2024/40 Weekly Update from the MCE SIG “City ISAC I4C+” Highlights: Please complete Quick Survey – HIRING4CYBER / Upcoming webinar: Webinar on Benchlearning 5 Dec. 2024 2 pm – 3 pm CET / Webinar “HIRING4CYBER in a European Public Administration” 3rd Dec. 2024 10 am – 12 noon CET / Give suppliers a desk in your office / IT does NOT own cyber risks / CySec4PA proposal paused.


** For Back Issues see https://isac4cities.eu/blog **

The City ISAC (I4C+) is an Information and Analysis Centre whose members are IT and cyber security decision makers exchanging knowledge to improve their cities and collective cyber resilience. I4C+ is a Special Interest Group (SIG) hosted by Major Cities Europe (MCE). Dr. Oliver Schwabe is a member of MCE and, in his function as Chair of the ISAC for Cities Plus (I4C+), is the person in charge of this effort on behalf of MCE and the responsible contact person. I4C+ is recognized by the European Agency for Cybersecurity ENISA. See https://isac4cities.eu/.

Weekly [TLP:RED]

Please contact us directly for more information – these are summaries only and the “key” is in the actual stories shared privately. The stories are based on personal sensitive knowledge shared by peers in personal conversations under Chatham House Rules. This “stuff” may look obvious (?) – the magic lies between the lines and only becomes visible in a personal conversation.

This week’s thoughts are based on the scope of essential services your public administration subscribes to, operates, and manages, including what IT systems support their delivery.

  • Weekly [TLP:RED] for Publicly Elected Officials (Repeat # 9): The best new budgets come from a level higher – create the regional / national initiatives your administration then benefits from.
  • Weekly [TLP:RED] for Essential Services Managers (Repeat # 9): “Citizen Development” of solutions is the only way to keep control – but design for security from the beginning.
  • Weekly [TLP:RED] for IT Leaders (Repeat # 9): You need budgets for your own tools – “hide” them in research agreements.

Summary

Hi everyone, I hope you are doing well. A quiet session with only Ireland joining Friday morning – all the more intensive a conversation of course 😊

We have launched a simple survey to support the HIRING4CYBER workshop next week – should take you less than a minute to complete and responses are anonymous. The survey is at https://ec.europa.eu/eusurvey/runner/eea6f5bd-6173-5281-68e2-0fd215c4c7d7 and the password is “HIRING4CYBER”. The threat we are looking at is “IF we do not recruit enough skilled cyber resources in our administration, THEN we will not be able to protect our citizens from cyber threats”. The survey will be closed on Friday morning 6 December. All you need to do is select ONE option in the grid and then decide how confident you are about your answer. Please participate if you have an interest in the question and feel you can make an informed input – you do not need to be a member of a public administration. Please feel free to circulate in your networks.

When you access the survey page you will see that it asks some very simple questions. The science behind that is based on the thinking of Sir Francis Galton in the 19th century, which triggered the robust development of correlation and regression in statistics (see https://en.wikipedia.org/wiki/Francis_Galton). Fundamental to that was the famous “ox experiment”, which today is better known as the “wisdom of the crowds” (see https://en.wikipedia.org/wiki/The_Wisdom_of_Crowds). The larger the number of confident individuals “guessing”, the lower the resulting range of uncertainty about an outcome. And yes, there are diminishing returns after about 40 relatively confident guesses, and, in general, you will not get better than 50/50 with fewer than about 11 average respondents.

We also shared thoughts on how we can perhaps informally augment our resources by providing third-party suppliers with office space in our buildings (maybe just a desk) and then leverage their presence to help with issues that might arise. Also, a way of perhaps building relationships leading to more formal support agreements? Example: the field engineer of the company providing us with PC support gets a desk in the office where the IT team sits – they still do their normal job of course, but over time become locally supportive and integrated into the team. Give it a try – can work wonders!

Something we did not get time to discuss was a conversation one member had this week around who actually OWNS a risk related to cyber. In their organisation there is a perennial discussion around the business (i.e., service owners) needing to be the owners of a risk and IT being responsible for the treatments. Example: the Social Housing Management service is run off an Internet-facing server that is way behind in patching – the owner of the risk needs to be the colleague responsible for that service, who needs to work with IT to identify/fund/deliver the treatment. IT does not own risks and must work hand-in-hand with the service owners to increase cyber resilience!

So, Christmas market season is starting (at least here in Germany), and I am wishing everyone the chance to perhaps begin slowing down as we head into our well-deserved breaks.

