From vision to Blueprint
Today, a new kind of business is required to succeed
Our Corporate Strategy service is designed to transform your vision into reality by helping your business focus on where to play and how to win. We work closely with your leaders to redefine organisational purpose and align it with ambitious, forward-thinking goals.
Through tailored market insights and operational diagnostics, we train your leadership to evaluate opportunities and risks more effectively, laying the groundwork for confident decision-making.
A collaborative mindset for today's challenges
We encourage fundamental changes in your executive mindset and collective management practices, embedding new standards of excellence and innovation within your industry. This comprehensive approach includes a thorough analysis of the market to identify growth opportunities, a diagnosis of your business architecture, and collaboration on strategic goals that align with these insights.
We also optimise critical areas such as operational efficiency, resource allocation, risk management, and procurement to support your strategic objectives. Together, we will transform market uncertainty into actionable growth opportunities, helping your leaders to challenge every aspect of their purpose, business model, operating model, and themselves.
Services
Business Unit Strategy
Designed to deliver targeted, actionable solutions that drive the success of individual business units within your organisation.
Vertical Strategy
Researching the specific trends, dynamics, and competitive landscapes of your industry, we offer strategic solutions that leverage our extensive experience in your sector.
Portfolio Strategy
Provides your business with the insights and frameworks necessary to optimise your portfolio of businesses or products for maximum value creation and strategic coherence.
Business Model Development
With our extensive experience across various industries, we guide you through the process of designing or refining your business model to ensure it is scalable, and aligned with future market demands.
Start-up & Scale-up Growth Strategy
From securing scalable funding to optimising operations and refining business models, our Start-Up & Scale-Up Growth Strategy services provide the foundation for sustainable expansion in competitive markets and regions.
Want to know more?
Our outcome-driven, pragmatic approach will provide direct feedback and practical strategies to help leaders and teams better understand their role and purpose.
We give actionable advice on the best way to communicate your strategy, gaining buy-in across all levels of your organisation and building the momentum for success.
Strategy in Numbers
95%
Number of employees who say they don't understand their company's strategy
48%
Of organisations fail to meet half of their strategic actions
60%
Of organisations do not tie financial budgets to strategic priorities
“We provided the client with a clear roadmap for enhanced profitability and sustained competitive advantage in the dynamic data connectivity market.”
Case Study: Transforming Data Connectivity for a Global Services Provider
Strategy insights
Peter Drucker wrote in his book The Practice of Management (1954) that ‘it is the customer who determines what a business is’. This sentiment still firmly holds true today, as consumers increasingly expect personalised shopping experiences from aspirational businesses that desire to have a positive impact on the community, country, or world in some way. Across this series of articles, Daniel Fitzsimmons explores the role of customer-centricity as a mechanism to support the delivery of superior customer experience and business profitability. Following from the first article in this series, in which Daniel covered the basics of customer centricity and initial ways to implement it into your organisation, this article applies these premises to the development of actionable customer satisfaction. Purposeful Value Creation Purposeful value creation involves the increased alignment of an organisation to a broader societal cause to secure a positive association with potential customers. As ethical consumption becomes increasingly important to consumers, brands must be increasingly sensitive to not only profit generation, but also the nature of the profit being generated. A customer-centric business purpose statement helps to project a company’s motives to prospective customers, and provides an impetus or bias with which to engage with your products or services. However, failure to fulfil a stated purpose can negatively impact brand equity, share prices, and future revenue generation, highlighting the need to embed purpose messaging within the fabric of the organisation. Purposeful value creation represents a key informant to customer journey mapping, consumer touchpoint messaging, and the identification of what matters to potential clients. Through increased alignment to customer values, you are better positioned to define the customer journey through your organisation, and secure future access to the customer’s wallet. Customer Journey Mapping Sales funnel formulation and market targeting typically focuses resources and efforts on ‘top of funnel’ customer acquisition and the development of velocity around transaction creation. When considering customer-centricity, greater focus needs to be given to Post Purchase Management, and securing customer loyalty through an improved customer experience. Post Purchase Management supports the creation of brand equity, reputation, and future opportunities. Effective customer journey mapping requires the identification of market segments, target consumers, and product positioning. Once you have identified targets, it becomes easier to map the offline-online interactions of target customers and how best to engage with each distinct customer persona, amplifying or quietening their voices as they contribute to business success. Customer Satisfaction Customer satisfaction and the creation of customer enjoyment should be at the forefront of your organisation’s culture. However, it necessitates a mechanism to collect and codify customer feedback related to the delivery of goods and services. Various mechanisms exist to support customer satisfaction identification, including: Kano’s model for customer delight Net Promoter Score Measures, ie. the likelihood to which you would recommend a service Customer Effort Score, identifying the friction associated with engaging with a product or service ACSI Measures, which address a) Overall satisfaction, b) Expectancy disconfirmation, and c) Performance versus the ideal product or service. While it is impossible to pick just one ideal method, and organisations will need to select a solution which best supports their insight creation process, we can confidently recommend the use of CSAT surveys as critical to customer-centricity and the provision of critical insights into products and services on offer. Conclusion When cultivating a customer-centric organisation, all ventures and operations should be directed towards the goal of customer satisfaction; inversely, you can be assured that your business is successfully customer-centric when you observe increased customer satisfaction. In this article, I have covered how best to integrate this goal into your business plan, ensuring it follows the same steps as your customer’s journey. In the next and final article in this series, I take these basics and outline ways in which technology can be leveraged to amplify these goals.
