FROM AWARENESS TO ACTION: Bridging the gap in 10 steps

Understand the cyber challenges of tomorrow

Information and communication technology (ICT) dependencies are found in every realm of our current societies. Failures or disruptions may affect many millions of functions (systems) and even more people, SMEs and large organisations. Understanding the cyber risk is increasingly important, but there are so many risk factors that it is difficult to oversee what the cyber challenges are. In addition, new ICT innovations emerge at a quick pace. This means that it is not enough to look at what happened today or yesterday. Take the lessons identified yesterday and learn them tomorrow.

Consider what you need to do to understand the cyber risk. What keeps you up at night? What are the assets (‘crown jewels’) that you want to protect at any cost? What does this mean for the people, processes, technology and governance in your organisation and the organisations in your network? 

Create continuous Awareness

Everything starts with awareness about the cyber risk. Awareness is needed at all levels, from the boardroom all the way down to the shop floor. People need to be aware and people need to know what actions to take. It is important to create a culture in which cyber security and cyber resilience are the norm. Creating awareness is not enough; more importantly, it is about becoming aware, being aware and staying aware!

It has limited value to be aware on your own. Awareness will only pay off if it is fostered at all levels and in your ecosystem, including at third parties. Make it possible to discuss cyber security incidents; don't be afraid to be vulnerable.

Teach the digital skills of the 21st century

Nowadays, people are used to working with ICT and being connected 24/7. This does not mean, however, that they are fully prepared for the risk associated with this connectivity. What happens when connections fail? Moreover, ICT is often hidden in smart functions (cars, TVs, etc.). People do not realise that they are in fact dealing with networked computer systems.

Educating people about good online behaviour and the cyber risk is imperative, not only for people who currently work in our organisations but for everybody, at all levels, from our children in school up to elderly citizens. ICT is here to stay and it is about time that teaching digital skills and behaviour at all ages becomes part of education systems all over the world.

Take responsibility

Addressing the cyber threat is not something that a single organisation can do alone. Every organisation and every individual should take their responsibility. Response needs to be fast because of the pace of digital innovations and increasing connectivity. There is no time to waste: everybody needs to act now.

Taking action in your own organisation is not enough because you operate closely with other organisations. Cyber resilience is essentially a networked problem: the entire cyber security chain is as strong as the weakest link. It is not enough to focus attention on the resilience of a single organisation; all partners in the chain should be involved and act.

 

Cross the bridge

Start working together as a responsible community. It is time to break through the persistent taboos and be open about cyber security incidents: start timely sharing of actionable cyber security information. There is still a lot of sensitivity about sharing information about cyber security incidents. Because of the reputational risk, most organisations do not like to speak about incidents. Nevertheless, sharing experiences is imperative to increase knowledge about threats, vulnerabilities and consequences as well as lessons identified. We need to realise that we cannot face the cyber risk alone. Let’s cross the bridge and join in the battle against those groups and individuals who are aiming to disrupt our ICT-based functions and services.

 

Work in partnerships

Until now, national and international collaborations to address cyber threats were based on best-effort collaborations of the willing. Facing the fast-emerging new cyber threats and challenges, it is now time to end the period of loose non-binding collaborations. We need to attain a next level of collaborative cyber resilience. This requires true partnerships that move beyond collaboration and in which all partners are committed to take their responsibility.

Partnerships are more than collaboration: they are all about commitment.

Share resources, work together, perform experiments. Work together at the strategic, tactical and operational level and create added value.

Partnerships are key to increasing cyber resilience. It is important to foster a climate and culture of security in which public-private partnerships can flourish.

Reach the next level

In order to reach the next level, we need to foster a climate and culture of security in which true partnerships (public-private) can flourish. These partnerships should be based on: 

  • Effective and timely sharing of actionable cyber-security related information at the strategic, tactical and operational/technical level.
  • Sharing resources to address the cyber threat.
  • Using interoperable procedures and processes.
  • Learning and understanding each other’s crisis communications language and incomprehensible cyber technical terminology.

Show control

Are you prepared for dealing with a cyber security incident? When confronted with tough questions from the media, will you be able to say that you are in control? Can you truly say that you were aware and that you did everything you could? Be in control, communicate, be accountable, and show your shareholders and stakeholders what you have done.

  

Be ahead of the game

Move beyond what is known today. Continue to challenge yourself and your assumptions. Stay sharp. Keep innovating in order to keep up with the dynamically changing and innovative environment.

What are the next steps that you will take? Awareness about the cyber risk is crucial. Learn from earlier cyber mishaps. Understand the importance of cyberspace to the entire society. Learn about vulnerabilities and gaps. Know your national and international peers and organisations and flock together. Collaborate with them in thorough training and exercises. Partnerships need to be created now, not when the crisis is already happening. Stay on top of it at all times.


 

Contribute to a resilient digital society

A resilient digital society is a collective achievement. Nobody can reach it on their own. It does not make sense to limit actions to a sector or a nation. A shared responsibility is a global challenge.

Global partnerships are necessary, but those will be difficult to achieve if the national situation is not up to par. National and regional stakeholders in all nations need to take their responsibility with regard to the cyberspace domain. Step up, be ahead of the game, be in control and contribute to our global cyber resilience!