Seven steps to designing a resilient Cyber Security Programme

The reality for most organisations is that, despite their best cyber defences, they are going to experience a cyber-attack at some point. A resilient cyber security programme is all about the ability to not only deter and resist attacks – but also to detect and recover from them, returning to normal operation with minimal downtime.

Government has urged all sectors of the UK business community to improve their resilience to cyber-attacks and has introduced several initiatives to support this – such as the Cyber Essentials Scheme (CES). Of necessity, these initiatives are supportive in nature – it is still down to individual organisations to put into place the necessary strategy and technology to improve their resilience to cyber-attack.

Of course, cyber security requirements will vary greatly from one organisation to another. That’s why to do this effectively will require the organisation to appreciate a number of factors and address them specifically.

Here are seven steps to address in designing a programme that meets your organisational needs.

Step 1: Your threat profile

The threat facing each organisation may differ widely, depending upon the degree of exposure or dependence upon Internet services (such as cloud or web presence). For example, an organisation whose core business is based on e-commerce is going to have a completely different threat profile to one whose Internet usage is limited to email and web browsing.

What threats apply to your business model and the sector you operate in?

Step 2: Your existing information security provision

The maturity and scope of your existing information security provision is also a key factor. You may be surprised to discover that an organisation with an effective Information Security Management System (ISMS) certified against ISO 27001:2013 does not necessarily have an effective level of cyber resilience.

The Cybersecurity Capability Maturity Model C2M2 can be used to perform a gap analysis to understand the shortfall in your existing provision. It defines ten domains for analysis and four maturity indicator levels.

Step 3: Your regulatory requirements

The regulatory requirements for organisations vary widely and may be dependent on the business sector (financial services, nuclear power, telecommunications) or the nature of information being processed (data protection, government supply chain).

What regulatory requirements apply to the sector you operate in?

Step 4: Your customer expectations

Customer expectations are increasingly a major factor, with the growing awareness of cyber security risks within supply chains. The arrival of structures such as the Cyber Essentials Scheme (CES) or the MOD Defence Cyber Protection Partnership (DCPP), although primarily created for the public sector, have a widespread effect throughout the supply chain. It is likely that similar requirements will be put into place by large private-sector procurers in the future.

Step 5: Your level of risk

The likelihood of a risk happening is related to threat – where there is a significant threat, the likelihood of an event is potentially higher. For example, social engineering (such as a phishing email) represents a high threat because, without training, it is likely that average users would be coerced by such an attack. Phishing emails happen daily or weekly, so the likelihood is high.

It is, therefore, a good idea to consider the current risk (reduced by existing controls such as ISO 27001/2) and to determine the appetite for accepting the risk, which is the desired risk level. The US National Institute for Standards and Technology NIST framework can be used directly to perform a risk assessment by understanding the likelihood and impact of an absence of each of the categories identified by the framework. This will generate about 30 high-level risks and several sub-categories.

Step 6: Your people and training

You’ve heard the line that “people are the weakest link in cyber security”. It is a common mistake to focus exclusively on technical controls to support cyber resilience. It ignores the high level of dependency on people “doing the right thing” and we know that they often don’t. This means that user education and awareness training is a key control that should be put in place as early as possible.

User awareness training has two dimensions: That provided to all staff and the specific training requirements for staff with direct responsibility for cyber security (such as systems administrators, help desk staff and procurement officers). Some form of training needs analysis (TNA) is recommended to understand who needs training, for what purpose and how often.

Step 7: Your policies and governance

To support awareness, there is a need for policies to define what is needed or permitted by the organisation. Policies support governance, which in part can be considered as the measurement of compliance. To permit this, policies should be designed so that compliance can readily be measured. The same approach applies to technical or procedural controls – these should be designed so that effectiveness and compliance can be measured.

In summary

There is no “one size fits all” cyber security strategy; the requirements (and starting point) for each organisation may differ radically even between those organisations that operate in the same industry.

The development of a resilient cyber security programme must be tailored to meet the needs of an organisation, ideally, this should be based on a realistic assessment of risks and risk appetites.

Further guidance on developing a Cyber Security Programme

This blog is based on a paper by Ascentor which explains an approach to the development of a cyber security strategy, using widely-available information that can be tailored to suit each organisation.

The paper explores off-the-shelf toolkits available to support the entire lifecycle of a cyber security programme and identifies three such toolkits that should address virtually every aspect of delivering cyber resilience.

Download the paper from Ascentor’s resources page.

For further information

If you have found this article of interest, you might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James, MD at Ascentor.

Written by


Receive the latest Cyber Security News and Content

Fields marked with an * are required


Ascentor Ltd is committed to protecting and respecting your privacy, and we'll only use your personal information to administer your account and to provide the products and services you requested from us. From time to time, we would like to contact you about our products and services, as well as other content that may be of interest to you. If you consent to us contacting you for this purpose, please tick below to say how you would like us to contact you:

You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

By clicking submit below, you consent to allow Ascentor Ltd to store and process the personal information submitted above to provide you the content requested.

Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch