The carrot and the stick approach to cyber resilience
The world of cyber security is maturing at a rapid pace. Commercial and public sector organisations are increasingly focusing on cyber resilience, as they realise that the impact of the inevitable must be managed. They cannot focus solely on prevention; they must also plan for the cure and the recovery.

Efforts toward greater cyber resilience are set against a backdrop of growing awareness of the pressure brought about by technological change. Last year, the World Economic Forum focused on cyber resilience and resolved to support the development of cyber resilience governance capabilities at the enterprise and national level. This year in Davos, AI, robotics and blockchain were the prevalent buzzwords. As these technologies drive digital transformation across industries, the emphasis on cyber resilience will become more entrenched.

In essence, enterprises have a huge carrot hanging in front of them: strong reasons to invest in cyber security, including gains from automating processes and decisions, streamlining application development and harnessing data to build better relationships with customers.

But for every carrot, there’s a stick. In this case, the regulatory requirements governing cyber security are having a much broader impact across regions than ever before, with companies facing millions of dollars in fines, loss of contracts and negative publicity related to disclosures of breaches.

Regulatory requirements have driven cyber security for decades, primarily in the financial services industry. CISOs of global banks have long experience in maintaining rigid compliance programs across multiple jurisdictions. The emphasis has now broadened as other sectors, including government, focus on their susceptibility to cyber attacks.

The security industry is in the midst of complying with the new General Data Protection Regulation (GDPR), which is profoundly impacting the way organisations manage and secure customer data. Missteps in complying with the regulation could be costly: fines of 4 percent of annual revenue or €20 million, whichever is higher (the stick). But if done right, GDPR can deepen your customer relationships as you build trust (the carrot).

The latest topic for enterprises in the EU to consider is the NIS Directive, which was approved in August 2016 and becomes law in May 2018. It focuses on “Operators of Essential Services” (OES). These are services that play a vital role in society, from water and electrical supply to healthcare and transport. Governments are now concerned, as they come to understand that a severe and successful attack on such services could harm the economy as well as citizens’ daily lives.

The NIS Directive identifies four objectives:

  • Managing security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising the impact of incidents

It also raises the prospect of fines of up to £17m for companies that fail to protect themselves effectively (another stick).

However, governmental organisations are also reaching out to the public and are providing steady streams of advice to support enterprises in developing their cyber resilience capabilities. The NCSC in the UK, for instance, is providing a broad range of advice as well as promising to publish a Cyber Assessment Framework for the OES audience in April of this year (another carrot).

So, the regulatory community is offering a big carrot in the form of helping organisations develop better cyber resilience standards to facilitate the adoption of new technologies. The stick is an increasing number of fines for organisations that do not place sufficient emphasis on their responsibilities in this area.

For CISOs who were used to working in the shadows, the spotlight is now shining on them more brightly than ever before. The topic of cyber resilience is not going to stand still; it will keep changing, and at a faster rate.

That’s why it’s critical for CISOs to ensure they have clear transformation plans aligned to the enterprise business strategy. Against a background of constant talent shortage, organisations will need to make decisions about how to deliver security operations: through internal teams, partners, or the integration of external best-of-breed solutions and managed services. Any approach must incorporate ways to increase business agility while securing the expanding enterprise perimeter. As everybody knows, following the carrot is much more rewarding than avoiding the stick.

Chris Moyer is Vice President and General Manager of Security for DXC. He has spent more than 25 years building business and technology solutions for clients in several industries across multiple geographies. In previous roles, he has led solutioning, transformation projects and delivery assurance. He is also a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter and LinkedIn.
  1. AJ Murray says:

    Well written, Mr. Moyer!

  2. Iain Frame says:

    Cyber Assessment Framework now published at I’m collating it into a single document to help do stuff like cyber maturity assessment.