2024/25 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Fed the cat today? / Many critical IT services are not connected to your networks / Best practice tools for helping meet NIS compliance? Survey Pending / Segmentation is key to protection / CISO offices must be independent from IT / Opportunity to professionally review funding proposals

** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information Sharing and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities' and their collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Union Agency for Cybersecurity (ENISA). See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information. These are summaries only, and the "key" is in the actual stories shared privately. The stories are based on personal, sensitive knowledge shared by peers in personal conversations under the Chatham House Rule. This "stuff" may look obvious (?), but the magic lies between the lines and only becomes visible in a personal conversation.

This week's thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, and on which IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials: Making risk management (including cyber) a formal part of your public annual reports is helpful.
  • Weekly [TLP:RED] for Essential Services Managers: Many critical IT services (e.g., electricity, mobility) are not run by your IT department. Make sure they are subject to cyber audits regularly.
  • Weekly [TLP:RED] for IT Leaders: Don't take your vacation in the summer, since that is valuable "quiet time" to get things done.
Summary

Hi everyone, I hope you are doing well. Two cities and three regions from Belgium, Bulgaria, Ireland, and Italy joined us on Friday morning.

We kicked off by discussing our initial reactions to the Enablor benchmarking solution, which most are now trialling, and agreed that it can provide significant value both locally and for comparisons with peers. The comparisons make the most sense when done in a conversation, so you understand who is tackling what and how. A good development here is that some cities / regions that share other languages are twinning up. English is only a lingua franca, of course, and sometimes it helps to shift to others. We are now also preparing a small survey on the tools being used to help meet individual NIS2 criteria and will conduct a small workshop on this later in the year; we will circulate the survey to all in a week or so. FYI, you may have National Recovery funds or similar available to fund an effort like this.

The discussion of (defence in depth) tools used to help meet NIS2 requirements then got us into a discussion of how much better home-grown solutions can be, although these seldom survive cloud migration as the move continues towards cloud solutions from the major providers (which are, of course, a lot more expensive). But hey, you cannot go wrong if you buy the market-leading products, right? (Ha ha ha…) Remember "Buy Blue"?

We also reminded ourselves that regulations in many countries are beginning to mandate a separate CISO role reporting directly to the highest public authority (e.g., in Italy and Switzerland).

Finally, we explored some approaches to segmentation, which is key to reducing the impact of any incident, and the challenge that many critical IT services are not running over our own networks (e.g., electricity and mobility). We agreed that it would be helpful to run a small event looking at how we are doing segmentation in practice and will tee that up after circulating the previously mentioned NIS2 tooling questionnaire. The architecture of good segmentation is an "art" where we best learn from the practical experiences of others. Cyber breaches in these "non-connected" services can in fact cause more pain than we would expect (see some comments in the Vauban section below).

All of the above got me thinking that our James Bond villain "Spectre" enjoys exploring our data centres, and their cat probably feeds on anything not firmly connected to the network 😊 AI came up with the following photo…

Before I forget: we also took a look at what really good risk management looks like. See the "Principal Risks" section (pages 50-57) of the Rolls-Royce 2023 annual report at https://www.rolls-royce.com/~/media/Files/R/Rolls-Royce/documents/annual-report/2024/2023-annual-report.pdf, and especially page 55, where the Information & Data (including Cyber) risk is discussed.

Wishing everyone a safe summer!

Cheers, 

Oliver

Insights from Chatbots

I was curious about the opinion of Bing Chat on why a CISO should NOT report to a CIO. The AI responded as below:

“There are several reasons why the Chief Information Security Officer (CISO) should not report to the Chief Information Officer (CIO):

1. **Conflict of Interest**: The CIO’s primary focus is on ensuring the availability and efficiency of IT systems, which often involves implementing new technologies and optimizing performance. On the other hand, the CISO’s role is to secure these systems, which can sometimes mean imposing restrictions or additional controls that might slow down IT processes. This inherent conflict can lead to compromises in security if the CISO reports to the CIO¹.

2. **Independence and Objectivity**: Reporting directly to the CEO or another C-suite executive (like the Chief Risk Officer) allows the CISO to maintain independence and objectivity. This ensures that security concerns are given appropriate weight and are not overshadowed by IT operational priorities².

3. **Visibility and Influence**: When the CISO reports to a higher executive level, they have better visibility and influence over the organization’s overall risk management strategy. This positioning helps integrate cybersecurity into the broader business strategy, rather than treating it as a subset of IT².

4. **Resource Allocation**: CISOs often struggle to get the necessary resources when they report to CIOs, who may prioritize IT projects over security initiatives. Direct reporting to the CEO or another senior executive can help ensure that cybersecurity receives the necessary funding and support².

5. **Holistic Risk Management**: Cybersecurity is not just a technical issue but a business risk that affects all aspects of an organization, including legal, financial, and reputational areas. Having the CISO report outside the IT department emphasizes the importance of managing cybersecurity as a comprehensive business risk².

By having the CISO report to a higher executive level, organizations can better balance their IT and security priorities, ensuring that both areas receive the attention and resources they need.

Source: Conversation with Copilot, 10/08/2024

(1) Should the CISO Report to the CIO? – Cisco Blogs. https://blogs.cisco.com/security/should-the-ciso-report-to-the-cio.

(2) Why CISOs Shouldn’t Report to CIOs in the C-Suite – Security Intelligence. https://securityintelligence.com/posts/why-cisos-shouldnt-report-to-cio-c-suite-conflict/ .

(3) CISO Reporting Lines – Why? – (ISC)². https://www.isc2.org/Insights/2024/07/CISO-Reporting-Lines-Why.”

In the News
  • No special updates this week
City ISAC Services (Member Funded)

We have published our services at https://isac4cities.eu/services-offered and are now proceeding to establish collaboration agreements with third parties we have been working with for a while. These will include joint marketing and enablement plans. Please do review and consider reaching out to include such in your activities and budgets.

One service to highlight this week is the review of IT / cyber related funding proposals – we have a number of highly experienced (EU) proposal evaluators in our network who, for small money, are willing to intensively review and comment on any proposals.

Project “VAUBAN” – 2024 Multi-ISAC Tabletop

You might remember that our City ISAC is a founding member of the EU Council of ISACs, which has many EU ISAC members from sectors such as health, energy, finance, and water. As part of the work with the EU Council of ISACs we are also building out our relationship with ENISA. ENISA is planning a face-to-face Multi-ISAC event in October, and we, the City ISAC, may have an opportunity to run a 120-minute tabletop with many ISACs in the room plus a wide range of ENISA representatives. The preliminary discussions have gone well, and we now have a 120-minute time slot on the morning of the second day. The tabletop will address all ISACs in the room and be based on a public administration being breached and asking for the support of the community to help tackle the challenge. The exercise will address all NIS2 domains and offer the ISACs a chance to help jointly.

The Red Team had an initial session this week and, interestingly enough, quickly focused on "non-connected" services (e.g., electricity, water, mobility) that are usually very insecure and, if breached, could cause significantly more societal impact than the classical public administration systems we are focused on. Just imagine if the traffic control signs on your highways suddenly diverted all truck traffic into your city centre…


Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