Cheers, 

Oliver

Insights from AI

Surveys are an important part of helping to inform ourselves. “Good” surveys need at least 40 responses from a relevant stakeholder community to be robust. A key question is often whether a survey should be anonymous – many people feel more comfortable this way. I asked Copilot “What are the advantages and disadvantages of anonymous surveys?” The AI responded:

“Anonymous surveys come with a range of advantages and disadvantages. Here’s a breakdown:

Advantages

Honesty and Transparency: Respondents are more likely to be honest and open when they know their identities are protected. This can lead to more accurate and candid feedback.

Increased Participation: People may be more willing to participate in surveys if they don’t have to share their personal information, leading to higher response rates.

Reduced Bias: Anonymity can help reduce social desirability bias, where respondents might otherwise give answers they think are expected or socially acceptable.

Enhanced Privacy: Respecting the privacy of respondents can build trust and encourage more engagement, especially in sensitive topics.

Disadvantages

Limited Follow-Up: Anonymity makes it difficult to follow up with respondents for clarification or additional information, which can be necessary for deepening insights.

Accountability Issues: Without identifying information, it’s challenging to hold respondents accountable for their answers, which might lead to less thoughtful or even dishonest responses.

Lack of Demographic Information: Valuable demographic data (like age, gender, location) is often lost, which can be crucial for analyzing results and understanding different segments of the population.

Difficulty in Actionable Insights: The inability to link responses to specific individuals can make it harder to implement specific changes or improvements based on the feedback.

Balancing these pros and cons depends on the goals of the survey and the importance of respondent anonymity versus the need for detailed, actionable feedback.”    

In the News
  • Join our upcoming webinar on Benchlearning, 5 December 2024, 2 pm – 3 pm CET: Learn how ISAC Baseline can help your city enhance its cybersecurity and collaborate in a community of peers across Europe. Register for our webinar on November 5th and see how compliance work with NIS2 requirements is effectively supported by Benchmarking and a Solution Library with shared security practices using the Benchlearning principle. Registration is here: https://events.teams.microsoft.com/event/a826eed1-27ff-4804-ad3f-d1bfe0803de5@ab59e806-3337-45df-8257-2bc61793098b
  • With ECSO and Region Toscana – Join our Webinar “HIRING4CYBER in a European Public Administration” 3rd December 2024 – 10:00-11:30 CET. ECSO and its co-organising partners would like to invite you to participate in its “Hiring4Cyber in European Public Administrations” webinar and online roundtable, taking place on the 3rd of December, from 10:00 to 11:30. See the attached agenda for more details on the speakers and agenda. The webinar is part of the Cyber Resilient Regions Community (CRR) initiative run by ECSO with Tuscany Region, Major Cities of Europe and EU City ISAC I4C+. Through expert input and regional examples, this session will boost the understanding of how European Public Administrations can attract and retain the cyber security professionals who are essential for modern-day and future-orientated public authorities at all governance levels. Registration link: https://events.teams.microsoft.com/event/a2588981-7de8-4add-a979-10cecc0b515f@07daeece-77f0-4a62-882f-a7a4ce502054

City ISAC Services (Member Funded)

We have published our services at Services Offered – EU ISAC for Cities (isac4cities.eu). Please do review and consider reaching out to include such in your activities and budgets.

Project Cyber Securing Public Administrations  “CySec4PA” – DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02

Our efforts to prepare a proposal for DIGITAL-ECCC-2024-DEPLOY-CYBER-07-CYBERSEC-02 “Support for Implementation of EU Legislation on Cybersecurity and National Cybersecurity Strategies (2024)”, due for submission on January 21st, 2025, are currently PAUSED due to the loss of our Lead Proposer. The Lead Proposer is stepping back since they have more lucrative opportunities than the 50% co-funding offered by this call – the low funding rate is actually a major discussion point with the ECCC at the moment as well (see https://cybersecurity-centre.europa.eu/index_en).

 

Please remember you can reach the whole group via city-isac-i4c-tlpwhite@majorcities.eu. A dedicated group for those cities signing the NDAs is available separately.

Also note our LinkedIn organisational page at https://www.linkedin.com/company/eu-city-information-sharing-and-analysis-center-isac/ and our discussion group at https://www.linkedin.com/groups/12773643/.  Do follow us / join.

Join our weekly Friday morning coffee chats from 9am-10am CET – feel free to come in your pyjamas. Let me know if you are missing an invite and I will send.

Thank you for the support, your City ISAC I4C+ Team.

Cheers and ever onwards

Oliver

Innovating our Future… Together

Chair City ISAC I4C+ / Dr. Oliver Schwabe.

Email: oliver.schwabe@isac4cities.eu Mobile: +49 (0) 1709053671. Web: https://i4c.isacs.eu/ & https://www.majorcities.eu/isac-for-cities-plus/  
