Smart Cities Cyber: Part 2 Collaborating to secure the Smart City By Pete Stoddart and Steven O’Sullivan


Part 1 of this short series looked at some key factors and viewpoints that should shape how a cyber team approaches the many aspects that will be incumbent upon them during this programme.

In Part 2 we look at:

• The Triple Helix Model of Academia/Industry/Government to map the macro interactions in a Smart City

• How this collaboration on a macro scale will enable the cyber team to succeed

• How to ensure that the cyber team is central to Smart City infrastructure

• A step by step checklist to best practice

Reading time: 5-8 minutes.

“Technological progress is like an axe in the hands of a pathological criminal.”

- Albert Einstein


Smart City cyber security cannot be successfully implemented without the co-operation and collaboration of everyone within the ecosystem. A key model that illustrates this point - and emphasises the strategic centrality of a cyber strategy - is the Triple Helix Model¹. This model may not be something that is well known, certainly not in the cyber community, so why does it have relevance in the overall ecosystem of a smart city? And how does this help with its success? One word… Collaboration.

What do we mean by the Triple Helix?

The Triple Helix Model, established by Etzkowitz and Leydesdorff [1], is a model that brings together Academia-Industry-Government interaction and the development toward a knowledge society.

The importance of collaboration outside of the cyber team

¹ The triple helix model of innovation refers to a set of interactions between academia, industry and governments, to foster economic and social development. This framework was first theorized by Henry Etzkowitz and Loet Leydesdorff in the 1990s.


How does this fit with smart cities and cyber?

Here SA Group make two assertions:

Assertion 1: Overall smart city success depends on the synergistic action by the triple helix key factors: government, academia, and industry.

Assertion 2: Cyber teams charged with securing the smart city should begin to engage all these stakeholders and entities in the broader ecosystem of build out as soon as possible.

The model below outlines how the helices wrap through the smart city ecosystem:


Cyber and privacy teams are often siloed within organisations and seen as a cost centre, and an entity that has to be placated and assured to get to the next hurdle. Whilst we believe that this is wrong, it can often work and does work across many organisations that SA Group have worked with over many years.

A number of reasons exist for this, and we have listed a few below:

1. Cyber teams deal with non-functional aspects - therefore can be perceived as being of limited value.

2. They write policies and procedures and make our life more difficult.

3. They are an insurance function who sit away from the main teams in the corner.

4. The smart city/business will operate without them.

In the case of managing a smart city cyber programme, the role of the cyber and privacy team should not be underestimated. SA Group believe the cyber team should be positioned such that they are seen as a key silver thread across all functional areas, and are run and operated as a cyber profit centre².

How to change the culture and mindset to elevate the role of the cyber team?

We believe this should begin with:

• Explicit communication and support of their roles. This should come from the overall board or committee charged with the delivery of the programme.

• Promotion of and setup of cyber and privacy governance forums and working groups to underpin this status.

• Open communications and interlock with the various stakeholders across the ecosystem.

The role of a Cyber Aware Programme Manager

Here at SA Group we believe that, given the pressures on the cyber team to rapidly deliver a multitude of services and communicate these, a good programme manager is essential, as it would be with any large scale cyber transformation project.

The programme manager should operate from a Cyber P3M™ model³ and should understand the need to drive and deliver the various work streams alongside the cyber lead, and ensure that all stakeholders are taking part in the overall governance functions and in education and training.

Bringing people together for success

² A cyber profit centre can be defined as: the positioning of cyber security and privacy capabilities as competitive differentiators to help build a new kind of customer relationship that is increasingly profitable and secure for both.

³ Cyber P3M™ is an SA Group hybrid concept that aligns both strong P3M skills with a high level of cyber awareness.


Useful insights to guide you on your way

As you start to build your programme and define your cyber strategy, you need by this stage to have developed a simple checklist (see below) to keep you and your plethora of interested parties aligned and connected together.

We have added a simple guide below for you to use and adapt as you see fit.

