2024/39 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Upcoming webinar: Webinar on Benchlearning 5 Dec. 2024 2pm – 3 pm CET / Webinar “HIRING4CYBER in a European Public Administration” 3rd December 2024 10am – 12 noon CET / “Watch it burn” can be an acceptable attitude… / is security patching over the weekend overrated? / CIS “Reasonable Cybersecurity Guide” Released


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week´s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 8): Test new solutions yourself (with the assistance of an expert) – never let others do that for you.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 8): Reduce your costs by making sure only IT buys IT services – an informal conversation with Finance can help identify whether non-IT staff are buying third-party IT services at your cost.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 8): It usually pays off more to hire good service / supplier managers without IT skills than to ask IT professionals to do that for us.

Summary

Hi everyone, I hope you are doing well. Colleagues from four cities / regions from Belgium, Bulgaria, Ireland and Italy again joined Friday morning.

We had a colourful discussion about how many legacy solutions exist on our estates (many even without password protection) and that, while we may often warn leaders about the dangers, little (if anything) happens and no budget is made available until the systems fail. The image below reminds us that sitting back and watching the fire is sometimes the best reaction when threats become incidents – it is probably the fastest path to new and more secure solutions – ideally, of course, you have prepared the needed investment papers in advance (in fact, something one colleague does – they have the needed vendors etc. lined up for emergency remediation, for example). This may sound terrible, but there is only so much we can do, and keeping solutions alive at any price is not always the best approach.

We then discussed a specific question about whether we do security patching on weekends and seemed to agree that typically this does not work out, since it needs in-house support that is not always available – or, alternatively, there is so much patching to do that we could be patching every weekend but cannot afford the resources (or do not even have them). So what to do when a critical vulnerability is discovered on Friday afternoon? Well, we do think that the question is then “can we delay until Monday first thing?” and usually we can (it might be helpful to tighten firewall rules etc. until this is done, of course).

Another colleague then shared how they are in the middle of storage upgrades and that, at least with third-party cloud, these sorts of challenges should not be relevant anymore. In practice, of course, we see that third parties will “sweat” their cloud storage solutions for financial reasons as long as possible, and that leads to ignoring the fact that, just like any storage, the performance of solutions running on them is often best with under 60% storage usage. The problem has just shifted from our local data centres to the supplier ones. Which reminds me, “good” storage solutions are of course also not cheap and get more expensive all the time.

Some public administration colleagues were able to attend the US Coalition of City CISOs event last week, which demoed a Threat Intelligence Sharing pilot created by the City of Los Angeles, California. The platform used seems to be very detailed, rich in information and in the possibilities it offers. We will continue to share such invites as relevant – cyber has no geographic boundaries, and learning from our peers across the world can only be beneficial.

Cheers, 

Oliver

Insights from AI

Some colleagues are nearing retirement, and succession planning is often difficult in public administrations since roles are often only published when someone has actually left! I asked CoPilot “What is the importance of succession planning in cybersecurity roles?” The AI responded:

“Succession planning in cybersecurity roles is crucial for several reasons:

Continuity and Stability: Ensuring there is a plan in place for key cybersecurity roles helps maintain organizational stability and continuity. If a CISO or other critical security role is suddenly vacated, having a succession plan ensures that there is minimal disruption to security operations.

Talent Development: Succession planning encourages the development of internal talent. By identifying and grooming potential successors, organizations can build a pipeline of skilled professionals who are familiar with the company’s systems and processes.

Risk Management: Cybersecurity is a critical function for any organization. A well-structured succession plan helps mitigate risks associated with leadership transitions, ensuring that there is always someone capable of managing and responding to security threats.

Regulatory Compliance: Many industries have regulations that require formal succession plans for key roles. Having a succession plan in place helps ensure compliance with these regulations and avoids potential penalties.

Reducing Burnout: Cybersecurity roles can be highly stressful, leading to burnout. Succession planning allows for the rotation of responsibilities and provides opportunities for rest and rejuvenation, which can help retain top talent.

Strategic Planning: Succession planning is part of a broader strategic plan for the organization. It ensures that the cybersecurity team is aligned with the company’s long-term goals and can adapt to changing threats and technologies.

In essence, succession planning in cybersecurity is about being proactive and prepared. It helps organizations navigate the inevitable changes in leadership while maintaining robust security measures.”    

In the News
City ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Project Cyber Securing Public Administrations “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02

We continue preparing a proposal for DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 “Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies (2024)” that will be due for submission on January 21st, 2025. 

The focus is on supporting NIS2 deployment by raising local / regional NCAF maturity through replicating / localising the ISAC Baseline Cooperation model currently implemented by our friends at I-Trust. If any local / regional public administrations or Local Government Management associations are interested, please contact me – I expect that we will be able to deploy to a maximum of 3 EU member states. The local government administration of one nation has already decided to join so there are perhaps 2 slots left.

Of particular interest might be this emerging project objective:

“This proposal implements, refines and validates a scoring scheme for LGMAs based on the emerging EUCC to assess the degree of alignment of hw/sw solutions with the capabilities demanded by the NIS2 Directive as defined in the NCAF framework. (TRL 6+ needed)

This will then allow LGMAs to determine which solutions support the greatest number of NCAF requirements (greatest number of line items), thus allowing them to cover the greatest portion of their Defence in Depth model at the lowest possible cost.

The collaborative elements of the proposal enable different LGMAs to compare and contrast actual costs (internal and external) and use that information for (a) identifying the lowest cost solution, and (b) negotiating lowest cost solutions with h/s vendors. The international dimension is particularly critical since vendors are often nationally focused with relevant pricing models.”

If you would like to nominate your national government management association or similar (i.e., association of cities) to participate, please contact me.


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
