Each critical infrastructure and vital service represents a unique instance of a complex socio-technical-economic system. Resilience in complex systems is an emergent behaviour that arises from interactions between components and cannot easily be predicted from understanding each component in isolation. Yet cybersecurity practice and maturity models still focus on the robustness of separate components: organizational units, firms, or IT applications. This fundamental mismatch between theory and tools is among the causes of pervasive cyber insecurity. We introduce a sectoral capability maturity model to enable comprehensive improvement of systemic resilience. The Promoting Global Cyber Resilience for Sectors cyber-capability maturity model incorporates the science of complex systems, cybersecurity frameworks, and two decades of CIP operations experience. The model was successfully applied in resilience assessment projects in a dozen countries. Real-life experience highlights the benefits of the sectoral approach to cyber resilience: creating feedback loops within the sector, integrating supply chain and third-party risks, facilitating information flows between stakeholders, enabling cooperation with and among ministries, departments and other authorities, and weighing in the links and processes between actors on cybersecurity issues. The established value of the sectoral approach calls for applications that will improve the resilience of essential services while lowering sector-wide cybersecurity expenditures.