Cybertech Global TLV | EIS President on Building Cyber Resilience
Paul Williams, the President of the UK’s Electric Infrastructure Security Council, spoke about the crucial need for a mind shift
Mandi Kogosowski
| 09/04/2024
Photo: Gilad Kavalerchik
“Cyber is a dynamic and intelligent threat, unlike most operational risks firms may face, and this is important when discussing what can be done. Cyber is wrongly perceived as exclusively technical – but it’s actually a business problem, and quite often this gets missed,” said Paul Williams, the President of the UK’s Electric Infrastructure Security Council (EIS).
Speaking on the main Cybertech Global stage this afternoon (Tuesday), Williams shared insights from his 35-year career, noting that “From my experience, most firms are woefully underprepared for cyber-attacks. Most firms are very complex organizations, built through M&As, with integrated technological infrastructure – horribly complicated and highly interdependent, which increases the risk and fragility of the organization. For most financial service firms, there’s little they can do about the threat – they can do most about vulnerability detection and mediation.
“When you manage a cyber incident, you have to manage both the technical impacts and business consequences,” Williams added. “When a cyber incident occurs, there are many questions concerning the what, who, why, where, and when. Tough decisions during the recovery process such as evidence preservation versus business recovery.
Williams noted that resilience is “the ability to absorb a shock, not to contribute to it, adding that “You can’t get to resilience with a focus on risk management, which has a probability of 1 – not if an attack will happen, but when. The key to building resilience is moving the mindset beyond risk management to acknowledge that bad things will happen.
“The question should be “Do we have sufficient resilience for what we need?” This will prompt the organization to think about what is really needed, and what the organization cares most about.”
Regarding important actions that need to be taken, Williams noted governance, education and exercising, scenario testing, collective action, and information sharing.
Paul Williams, the President of the UK’s Electric Infrastructure Security Council, spoke about the crucial need for a mind shift
Photo: Gilad Kavalerchik
“Cyber is a dynamic and intelligent threat, unlike most operational risks firms may face, and this is important when discussing what can be done. Cyber is wrongly perceived as exclusively technical – but it’s actually a business problem, and quite often this gets missed,” said Paul Williams, the President of the UK’s Electric Infrastructure Security Council (EIS).
Speaking on the main Cybertech Global stage this afternoon (Tuesday), Williams shared insights from his 35-year career, noting that “From my experience, most firms are woefully underprepared for cyber-attacks. Most firms are very complex organizations, built through M&As, with integrated technological infrastructure – horribly complicated and highly interdependent, which increases the risk and fragility of the organization. For most financial service firms, there’s little they can do about the threat – they can do most about vulnerability detection and mediation.
“When you manage a cyber incident, you have to manage both the technical impacts and business consequences,” Williams added. “When a cyber incident occurs, there are many questions concerning the what, who, why, where, and when. Tough decisions during the recovery process such as evidence preservation versus business recovery.
Williams noted that resilience is “the ability to absorb a shock, not to contribute to it, adding that “You can’t get to resilience with a focus on risk management, which has a probability of 1 – not if an attack will happen, but when. The key to building resilience is moving the mindset beyond risk management to acknowledge that bad things will happen.
“The question should be “Do we have sufficient resilience for what we need?” This will prompt the organization to think about what is really needed, and what the organization cares most about.”
Regarding important actions that need to be taken, Williams noted governance, education and exercising, scenario testing, collective action, and information sharing.
