Page 25 - Demo
incident and on those that help reduce the undesired consequences of it. Such a combination of a proactive and reactive approach is reasonably easy to implement and provides good guidance for future improvement activities through its intuitive visualisation.

Verify!

In order to obtain assurance of the achieved cyber security and to demonstrate compliance towards the company’s stakeholders, cyber security resilience should be verified. Awareness can be validated through questionnaires, technical improvements can be tested through advanced methodologies like penetration, network or storm testing, and management systems can be certified. These verification approaches can also be used to establish a baseline and then monitor progress as a company’s cyber security maturity develops over time.

It’s doable

Recognising that cyber security resilience is increasingly important in shipping and offshore, DNV GL will publish a Recommended Practice “Cyber Security Resilience Management” in early September. It will serve as a practical guideline and is based on the experience gained in multiple projects in this domain as well as on input from academia and experts from other industries. Recognising the obligation to support the industry in this process, DNV GL has in parallel released a web-based cyber security self-assessment tool, e-learning modules for crews and shore staff as well as a range of related advisory, testing and verification services.

Management teams will find that dealing with cyber security challenges has many commonalities with other responsibilities. Following a systematic approach to assess, improve and verify makes this a manageable task. A first step required is to put cyber security on the agenda of senior management and to make sure attention is maintained. Following a Recommended Practice will provide a structured approach to management of a topic that increasingly will make it to the boardroom.
Equipping leaders with the tools to put in place a unique cyber security response framework will provide the necessary foundation on which to build digital decision making capabilities and start harvesting the immense opportunities coming at the industry by way of Big Data.

• If the risk is perceived as substantial and the number of critical systems is high, a comprehensive, in-depth assessment is proposed. Different methodologies are suited for IT and for OT. While the assessment of the consequences of a successful attack will be more systematic, the biggest challenge in this type of assessment lies in assessing its likelihood. It has proven practical to approximate this likelihood with an assessment of the ease of access. For this assessment, substantial technical knowledge is required, and the effort required is high.

Three areas of improvement

Only with an appropriate assessment in place can management be assured that the improvement activities to be initiated are sufficiently targeted and worth the money invested.

Diverse as these improvement activities may be, they typically fall into three categories that should all be considered when moving ahead:

• Awareness and competence are the most important contributors to cyber security. Studies consistently attribute 90% of cyber security breaches to the human element. Awareness campaigns and trainings or e-learnings for shore staff and crews will be central to most initiatives.
• Technical solutions can provide solid barriers against attacks, be it from the inside or from the outside. They need to be scaled to meet the specific requirements of the company.
• Building a management system, most likely according to the internationally accepted standard ISO/IEC 27001, should complement these activities and ensure that cyber security becomes a continuous improvement effort.

THOUGHT LEADERSHIP
ISSUE 51 | WAVES