Operationalize Principles of Cyber Resilience

Learning Objectives 

After completing this unit, you’ll be able to:

  • Describe how to design an integration strategy to enable the adoption of new cyber policies and principles.
  • Explain how to get support and allies to prioritize cyber resilience.
  • List actions to make the case for cyber resilience as a valuable business opportunity for your organization.
  • Identify how to build a plan and team to enable the efficient adoption of cyber-resilience principles.
  • Describe how to perform the rollout of cyber-resilience principles and monitor and expand cyber resilience throughout your organization.

Implement the Principles

To implement the World Economic Forum (WEF)’s cyber-resilience principles for the oil and gas (OG) industry and fully realize their intended benefits, cyber resilience must not be an afterthought; it must be incorporated into an organization’s culture and into all aspects of the business’s norms. To shift deeply embedded corporate mindsets, managers can take a gradual approach to introducing cyber-resilience best practices within OG organizations. Here are the steps in this approach.

  • Design the integration strategy.
  • Get support and allies.
  • Make the case.
  • Build a plan and team.
  • Perform the rollout.
  • Monitor and expand.

Sydney is a chief information security officer (CISO) at a public petroleum and natural gas company. Let’s follow along as she operationalizes the cyber-resilience principles for her industry. 

Design the Integration Strategy

Sydney knows how important it is to define a strategy that will effectively integrate and enable the adoption of new cyber policies and principles. She starts by defining a delivery methodology around four key pillars within her organization: risk posture, internal culture, organizational model, and business strategy. She assesses the internal maturity and risk posture of her organization to accurately prioritize cyber actions.

Sydney also aligns and integrates the cyber-resilience principles with the business’s strategy, vision, and mission by understanding how cybersecurity can support and enable each business unit’s core competency. She understands the organizational operating model and structure, and verifies which key stakeholders are required for rapid and successful adoption. She selects a delivery-model strategy that integrates well into the organization’s internal culture to ensure the effective adoption and implementation of cyber-resilience principles.

Get Support and Allies

Next, to ensure internal support from both mid-management and senior leadership, Sydney demonstrates the cyber risks of their business units while leveraging her board’s mandate to prioritize cyber resilience. To secure buy-in from key stakeholders, she outlines the specific expectations and requirements needed to support the board mandate, illustrating the value of the cyber-resilience principles in unique situations. She secures support from senior leadership by making the case for and demonstrating the importance of cyber resilience to board members.

Sydney also identifies key supporters from multiple stakeholders across the organization who are critical for the implementation of the cyber-resilience principles (for example, the organization’s risk officer and audit team). She gets internal buy-in from key business heads when building a strategic plan by illustrating the relevance and benefits to their businesses. She also provides resources and funding support for pilot or lighthouse projects with dedicated cybersecurity funds, by allocating operational budgets to specific cyber-resilience measures.

Sydney also integrates the cyber-resilience principles into existing governance processes for seamless and more rapid adoption (for example, by leveraging her organization’s safety culture and other mature disciplines).

Make the Case

Next, to maintain senior leadership support and engagement, Sydney describes cyber resilience as a valuable business opportunity to the organization. She maps new cyber policies to the company’s vision, mission, and strategic goals. She communicates the complexity and urgency of implementation by illustrating the risks for the organization and business unit.

Sydney also coordinates with identified internal allies to ensure a collaborative and holistic proposal when communicating and reporting to the board. She reiterates the benefits of cyber resilience to the board, demonstrating business value by using practical examples to quantify and qualify the risks and rewards for the organization. She also sets clear goals by clarifying performance measurement points and timely key performance indicators, and by defining regular reporting (from monthly to biannually).

Sydney highlights to the board the value and benefits of long-term cyber resilience by reiterating the relevance of the cyber-resilience principles. 

Build a Plan and Team

Next, to enable the effective adoption and implementation of the cyber-resilience principles, Sydney establishes a roadmap with clear activities, milestones, and practical key performance indicators with mechanisms that support future changes. She selects a cross-functional team to manage an implementation roadmap based on her organization’s complexity and culture, and the board members’ goals. She adapts and validates the plan (if needed) by setting key deliverables and measurement points, and a well-defined reporting and metric communication plan.

Sydney also defines the delivery model by considering internal change management, business process engineering, and the delivery method (for example, leveraging the organization’s agile methodology and annual business planning). She verifies that the team understands the value of the principles and champions the roadmap by applying individual goals and embedding cybersecurity responsibility within each role.

Perform the Rollout

Next, Sydney initiates the rollout of the key cyber-resilience and risk management principles to shape her organization’s cybersecurity culture by following a defined integration strategy. She introduces, implements, and embeds cyber-resilience principles into a target operating model. She leverages pilot, lighthouse, and existing projects to integrate cyber-resilience programs into new developments.

Sydney also tailors training to a wide range of staff members, including board members, to set comprehensive expectations and awareness of inherent cyber risks.

Monitor and Expand

Finally, Sydney enables continuous monitoring through instant feedback loops, while providing key performance metrics and carrying out routine performance reviews needed to expand cyber resilience throughout her organization. She enables continuous communication to key stakeholders on the value of ongoing and future cyber-resilience projects and the achievement of the organization’s cybersecurity goals. She implements continuous reporting and feedback to the board, recalling initial goals, providing simple measurements, and communicating progress and the overall value.

Sydney also monitors leading indicators (for example, project budget and capacity) and removes identified obstacles before they can negatively impact implementation. She monitors and reviews defined performance indicators and when needed adapts them to support cybersecurity expansion.

Sum It Up

In this module, you’ve been introduced to a blueprint for evaluating cyber risk and enhancing cyber resilience across the OG industry. You’ve also learned how to implement the WEF’s cyber-resilience principles for OG industry boards. Great job!

Interested in learning more about cybersecurity careers and technologies? Head on over to the Cybersecurity Learning Hub to explore other roles and hear from real security practitioners.

Resources

PDF: WEF: Cyber Resilience in the Oil and Gas Industry