Would you feel comfortable flying in an aeroplane designed by engineers who only considered what might go wrong after they had built it? ‘Secure by Design’ (SbD) is not a technology, it is a set of principles to be adopted to improve business risk and resilience. It has strong similarity to conventional engineering practices, and it will save money by reducing wasteful rework. The critical first step is to understand the risks that the solution will be exposed to. Like Failure Mode Analysis in conventional engineering, these inherent risks form an essential part of the solution requirements. The design can then be a collaborative and iterative exercise of review and enhancement to meet the security requirements. Effort spent defining requirements before design and implementation is widely recognised to save time and money. The situation is no different with security requirements, but there are wider benefits as well, compared to addressing security late in the lifecycle: Security controls applied after design and implementation are more likely to restrict functionality, undermining overall user satisfaction and the return on investment Early engagement reduces the risk of budgets overruns, or having to accept inadequate security if you can’t secure the budget A well-documented set of risks, security controls and design decisions can then follow the solution through implementation and into operations, enabling future change to understand past rationale Above all else, late identification of risk and security requirements causes wasteful rework of the solution, which will cost time and money The key to success is defining the system scope correctly. If the scope is too great and encompasses a number of separate systems, then the benefits are eroded and the exercise becomes more akin to a homogenous enterprise risk assessment. If the scope is too small, the number of systems becomes unwieldy and unsustainable to assess and manage. It is not a Technology, and it is not New Despite what you might believe from some of the cyber tech product sheets, SbD is not a technology (for that matter, Zero Trust, which we see as a valuable component of SbD practice, is not a technology either). It is a philosophy or strategy, a set of principles that bring efficiency, consistency, and discipline to cyber risk management. You may find tools that help you to adopt these principles, and the practice requires a sound understanding of technology, but above all SbD is a human endeavour. Like many other buzzwords in the security community, SbD is frequently presented as something rather mystical, requiring specialist knowledge and attracting a new set of standards and vocabulary. We don’t hold with this concept; in our view, it ‘does exactly what it says on the tin’. It is about ensuring the system’s very design enforces security and mitigates risk rather than relying on sticking plasters applied after implementation. Whether those design features are preventative controls, controls to detect and respond to issues, or any other category, they will have been defined and tuned to the specific risks and characteristics of the solution in advance (and managed through life). The concept is not new. The benefits of early security engagement have been known for some time. But sadly, this has been frequently ignored. As the cyber security industry matures, and the frequency and impact of cyber attacks on businesses increases, the call for this discipline has been increasing. Governments are starting to mandate it in the standards and security governance of technology programmes. The Similarities between Digital and Conventional Engineering Most engineering lifecycles, not just those related to digital solutions, recognise the importance of spending adequate time defining the requirements. At the start of the programme, the level of uncertainty will be at its greatest. The purpose of Requirements Engineering is to reduce that uncertainty so that design and implementation can proceed with direction and to minimise the number of ‘wrong turns’ that have to be unwound. If you do not reduce uncertainty as early as possible, the problems grow as they move downstream, and solving them then becomes a disheartening exercise in ‘pushing water uphill’. Let us imagine that we want someone to build us a house. We would go to our local house building company and commission the job; if they get started immediately, the chances of the end result being anything like what we originally wanted would be almost zero. Where do we want our home located? How many bedrooms, bathrooms, and living rooms? What architectural style? What about the fixtures and fittings? We will identify everything wrong once the sub-optimal, ill-thought-out building is completed for our inspection. Putting those right at this stage will cost orders of magnitude more than they would have with an effective design phase. Worse, there will be many issues that we cannot put right without starting again, and, therefore, we will be left operating in a flawed and compromised solution. Where do we Start? So, how do we identify the security requirements for the design? What is Requirements Engineering in a security context? The security requirements are defined by the risks that the solution will be exposed to. One of the most important SbD principles emphases this by stating that you must ‘adopt a risk-driven approach’. These risks and your organisation’s appetite to accept risk determine the requirements for controls; or, to put it another way, the controls are required to mitigate the risk to a level that it is within your organisation’s