Cyber exercise case study: Customer assurance
Suppliers are increasingly having to demonstrate evidence of their cyber security measures to their customers. This is a growing trend and will be an unwelcome additional cost of doing business. However it is also an opportunity for suppliers to differentiate themselves on their cyber security by being able to show they present less risk to their customers. This will allow them to maintain and increase market share while potentially also increasing their margins to account for the additional value they offer to their customers.
Cyber exercises provide a quick and effective way of providing this evidence. They allow suppliers to demonstrate how they would handle a cyber incident and how this would impact on their customers. By focusing on the impact of an incident they provide more usable information than cyber security surveys typically provide. They also allow a supplier to evidence their progress in improving their cyber security and so demonstrate their commitment to their customers.
Cyber exercises have been used by the military for some time. However, they are a relatively new concept in the private sector. To help explain how they work and how they can add value, this case study will consider how a fictional company could use them to demonstrate to their customers that they are prepared for a cyber incident. This is primarily aimed at companies engaged in business-to-business trade.
Example Ltd manufacture components in the automotive sector. They have a number of customers and are increasingly being asked by them to provide evidence of their cyber security measures. This has become a growing trend in recent years and, while currently these are just requests, Example Ltd expect them to become mandatory requirements in the coming years.
Example Ltd’s leadership have identified this change in the market as an opportunity. They intend to gain additional market share by meeting this requirement ahead of their competitors. They are therefore looking for ways of demonstrating their cyber security to their customers.
They have considered a number of ways to achieve this. Options include gaining accreditation, such as ISO 27001 or Cyber Essentials, or commissioning pentests or red team services. They see a high-level accreditation such as ISO 27001 as a long-term goal but want to demonstrate their cyber security more quickly. They recognise the value of standards but are concerned that they may just become a tick-box exercise within their organisation and will not reflect the reality of managing a real incident.
They have considered pentests but feel they don’t properly test the people and processes that use the IT infrastructure being tested. They do recognise the utility of pentests in verifying that software and hardware security measures are implemented correctly, but they want to test their organisation’s incident response in a more holistic way.
Example Ltd also considered red teaming but found the cost was high and that it would be challenging to systematically test each aspect of their incident response process. They also found that both red teaming and pentests highlight how your security measures are failing but do nothing towards building the teams to correct the issues.
Improvement through exercising
They instead decide to implement a programme of cyber exercises. They consider exercises to be the most cost effective way to provide pragmatic evidence that the whole organisation is ready for a cyber incident. They also feel that by involving people from across the whole organisation they can find a way to tailor their cyber security measures to their business.
Example Ltd are aware that improving their cyber security will not happen overnight. They therefore use cyber exercises to identify what they need to protect and to consider investments before they actually make them. They use routine exercises to maintain visibility of their progress. Further detail of how cyber exercises are conducted can be found here.
Commercialising good cyber security
After conducting a couple of exercises, Example Ltd are encouraged by the improvement shown in their ability to handle a cyber incident. Even though they have much work still to do they judge now is the time to share their progress with their customers. By having an independent, objective assessment of their ability to handle a cyber incident they are able to highlight the progress they have made and demonstrate their commitment to further improvement.
This proactive attitude towards cyber security, backed up with evidence allows them to begin to differentiate themselves from their competitors. The full value of this is realised when their customers start asking for more onerous assurances about their suppliers’ cyber security. Example Ltd are then able to show a historic record of assessment and improvement in their cyber security that few of their competitors will be able to match.
How cyber exercises helped
Cyber exercises have allowed Example Ltd to anticipate the market and to position themselves ahead of their competitors. The use of routine cyber exercises has allowed them to gradually build up their cyber security in a prioritised and focused way. This has reduced the impact on their overheads in any single quarter.
The routine use of cyber exercises has also engendered a cyber security culture in the company which is increasingly recognised by their customers. The combination of this culture and the historical records of cyber exercise performance provides a compelling argument that Example Ltd’s sales team can use to win new business.