How do you know you need to invest more in cyber securing your ships?

How do you prove it to your management team?

Building a business case for cybersecurity is notoriously difficult.

  • Risk is hard to quantify. Security doesn’t directly lead to revenue generation or cost cutting. It results in risk reduction. But how much risk is too much risk? And how do you estimate the likelihood when there is limited historical data and cyber risk is continuously evolving?
  • Standards feel arbitrary. Standards tend to be a long list of actions to complete. If you cannot afford to complete the long list in one go, standards don’t generally support prioritisation. Do it all, or fail to meet the standard. Critically, standards are voluntary unless they become well-enforced regulation.

We looked into why the shipping sector finds it is so difficult to know what and how much to invest in cybersecurity. The findings were covered in a report we developed with HFW and Thetius – “Shifting tides, rising ransoms and critical decisions”.

How are your competitors prioritising?

41% said not having the ability to benchmark cyber hygiene with comparable organisations is a major challenge for securing the right cyber security resources.

As a sector, we shouldn’t be competing on cybersecurity. But some comparison, channelled in the right way, can be healthy.

Imagine if you had a way to understand:

  • What areas of cybersecurity other shipping companies are investing in.
  • How much they are investing in these areas, to what level of maturity.
  • How you compare, how far behind or ahead.

Would this change your priorities?

Would it support your business case?

Would it strengthen the dialogue with your management team?

There are a few ways you can get hold of some benchmarking information:

  • Develop or join a peer group. Knowledge-sharing networks are strong in shipping. Some of these are informal. Others are more formal organisations likeAMMITEC, theSingapore Shipping Association, the Cyprus Chamber of Shipping or MTS-ISAC in the US. Be prepared that it will take time to build trust before your peers openly share. At CyberOwl, we also maintain a network of c.400 shipping IT professionals. Let us know by replying to this email and we would be glad to put you in touch with your peers.
  • Get your vendor to work harder. Trials are useful to understand a vendor’s proposition, but can also be valuable to uncover areas of relative weakness. A vendor that knows their space should also be able to provide you a strong steer, based on actual industry adoption, rather than theoretical. The key is to get them to explain why others are investing in certain cybersecurity controls.

CyberOwl has developed a shipping cyber maturity scorecard. We are now piloting this with early adopters. In return for participating as an early adopter, you will gain access to an anonymised benchmark across all participants. Become an early adopter and gain access to the benchmarking data by clicking here to register your interest.