appetite. Again, there are similarities with conventional engineering. Understanding the risks that the design must treat is similar to identifying the Failure Modes of an aircraft or other system. The risks need to be articulated so that all stakeholders can understand them, including by the non-technical and non-security communities. Getting all stakeholders to sign off on these inherent risks is crucial to ensure that everyone recognises the constraints the solution will be confined by. If you do not have a sound understanding of the risks before work starts on the design, let alone the implementation, then you are lacking an essential part of the solution requirements. Review, Collaborate, and Iterate Once you have the security requirements, you can feed them into the design process similar to functional requirements. Selecting appropriate controls to meet the requirements will undoubtedly require some specialist expertise. However, this is similar to the requirement for technical architects to be familiar with the technologies employed in the solution stack. This design process should be iterative. Requirements change, frequently due to learning in one iteration providing feedback into the next. The security requirements may influence the architectural approach to fulfil the functional requirements. Occasionally, a complete rethink may be required to adjust the functional requirements to meet the security constraints while also meeting the business needs. However, like the house-building analogy above, this time spent optimising the design will be significantly less than the time, cost, and disruption caused if security is addressed later in the lifecycle. Each iteration takes the proposed design, reviews the inherent risks to identify any that can be retired or if new ones have been created, assesses the residual risk given the existing security controls, and identifies additional security controls to reduce the residual risk to an acceptable level. Done collaboratively, this can introduce fast feedback into the design process, and, over time, the technical architects will become more familiar with security issues and their resolutions. Zero Trust’s Role in the Exercise, and Scope Definition Zero Trust is another trending buzzword frequently camouflaged with mystique, or hijacked as a ‘feature’ on product sheets. My view on Zero Trust is similar to my view on SbD: it should be easy to understand, and ‘does exactly what it says on the tin’. In design and in operations, we start from the baseline that nothing is trusted. Whether it is digital identities, devices, applications, or services, we can only trust them once we have an objective and explicit reason to trust them. We use the principle of Zero Trust extensively when applying SbD. By having no implicit trust in any identity, device, or service, we can decide on the minimum level of trust we need to enforce and the maximum level of trust that the entity can offer. If the maximum trust on offer is less than the minimum trust we need, then there is a design decision to be made about how we close the gap. It may be necessary to reduce functionality in order to reduce the required minimum. Or, we may need to put in place other compensatory controls to reduce the risk in other ways. Defining an appropriate scope of the system is key to success. If you set the scope too large, then everything is inside the ‘circle of trust’, and SbD becomes a homogenous exercise in enterprise security. If you set the scope too small then you will drown under the sheer quantity of projects to manage. The World is not a Greenfield Site, and Security is not a Fire-and-Forget Weapon The world is not a greenfield site, and there will be challenges retrofitting a SbD approach to the broad portfolio of legacy solutions. There is no simple or quick solution to this, it will be a case of progressively revisiting each project’s architecture and identifying the changes that will make it secure by design. But, risk can help us here too. Some projects or services will be sufficiently low-risk so that they can be tolerated until they are retired (so long as they are not trusted by any other more important system). The SbD approach lends itself well to a progressive rollout. SbD will limit the negative impact that a legacy system can have on a target system, because nothing outside of a project’s scope is implicitly trusted. You can only aim for a perfect world by progressively taking steps to make it a better world. In this article, we explain why risk management needs to be addressed at the design phase of projects. This does not mean that we believe this is the end of the journey. Security and risk management still needs to be managed in operations as new threats change the risk profile, or change is applied to a system. But with the foundations laid early in the lifecycle, the task of management through life becomes easier. The documentation generated by SbD should provide clear traceability between risks and controls. When a project is reviewed in life, the rationale behind previous decisions can be clearly understood, enabling change to be an informed process. Summary This article outlines why I believe applying the principles of Secure by Design avoids issues getting into operations, and saves time and money. If what I have described already seems obvious, then that is positive. However, from my experience, too many projects do not consider security to be an essential component of design. I believe that this is a missed opportunity, and, when applied correctly, it delivers solutions that are more secure and easier to manage.
