External Context

The interconnected and digitalised world requires constant alignment of an enterprise's mission, objectives, and functions with the larger context of the national, regional, and sectoral ecosystem in which the enterprise or organisation operates. The external context of an entity includes the customers/users of the entity's services, as well as its suppliers, auditors and supporting agencies. In the case of regulated entities and CSEs, the national bodies, viz. the government, regulators, nodal agencies, and other authorities, are important stakeholders/interested parties, having legal, regulatory, oversight and advisory responsibilities over the entities.

The Ecosystem

In modern business, it is very rare that an entity operates in isolation. Besides the customers, users and national bodies, regulated and critical sector entities provide or use the services of other external entities in a cooperative, coordinated, or federated manner. In addition, entities also connect with their suppliers and service providers by means of various "channels" and operate using a variety of federated business processes. This business ecosystem is termed in this document the functional business ecosystem of an entity.

The business ecosystem of an entity can also be described in terms of the use of IT in the provisioning and consumption of business services, the underlying business processes, and the information flows between the entity and its users, customers, partners, service providers and national bodies. This technology ecosystem is widely applicable in today's digital environment and is termed in this document the federated digital ecosystem of an entity.

Business and Digital Ecosystems

The business and digital ecosystems of an entity in the Indian context are shown pictorially below:

[Figure: Federated Digital Ecosystem]

Each organisation in the federated ecosystem is responsible for its own IT and information security. Organisations must, however, be aware of and responsive to the information security needs of the other participating entities within the federated ecosystem, and must comply with the directions, guidelines and standards prescribed by law, regulation, and the mandates of nodal agencies. Every organisation in the complex, federated ecosystem is ultimately responsible for carrying out due diligence, not only on its own information security but also with respect to all parties in its external context.

The National Cyberspace

A pictorial view of the national cyberspace is shown below:

[Figure: National Cyberspace]

The picture above shows the digital ecosystem elements (blobs) of the national cyberspace from an ownership perspective (who uses, owns, provides, manages and controls what). Usage, ownership, management and control of the elements of the digital ecosystem are important criteria for assessing the trustworthiness of, and the risk associated with, those elements, specifically from the perspective of external threats.

Entities are encouraged to print out a blank diagram and populate it with their own information infrastructure components (web portals, email system, ERP, CRM, OEM subscriptions and support, etc.). This gives them a high-level perspective of their digital landscape.

Smart, Resilient and Sustainable

The business and digital ecosystems of critical sector entities are highly complex and fast evolving. Generally, the top leadership of entities has a good grasp of the business complexities and is able to handle them well. However, the complexities of the digital ecosystem are not well understood by the top leadership, and handling them is left to the CIOs, CISOs and their teams. In most cases the technical and project teams adopt a technology-driven approach, which leads to misalignment between the business needs and the use of the technology provided by the underlying digital ecosystem.

The integration of IT at the sectoral, regional, and national levels will only increase in future. Hence, at the national level, there is a need to develop capabilities for a smart, resilient, and sustainable digital ecosystem. These terms are described below:

  • ‘Smart’ describes the high levels of automation, analytics and decision support capabilities that are enabled by the use of IT.

  • ‘Resilient’ describes the ability of the IT ecosystem not only to withstand large-scale attacks and limit their destructive effect, but also to recover from a successful attack in the shortest possible time with minimal damage or disruption.

  • ‘Sustainable’ describes the ability of the critical sector entities, and the nation as a whole, to use IT for the delivery of national critical functions and business services efficiently and effectively over a long period of time that extends into decades.

In general, smart capabilities are achieved through the use of intelligent devices, analytics, AI, and machine learning, which can significantly improve the functioning, performance and resilience of the digital ecosystem. Automation agents and bots provide a highly scalable non-human workforce that can complement the limited human workforce. Resilience is a key component of business and organisational needs and is achieved through well-designed operating procedures, processes, and practices. Sustainability is achieved through a combination of institutional structures, people, policies, and governance, risk, and compliance (GRC) mechanisms.

Strategic Program Approach

Resilience and sustainability of IT and information security are strategic goals of organisations. Hence, they must be driven by the top leadership and management, who must take a long-term strategic view of both the use of IT to achieve business objectives and the use of information and cyber security to protect IT and the business. Governing bodies and top leadership should assess whether they have adequate in-house capabilities to strategise on these two goals, or whether they require external expertise to support their leaders and teams.

A smart, resilient, and sustainable federated digital ecosystem is best achieved through a strategic program approach that regularly addresses all issues related to the following goals:

  • Protect information and information infrastructure in cyberspace.
  • Minimise vulnerabilities and risks through proactive actions.
  • Build capabilities to prevent and rapidly respond to cyber incidents.
  • Minimise damage and ensure fast recovery from cyber-attacks.