SA Group Checklist

• Ensure you have a roadmap for recruitment in place as soon as possible based on your defined needs. CSOC manager, Cyber Resilience, Security Architecture et al. Don’t wait until the last minute to try and find these people. It’s always better the team have an early insight into the programme than a last minute mad rush.

• Cyber Programme Strategy and Key Cyber Policies: We know as cyber professionals that putting this key roadmap in place is a core foundational action for any significant cyber project. However, this can frequently be put to one side due to pressure from senior people who want to see tangible results ASAP. So, infrastructure and toolsets are put in place before the bigger picture is understood and agreed - even though this may lead to duplication of effort or investment in the wrong approach.

SA Group advocate that you seek to ensure that you do both in parallel:

(a) Top down strategy and governance activities for the smart city programme.

(b) Operational actions, e.g. selection and implementations of technical tools and applications.

If this is not done together, you will forever be playing catch-up and be unable to truly enforce any form of governance and accountability.

• Suppliers: You will be swamped by vendors offering services. Do not let personal bias sway your decision. You have to decide on how you will go to tender via Request for Information (RFI) and Request for Proposal (RFP). Ensure you get these out early and that they are pragmatic and realistic, or you may find a no bid response which delays your programme.

• Be realistic about your suppliers and how they will work with you. Adopt a Business to Business (B2B) philosophy. Don’t expect them to change their world to meet your exact needs, or to take on large risks with impossible SLAs and financial penalties. Give and take is always best.

• Engage all your key stakeholders via a triple helix model or similar in the cyber programme to build support, connections and academic insight to ensure a true synergistic approach. SA Group believe this will pay dividends as your programme evolves.

• Develop your reporting dashboard with pragmatic metrics that show clearly the current status of your programme. This should be monthly at a minimum. You should consider a broad range of metrics, and each of these must have a clearly defined link back to business risk and impact.


• Proof of Concept - Micro City Cell: With all large scale projects such as this it is always prudent to have a proof of concept where you can start small and scale up. This may be a micro cell where you are building out a smart, IoT based model within a set area. Assuming you have the infrastructure in place, you will want to ensure that this micro area can identify, detect and respond to all forms of cyber related events and incidents and report these back to a command and control (C&C) centre. Let’s call this an interim Cyber Defence Centre for sake of argument.

• Cyber Awareness and Culture Change: Last but not least comes cyber security training, education and awareness. One simple approach here is to adopt the view of “we can buy these from a Gartner Top 20 supplier of such services, off the shelf and ready to go via a super Learning Management System (LMS)”.

While this is understandable and doubtless provides a sense of reassurance, we believe it to be a flawed approach. Cyber awareness can and will lead to cultural change, but only in part. For real success it requires a dedicated multi-pronged strategy which wraps around and supplements this model. Do not underestimate the work and time to do this and remember to practice the mantra we all hear:

“Our people, including our suppliers’ people, are our key to success and true cyber defence.”

In the context of Smart City Cyber... this is even more important.

Summary

In this second article, we have discussed some of the high level essentials that need to be considered when seeking to balance a cyber programme with the demands for success, e.g. implementation of hardware and software, operations and providing an effective cyber defence.

The role of collaboration, be it via a triple helix model (Academia-Industry-State), or some other, cannot be overstated. This interaction links together the key stakeholders by emphasising the vital role these entities play in the end product and its evolution.

Finally, having an effective Cyber P3M (Project, Programme and Portfolio) management process in place is essential when your cyber team is small and evolving. This helps to take away the burden on the cyber team and run these as part of a structured plan.

Part 3 will look at more specific Smart City Cyber aspects such as Cyber and Physical Convergence, Education and Training, Cyber Resilience, Vendor security, Privacy, Cyber Defence Centers/SOC and more.


For reference and more information, please see the following:

[1] https://en.wikipedia.org/wiki/Triple_helix_model_of_innovation

[2] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2480085

[3] https://ieeexplore.ieee.org/document/7427555

[4] https://securingsmartcities.org/

SA Group is a Cyber Security, P3M and Technical consultancy working in Defence, Security plus broader public service and blue chip commercial markets.

www.sa-group.com 03333 583340