"If you want to build a ship, don’t drum up people to collect wood, divide the tasks, and give orders. Instead, teach them to yearn for the vast and endless sea." —Antoine de Saint-Exupéry The need to communicate complex topics to third parties, whether they be executives, stakeholders, or potential clients, is a universally recognised challenge across industries and sectors – particularly doing so in a way that connects with the people behind these roles. You can enter a meeting with all of the evidence, data, insights, and analysis, but unless you make an emotional connection with your audience, you are only going to get halfway there. In other words, you might win their minds, but how are you going to win their hearts? In this article, Mauro Mortali, Senior Partner for Strategy and expert in leveraging the power of narrative to convey a message, details how to apply age-old story structures and techniques in a business context to amplify communication and build positive working relationships. This approach of using the power of story is a key part of how Cambridge MC delivers Strategy Development projects. The Science of Story The practice of storytelling is an intrinsic component in the genetics of human nature and our history. Cave paintings may be comprised of pictures rather than words, but they still tell a story and represent the way in which constructing narratives is as old as communication itself. Since then, story has proved invaluable for enabling us to share experiences, transfer knowledge, and build social connections. In fact, there is evidence to suggest that story is the primary lens with which we interpret the world and digest our day-to-day lives. Though it may seem reductive, our brains are constantly creating a world for us to understand our experiences, populated with ‘good guys’ and ‘bad guys’, main characters – Me! – and deuteragonists – You. All of our milestones, memories, and goals, become the plot-points that tell the story of our lives. This makes them the perfect, universal language with which to engage with other people. Our brains respond positively and attentively to stories because they eliminate distraction and help us to remain focused on a particular topic or message. We register stories with the same receptors that detect speakers, giving them the ability to reach our psyche quicker and facilitate a shared experience. In a Board Room Far, Far Away So how can we apply these practices and principles to our working life? In short: decision making is driven by emotion first and rationality second. We spend a lot of our time justifying decisions that we have already made with our gut. Fundamentally, organisations are systems of people who are characterised and steered by their emotions, and so organisations should be considered to be a network of collected emotions. Thus, data may speak to a person’s rationality, but it is often not enough to influence their actions or their decisions. Stories are significantly more powerful for the way they capture someone’s emotions, and so the language and narrative you use to frame your data has much more authority. Below are several techniques that you can use to strengthen this framing to facilitate an emotional connection with your audience. Narrative Arcs A narrative arc can be a useful tool for structuring a speech or proposal to make its delivery more cohesive, relatable, and dynamic. There are numerous classical arcs which you can extrapolate to fit the message you are seeking to convey and suit the tone you are hoping to create. The Cinderella Story, for example, provides an inspiring rags-to-riches trajectory which communicates hope, optimism, and determination. Man in a Hole (a person leading a perfectly bearable life finds misfortune, overcomes it, and then is much happier afterwards) is useful when encouraging someone to escape from a stagnating situation. And when you need to face your fears, or empower someone to do the same, Overcoming the Monster (an underdog story where the main character sets out to destroy a greater evil of some kind) provides a positive framework for success. The most common and popular, however, was uncovered by Joseph Campbell (1904-1987) in the 1940s, upon collating and studying all available myths, legends, and fairytales across the world to compare them for similar patterns and structures. Following this thematic analysis, Campbell coined the Hero’s Journey , a monomyth which can be applied to nearly all protagonists between classical and modern fiction, and now the boardroom, following their journey from the call to adventure, initial resistance, influence from a wise mentor, and ultimately pursuing their mission. Simplified, this becomes a universal and accessible three-act structure of Context / Conflict / Resolution (known to some as SOAR: Situation, Obstacle, Action, Result) which can be used to frame any story and give it an emotional, uplifting ending. Hook, Line & Success When you begin a story, open in a way that immediately captivates your audience, and sustains their engagement and belief in what you are about to reveal. These are referred to as hooks , and, similar to narrative arcs, there are numerous different kinds that you can use. For example: Provocative Question: Intrigue your audience with a provocative question that compels them to learn the answer, e.g. What if a single app could revolutionise the way we manage our health? Personal