Cyber security, today, is often very technology-based with a focus on technical issues such as firewalls and virus scanning software.
While technology is an important part of cyber defence, it is important not to neglect strategy when identifying what controls an organization needs with regard to cyber security. Neglecting strategy can also mean omitting the design phase of cyber security, with the result that many organizations ignore human resource controls, even though the facts show that more than 90% of cyber incidents are employee-related! Clearly, cyber resilience requires a more holistic approach than just taking an IT-based perspective.
RESILIA Foundation course - what is it and who is this good for?
As an antidote to the prevailing types of cyber security learning, AXELOS’ RESILIA Foundation course provides people with an overview of cyber security and cyber resilience. It also identifies a lifecycle within which organizations can implement cyber resilience. This includes a structure that helps avoid the pitfalls of immediately turning to technology, without thinking about whether that technology will address any real or perceived cyber security problem.
It also gives organizations a risk management framework, if they don’t have that already, which provides an introduction to risk management from a cyber security point of view.
So, by way of demonstrating some of the areas and issues that RESILIA Foundation addresses, we’re going to look at some example questions from the exam. This will be useful for people already studying or planning to study RESILIA, but will also offer some wider learning points for anyone tasked with responsibility for their organization’s cyber resilience.
EXAMPLE QUESTION: Which is a stakeholder category for a cyber resilience strategy?
For this question, the multiple choice answer options are:
(a) Insurance underwriters
(b) Security standards bodies
(c) Target customer markets
(d) Legal and regulatory authorities
The right response is (d), but why?
Every business has to operate within the law and therefore needs to demonstrate to the legal and regulatory authorities that it has a cyber resilience strategy, which means having a clear approach to protecting important and sensitive information. Any organization handling public data, including personal details of individuals, needs to hold that data securely. While legal and regulatory bodies will take an interest in all organizations, some are subject to greater oversight than others, such as banks and financial services businesses.
Going back to the other answer options, all three are related to cyber resilience but are not stakeholder categories.
- Security standards bodies provide standards that might be helpful to you, and certain target customer markets might have a specific requirement for cyber security (e.g. the nuclear industry or defence industry clients), but neither is a stakeholder group for a cyber resilience strategy.
- The same goes for insurance underwriters, even though a company may choose to transfer risk to an insurance company via a cyber insurance policy.
- You should be aware of the requirements of potential customers (who are stakeholders) in different target customer markets, but the markets themselves aren't stakeholders.
Read Matt's previous AXELOS blog post, A culture of success: the thread that links PRINCE2 Agile, RESILIA and ITIL Practitioner.
Read Matt Trigg's other RESILIA Foundation Examination Questions blogs:
- RESILIA™ exam questions: Part Two
- RESILIA™ exam questions: Part Three - Protective controls