2025/36 Weekly Update from the EU ISAC for Cities & Regions: How is your NIS2 inventory & controls management doing? / Does leadership care about IT failure? / Are we part of a global ecosystem? / Can we use our time better? / OpenSSAM Trending Terms for the Day
** For Back Issues see https://isac4cities.eu/blog **
The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and in his function as Chair of the ISAC for Cities Plus (I4C+). He is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.
Discussion Summary
Hi everyone, friends from Belgium and Ireland joined for a casual chat as we continue to try and clear our desks for the Holiday Season.
We got into a discussion on how one colleague is trying to manage AWS sales efforts into their organisation, including TCO questions and what to do with legacy solutions that are unaffordable to move/replace. That triggered reflections from another colleague struggling to get an old mainframe decommissioned and that for public administrations at least, the worst impact of failed IT services (whether due to cyber or not) is probably reputational / perception risk for political leadership – there are few if any services that directly impact citizen safety (i.e. police/fire or homeless bed booking services). Which reminds me, the “failure” of a service is usually not really needed to trigger cyber concerns – a valid threat (i.e. through disclosed sensitive information by a credible source on the Dark Web) is usually enough. At the same time, this has me thinking whether failed planned IT changes do not do a lot more damage in reality -> this usually is caused by an incomplete asset inventory and lacking effective controls, which are two main themes of NIS2. On that note, I remember a conversation from earlier this week where a public administration CISO admitted not having inventory overview or decent controls in place – it did not worry them though since their leaders consider having a plan in place sufficient and if there is a cyber incident, then the perception is it could not have been prevented in the first place anyway.
You may also be interested in a parallel conversation happening as part of continued formation efforts for the EU Council of ISACs – this is about the globality of cyber challenges and that limiting collaboration efforts based on geopolitical boundaries (i.e. within EU member states) may not be the best thing to do. Some interesting points from an ongoing discussion:
- Operational legitimacy matters more than legal form.
- Exclusion creates fragmentation and risk.
- Control ≠ Commitment.
- Trust and contribution should determine voice.
It is about “actively defending European and global ecosystems”.
Compared to global industries (i.e. aviation, finance, automobile etc) public administrations may not feel they are part of European and global ecosystems – on the other hand reflect on the continuous aggregation of IT services from local to regional to national (and future EU level) platforms that are run by global companies (think about the recent global AWS outage for example). Whether public administrations like it or not, they are running more and more on global platforms -> within the EU the pathway of conversation therefore needs to be towards the Commission, while at the same time protecting ourselves locally from larger scale failures – assuming we actually care?
Finally, perhaps a small personal story that resonates on cyber for me. As many of you may know I have horses and keeping them exercised is critical to their health. Although I spend a lot of time exercising them in various forms, I have not been happy with the results and often struggle to find the time to do “more”. A very experienced colleague of mine then suggested I might want to spend my time doing more effective things than trying to do more ineffective things – I am now taking a hard look at what I am doing and slowly learning that spending ½ the time doing things *right* is a lot more effective than doing more of what is not right – sounds pretty self-explanatory right? But look at what you and our teams are doing daily – is it really the *right* things? This is where I find the NIS2 focus quite powerful…. Maybe 2026 is the year to get your asset inventory under better control in a dedicated push?
OpenSSAM trending terms for today below –

Wishing you all a good wind-down to the end of the year!
Cheers
Oliver
ISAC Services (Member Funded)
We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.
Note that emerging new services are related to managing the MISP platform (and onboarding) plus Barista.
Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.
Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/. Do follow us / join.
Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.
Thank you for the support, your City ISAC I4C+ Team.
Cheers and ever onwards
Oliver
Innovating our Future… Together
Chair City ISAC I4C+ / Dr. Oliver Schwabe.
Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/