Anecdote: Speak to the human, emotional side of your audience by pulling from your background or that of your company, e.g. Five years ago, our founder was living out of a van chasing a dream; today, that dream is a $1million enterprise. These represent only a couple of examples, but it is important to remember that the rule of first impressions applies just as much to your story as it does to you, so open with something charismatic that will make your audience want to learn the rest. Know Your Audience Choosing a hook to open your story can be coloured by a keen and informed understanding of your audience. Specifically, predicting how they will respond to a topic is dependent on knowing their comprehension of it before you begin. One way to visualise this is through the idea of a Story Ladder , which extends from a place of no awareness on your given subject or message, and lands in a place of actionable understanding. The rungs in between represent all the stages of knowledge which it takes to get from one end to the other—and thus it is unrealistic to expect your audience to be able to jump multiple rungs at a time. Before addressing your audience, first acknowledge where on this ladder they are to anticipate where you would like them to end up, and how you will manoeuvre them there. Another way to imagine this ladder uses a more emotional structure. If you view the top of the ladder as a feeling you want to produce, you can use the rungs as stages to work out how you can produce an emotional pay-off. Happily Ever After We will finish our story with a reiteration on the importance of speaking to the hearts of your audience, as well as their minds. One half of this may be supported by data, facts, and figures, but the rest is ensured by a relatable, thought-through, and structured delivery which speaks to the human, rather than just the client/employee/stakeholder/etc. This can be informed by turning to the idea of story, a premise which everyone has grown up with, whether consciously or not, and thus envelops a social feeling of community, and amplifies your message with importance and universality. In this article, we have detailed the basic methods of forming this structure and improving how you frame your narratives, but for further guidance and information on this topic and how Cambridge MC uses story within Strategy Development Projects, get in touch with Mauro Mortali , Senior Partner for Strategy.
Our demographics and the moral value that we place on life as a society mean that our military must rely on technology to an ever increasing degree in order to exploit its advantages. However, the increased dependence on support from suppliers transforms the supply chain into an extended part of the networked battlespace, and thus its security and resilience has become a critical concern. Capabilities with a Competitive Advantage also Bring New Vulnerabilities In general, any new capability that has given our military a competitive edge also brings with it new vulnerabilities. A recent example is the introduction of GPS and other navigation systems. When these became widespread in the 90s, the risk of getting ‘geographically embarrassed’ was reduced, and thus members of the army bought consumer GPS receivers for personal use on exercise and operations. Thus, this capability represented a significant advance, and the joke that ‘the most dangerous thing in the combat zone is an officer with a map’ became less relevant. However, skills like map reading need to be learned and practised, and as such the more we rely on technological aids, the more we atrophy muscle memory . How many of us follow phone directions, only to realise we haven’t learned the route and have no feel for the environment we have just travelled through? This effect is organisational as well as individual. The strive for achieving efficiency through digital transformation has led to fragility, with the loss of capacity and capability when digital services are disrupted. The global IT failure caused by CrowdStrike overnight on the 18-19th July demonstrates this clearly; in just a few hours, a software update crashed 8.5m computers globally, severely disrupting banks, airlines, rail services, healthcare, and other critical services. Maintaining full capacity in a reversionary mode is not economically viable once core business processes have been digitally optimised. However, reducing the likelihood and impact of a systemic incident like this requires systems to be designed with resilience from the outset. Good Cyber and Data Security is about Much More than Preventing Data Leaks It is natural to assume that maintaining data security is primarily about preventing someone from stealing confidential information. Granted, this has been an important consideration since spies first operated; this is why we classify and compartmentalise information. However, confidentiality is only a part of the problem. If we look back at the trends over the last decade, many of the most damaging attacks have been ransomware. In these incidents, the attackers deny their victims the ability to access their own information until they pay a fee. It is also vital to ensure that information is not modified covertly. It is an intriguing aspect of human nature that people frequently assume the information presented on a computer is completely accurate, when they would not have the same trust in information provided by a human. When