2024/8 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: VAUBAN Virtual Tabletop Monday April 8th 2pm-4pm CET / No call next week / GDPR fines are avoidable! / Planning for retirement? / AI thoughts on the value of benchmarking cyber security / Reminder DIGITAL-ECCC-2024-DEPLOY-CYBER-06 due 26 March

** No call on Friday 1 March **

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

  • Weekly [TLP:RED] for Publicly Elected Officials: Benchmark your cyber security – being good is attractive and can be flaunted.
  • Weekly [TLP:RED] for Essential Services Managers: Keep copies of your legacy system admin passwords – just in case the current admin does not leave on friendly terms.
  • Weekly [TLP:RED] for IT Leaders: Long term technical assistants to the CIO/CISO are the critical knowledge repository for successors – treat them well!

Summary

Hi everyone and hope you are well – only one city managed to join this morning and we ended up mainly discussing the “insanity” of legal GDPR regulations compared to security needs, i.e., for robust incident investigation you might wish to retain email logs for 90 days, but legislation is demanding this be reduced to 7 days, while service providers are not able to change agreed retention periods (check out Microsoft 365 for example with 365 days). We then also decided to take an early weekend 😊

The above then led us to reflect on what we will do for retirement and reminded us how difficult it will be to find replacements – the skills are out there of course; however, will they be willing to work for the money offered by administrations? This is like the development in one country where the CISO role in administrations will shortly be implemented, but we do not expect anyone to want to take the role. Maybe a little too pessimistic, and money is not everything; however, these are challenges we need to reflect on. While we individually can reflect on retirement planning, the organisation needs to have a solid plan in place for talent development, retention, and succession management. Our job to drive this, I think.

Working with Bing Chat to find an image for our 2024 VAUBAN exercise – all suggestions welcome.

Cheers

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat about the value of benchmarking in cyber security (remember our friends at https://i-trust.dk/en/ are experts at this for administrations). The AI suggested:

**Benchmarking** plays a crucial role in the field of **cybersecurity**, offering several benefits for organizations. Let’s delve into its value:

1. **Improving Cybersecurity Planning**: Benchmarking helps teams set **concrete performance goals** rather than vague objectives like “increasing security” or “enhancing security architecture.” By having **measurable, verifiable metrics**, security teams can take clear actions and justify resource requests¹.

2. **Monitoring Progress**: Security benchmarks provide clarity on areas where companies need to **improve security practices**. Teams can track changes over time, facilitating **cyber risk analytics** and the task of remediating critical security issues¹.

3. **Enhancing Reporting**: With established benchmarks, organizations can create more **informed and effective reports** on their cybersecurity performance. These reports can be valuable for internal communication and external stakeholders¹.

4. **Budget Justification**: Security benchmarks allow organizations to **justify budgets** by demonstrating the impact of investments in security. When security leaders can show tangible improvements based on benchmarks, it becomes easier to allocate resources¹.

In summary, benchmarking provides a **baseline** for measuring cybersecurity performance across business units, against competitors, and peers. It empowers organizations to make informed decisions, prioritize actions, and continuously enhance their security posture¹.

Source: Conversation with Bing, 24/02/2024

(1) Security Benchmarks | Bitsight. https://www.bitsight.com/glossary/security-benchmarks.

(2) Establishing Cybersecurity Benchmarks a Must for Orgs. https://www.bitsight.com/blog/why-establishing-cybersecurity-benchmarks-is-a-must-for-organizations.

(3) Security Benchmarking | BitSight. https://www.bitsight.com/glossary/security-benchmarking.

(4) Top 5 Recommendation for Cybersecurity Benchmarking. https://www.firecompass.com/blog/top-5-recommendation-for-cybersecurity-benchmarking/.

In the News

The European Commission has decided to open the DIGITAL-ECCC-2024-DEPLOY-CYBER-06 call for the following six topics. If anyone is applying and looking for partners from local / regional administrations please let us know. 

  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-ENABLINGTECH – Novel applications of AI and Other Enabling Technologies for Security Operation Centres
  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-STRENGTHENCRA – Strengthening cybersecurity capacities of European SMEs in line with CRA requirements and obligations
  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-COMPLIANCECRA – Tools for compliance with CRA requirements and obligations
  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-PQCINDUSTRY – Deployment of Post Quantum Cryptography in systems in industrial sectors
  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-STANDARDPQC – Standardisation and awareness of the European transition to post-quantum cryptography
  • DIGITAL-ECCC-2024-DEPLOY-CYBER-06-TRANSITIONEUPQC – Roadmap for the transition of European public administrations to a post-quantum cryptography era 

The call was published on 16/01/2024 and will close on 26/03/2024. You will be able to find further details under the Funding and Tenders portal. The full text of the Work Programme can be found under the following link.  

City ISAC Services (Member Funded)

No update. The agreement with our hosting organisation Major Cities Europe has been finalised. Key themes are benchmarking NIS2/CIS Controls as the basis for robust risk management through Defence-In-Depth solutions and enabled through awareness building. As soon as final formal steps are completed, we can move forward with a formal offering to members.

Project “DAVID” (Member Funded)

Now finalising the MOU with our Big 5 partner and will be able to publish details as soon as that is formally signed. Two work packages being planned:

  • Work Package 1: NIS 2 Directive Review and Outlook: Conduct an interview-based assessment of NIS2 directive implementation with selected members (6) of I4C+. The results of the interviews will be used to identify weak spots in the directive and to provide a strategic outlook including strategy recommendations for the expected NIS3 directive. Identified gaps shall be summarized in a point of view reflecting the current security posture with respect to NIS2 requirements and potential expectations towards the NIS3. However, it is important to note that the outcome should not be used as a gap analysis of the assessor’s current security posture.
  • Work Package 2: Defence in Depth: To strengthen I4C+ members’ cyber resilience, shape the understanding of joint cyber security as an integral approach among members. Based on the outcome of the work outlined above, deliver a best practice catalogue including suggestions for a respective toolbox. Furthermore, inputs can be utilized to enhance the overview for Defence in Depth to close respective gaps. Collected raw data will be given to the I4C+ for further analysis.

Project “VAUBAN” – 2024 “Battle for the Golden Ticket” Monday 8 April 2024 from 2 pm to 4 pm CET.

Everyone should have received the invitation via separate email by now. Please feel free to forward in your networks. Please reach out if you are interested in actively supporting the event. See also https://isac4cities.eu/join-the-battle-for-the-golden-ticket-webinar-about-managing-it-security-april-8-2-to-4-pm-cet.

Project “Regions4Cyber”

The ECSO’s Cyber Resilient Regions Community (CRR) has now been officially launched. It is a new initiative that aims to build a European community of Local and Regional Authorities (LRAs) that want to increase their digital resilience. It will engage LRAs’ Chief Information Security Officers (CISOs) and related roles, as well as IT or security specialists with cybersecurity responsibilities, in a community that aims to increase LRAs’ cybersecurity resilience. This community has been developed in cooperation with Regione Toscana, Major Cities of Europe (https://majorcities.eu/) and ISAC4Cities (https://isac4cities.eu/). Please let me know if you would like to learn more.

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  