Taking cyber out of its silo
Helen Braithwaite, Head of Standards, Training and Exercising at the UK’s National Cyber Security Programme, and Member of CRJ’s Advisory Panel, has been responsible for the design, development and delivery of the Cyber Pathfinder Training Programme; highlights some of its early successes to Anouk Roeling.
“The aim of the Cyber Pathfinder Programme is to achieve a collective building of knowledge and understanding of cyber incident preparedness, response and recovery among a diverse group of people including emergency planners, business continuity planners, IT departments and resilience officers,” Braithwaite explains. “Cyber is recognised as a risk, but people have said that they don’t know what to do about it. Too often, a cyber incident is seen as purely a technical issue. However, experience has shown managing cyber crises requires a whole organisational response.
“So we took up the challenge to transform the topic of cyber threats, planning, response and recovery into a non-technical training programme for a diverse group of participants.”
Changing daily practice
The two-year Cyber Pathfinder Programme is part of the National Cyber Security Programme, with the small team residing within the UK Ministry of Housing, Communities and Local Government. The training is free of charge for all participants and consists of six separate training days delivered at eight locations across England. Training covers: Cyber Landscape: Guidance and Support; Cyber Threats & Core Resilience Capability; People, Process & Technology; Resilience Preparedness, Planning & Embedding Awareness; Incident Management, Crisis Management & Communications; and Business Continuity & Recovery from Cyber Incidents. So far, more than 1,500 delegates from over 350 organisations have attended – 86 per cent of participants say they are doing things differently as a result of the training, Braithwaite says with pride.
Take people on a journey
“We called the programme Pathfinder to recognise that we wanted to take people on a journey,” Braithwaite continues. “We wanted to build knowledge and understanding, starting from the basics and going all the way up to multiagency incident management and recovery. In the training, we focus on using the same terminology, and on gaining a common understanding of risks and threats. Of course, we address some technical issues, but we make sure to turn ‘tech speak’ into a common language everyone can understand.”
The training sessions are set up in such a way that the tasks and opportunities enable participants to learn from each other and share experiences and knowledge. “It is very helpful to hear from delegates what they are doing back home, and we incorporate those examples in the next training to keep the content relevant and up to date. Operating a continuous improvement model means that the content in Pathfinder 1 training we delivered in Newcastle in May was not the same as the one we started with in London last February. The threat is ever-changing and policy is constantly developing, we must ensure we reflect this in our training.”
Across the United Kingdom there are effective and well tested structures to respond to and recover from crises, Braithwaite says: “We have been keen to demonstrate these structures are fit for responding to the cyber threat as well. We want people to become less afraid of the cyber word. Cyber is not just for your IT team. It requires the same corporate and multi-agency response as any other incident, with the IT department brought in to support and provide technical guidance.”
The programme ends in March 2020, so Braithwaite’s team members are currently working on creating legacy, she says. “We are adopting low tech options to make all of the content and material – including speaker notes and presentations –available through a dedicated resilience platform called Resilience Direct, which is a secure site that enables us to share information within the resilience community. This site will also host all central government policy and guidance, along with materials developed as a result of the programme, including an incident response plan, the cyber incident preparedness standard, a self-assessment guide and the cyber technical advice cell guide. On top of that we recently made a bid for some additional funding, to review all of the materials and turn parts of the training into an e-learning course.”
The approach the UK has taken is certainly something that can be adopted elsewhere. However, the Pathfinder Programme itself is focussed on UK-specific structures, guidance and policy, Braithwaite explains. From her experience, she shares some recommendations: “Make sure you are backed up by a national voice of authority. In our case it helped that we are part of the National Cyber Security Programme and work very closely with the National Cyber Security Centre and other nationally recognised cyber technical specialists. You need to recognise that cyber is a multi-agency, corporate issue – a team sport. It should not sit in an individual silo; it needs strategic corporate leadership across agencies. So I would advise organisations to break down the technical language and show participants how they can bring cyber into their corporate governance structures.
“The technical bit of a cyber incident is rather straightforward. Managing its wider consequences is far more challenging.”
More information available here
Helen Braithwaite, 19/12/2019