (People, Process, Product, Partner); and it shows the need for balancing opportunity against risks – which is why senior commitment is mandatory in helping shape policy and influence priorities and decision making.
So what has been your experience of creating a comprehensive cyber security strategy and obtaining the desired benefits? Reach us at firstname.lastname@example.org if you want to play the Oceans99 Simulation with your teams.