serving, I saw staff officers assume that a unit’s location displayed on a digital map was accurate to within metres and always up to date. They knew, though, that the underlying information had been reported by a human to another human, over the radio, sporadically, and as an approximate six-figure grid reference. That instinctive belief in digital accuracy contrasts with the physical map table, where the information was recognised as inherently vague and out of date. Protecting the availability of information and preventing its modification is just as important as preventing it from falling into the wrong hands. Why do we need to care? What is the threat? What must we protect to preserve our fighting power and freedom of manoeuvre on military operations? How could malicious actors undermine military capability? We first need to step above the world of ‘bits and bytes’ and decide what maligned intents might target us. The following are just a few examples, but they illustrate that the systemic nature of our digital landscape makes the risks far more complex and nuanced than they first appear. Espionage Espionage is as old as human conflict. Two and a half thousand years ago, Sun Tzu wrote a whole chapter on the importance of espionage and the use of spies. It is practiced across all contexts from the grand strategic and political levels , down to the compromise of tactical communications and devices . Espionage is also rife across the defence industrial base to gain insight and intellectual property about future weapon systems so that they can be countered and copied . Capability Denial Even with Mission Command to empower and delegate, any operation relies on the efficient flow of information and commands to exploit opportunities and achieve the desired effects. This makes Command and Control capabilities a ripe target. One hour before Russia launched its full-scale invasion, it attempted to disrupt Ukraine’s C2 capabilities by executing a cyber-attack on the communications company Viasat . Disruption of communications bearers is an obvious approach, but a widespread attack on networked computers would be more complicated to recover from. And, as we realise the vision of an ‘ Internet of Military Things ’, described recently by the UK Chief of General Staff, by networking all elements of battlefield equipment, digital denial could extend across those platforms, disrupting intelligence, logistics, mobility, and fires. Subversion & Deception Subversion and deception are already directed at our personal lives; phishing attacks, spoofed websites, fake news, trolls, and bots all attempt to manipulate the way we think and act. A notable case involved an AI-generated deep-fake of a company CFO on a video conference call, leading to criminals defrauding Arup, a UK Engineering firm, by HK$200m (US$25m) . It may be a while before we see Microsoft Teams in the trenches, but reachback from formation headquarters to the home-base is nothing new. Are we prepared for remote support into theatre, provided by partners and suppliers, being used as a vector to conduct highly realistic live deception and socially engineered attacks like the one Arup experienced? Degradation of the Moral Component The moral component – the ability to get people to fight – is the pre-eminent of the three essential elements that make up fighting power according to the UK defence doctrine . Many things would influence it, but a sense of confidence in the security and wellbeing of a soldier’s family at home is a key one. What if the family at home couldn’t access money because the military payroll system had been attacked? How quickly would force motivation and cohesion on operations deteriorate? What is Being Done, and What More Should We Do? The UK government has recognised the threats and risks for some time, and it has done a lot to reduce them. Cyber security has been recognised as a fundamental part of national security for over a decade, with the Defence Industrial Sector identified as critical national infrastructure . The Ministry of Defence’s (MOD) recent shift in governance policy to demand that systems are Secure by Design , and that a programme’s Senior Responsible Officer takes ownership and responsibility for risk, is significant progress. However, threat and risks are not static. Foreign state hacks, both covert and overt, have risen with geopolitical instability . In the most recent National Cyber Security Centre’s annual review, they specifically described the intensity and pervasive nature of the cyber threat from Russia. Cyber-attacks against our information, digital services, and infrastructure, will be a core component of any hybrid war, not least because of their deniability. We can see this today with attacks that closely correlate with the Kremlin’s interests and motivations, such as the recent attack by Russian hackers on NHS partners in London . Fragile networks are only as strong as their weakest link. For some time, the defence ‘network’ has spanned the wider defence enterprise, which extends deep into the supply chain. Our need to maintain technological advantage and agility means we will need to source innovation far beyond the traditional Defence OEMs, and we will need to get updates into theatre quickly and frequently. This makes the supplier of a digital ‘widget’ part of the operational network, even if they’re not connected to it. So, the extended network is expanding and becoming increasingly operationally critical, and the capabilities and motivations of the geopolitical threats we face are evolving. What was adequate five years ago is unlikely to be sufficient for the next five. There are many steps that can be taken to respond to this change, and the following three focus on resilience in the extended defence network: Threat Escalation Contingency Planning All networks have non-critical capabilities that deliver softer benefits and efficiency. However, every piece of software, network segment, or service presents a part of the surface that can be attacked. When the threat escalates, we can reduce our attack service by pre-emptively switching off non-core services, and further segmenting critical capabilities, all at the expense of efficiency . There is evidence that Ukraine’s resilience in the face of Russian cyber-attacks in 2022 benefitted from this preparation . Preparing and testing these measures takes time and imposing it on suppliers will also have commercial consequences. Enhanced Continuous Supplier Assurance Supplier assurance for cyber risk has been an element of MOD risk management for some time, albeit the tools to facilitate it have been limited since the Octavian Supplier Cyber Protection Service was retired without replacement in 2021 . However, when the scope of the networks at risk increases and the threats evolve, we need to change our posture. This will affect the suppliers to focus on, the questions we ask, and the standards we expect. Assurance needs to be flexible and dynamic; threat changes may require targeted or widespread reviews at short notice, with commercial as well as practical implications. Cyber Stress Testing The Bank of England introduced its Critical National Infrastructure Banking Supervision and Evaluation Testing ( CBEST ) in 2014 to assure operational resilience in the UK financial sector. Implementing the Defence equivalent of CBEST would take some significant time and effort to deliver results. However, without this type of activity, there is insufficient objective evidence that risk and resilience are tolerable. Conclusions Our demographics and the moral value we place on life as a society mean our military’s ability to deter and, if necessary, defeat a belligerent nation-state, will rely on it exploiting technological advantage. The evolution of conflict in Ukraine also demonstrates that industries will need to be able to deliver digital enhancements to that technology rapidly into theatre to maintain an advantage. But this introduces vulnerabilities well beyond the boundaries of Government departments and their Tier 1 suppliers. If the enemy can exploit these vulnerabilities, the impact would be significantly greater than the equivalent several decades ago. The increased dependence on agile reachback support from suppliers makes the supply chain an extended part of the networked battlespace, and their security and resilience are critical components of the risk calculus. A lot of progress has been made over the last ten years. But this period has also demonstrated that we should expect a cyber-capable adversarial state to do against us. To prevent and, if necessary, prosecute a war in the future, we need to not just maintain, but significantly enhance our management of risk in the defence supply chain. To find out more about our Cyber Security services and security philosophy, check out our service page . To contact Tom Burton and arrange a free consultation, use the form below or email Tom at tburton@cambridgemc.com .
Mauro Mortali
Senior Partner - Strategy & Leadership
With over 25 years of experience in both leadership and governance positions across the corporate, education, and charity sectors, Mauro Mortali is a Senior Partner for Cambridge Management Consulting within our Strategy Practice. Having held senior strategy and innovation positions, Mauro blends traditional strategy capabilities such as deep insight, analysis and critical thinking with the collaboration, creative and co-creation skills of Design Thinking. One of Mauro’s passions is narrative development and storytelling, and he brings this into his strategy work in order to enable his clients to win the hearts and minds of their stakeholders and customers.
Mauro’s role with Cambridge MC is to help organisations design, develop, and deliver strategies with an emphasis on activation to achieve their goals. Mauro is also an executive coach with a focus on performance and wellbeing, working with both individuals and teams to identify and maximise their strengths. This also enables him to bring a human-centred approach to strategy development.
Our team can be your team
Our team of experts have multiple decades of experience across many different business environments and across various geographies.
We can build you a specialised team with the skillset and expertise required to meet the demands of your industry.
Our combination of expertise and an intelligent methodology is what realises tangible financial benefits for clients.
Our Strategy Experts
Jeff Owen
M&A Lead
A highly-experienced COO/Operations Director, board member, and consultant in the Telco sector, Jeff holds an impressive track record of creating scalable operational infrastructure to drive profit from commercial activities with Six Sigma methodologies.
Get in touch with our Consultants today
OUR OFFICES
SUBSCRIBE FOR LATEST INSIGHTS
FOLLOW US
THE FINE PRINT
