Public-private partnerships – true partnerships, which advance the mutual interests of participants – are necessary for improving the cyber resilience of our organisations.

Through its Partnership against Cybercrime work, which seeks to build a global architecture for collaboration, the World Economic Forum says exactly that: ‘Enabling strong operational collaboration between the private and public sectors at the global level and combining their resources and capabilities are crucial elements in reducing the risk posed by cybercrime.’

National cybersecurity strategies, including the UK’s National Cyber Strategy 2022: Pioneering a cyber future with the whole of the UK (published in December 2022), also place significant attention on partnership. The first of five pillars in that strategy focuses on deepening collaboration between government, academia and industry, and goes further, asserting that for the strategy to succeed, the UK needs to ensure it has ‘the right people, knowledge and partnerships.’

Support for partnerships from such influential protagonists is certainly encouraging. But it is important that we dig slightly deeper to understand what good partnerships look like, how they work in practice, and most importantly the values that underpin them. We can learn lessons from this best practice and ultimately make progress in improving our cyber resilience.

In my experience, there are three key aspects that underpin successful partnerships:

Pragmatism
Of course, it is important for partners to align on strategic goals and objectives. But it is important for everyone’s expectations to be realistic and to recognise that there must be some empathetic give and take.

In some cases, this may mean flexibility and starting out by achieving some quick wins for both parties. For example, the UK National Cyber Security Centre’s (NCSC) Industry 100 offers the opportunity for private sector employees to gain experience of working in and with the UK Government – often on very specific projects, for a limited period and through flexible arrangements.

For example, beginning with a one-day per week commitment is likely possible for both parties and allows for realistic expectations to be set. Similar arrangements with financial sector organisations and the Cyber Defence Alliance are also extremely productive, especially the pooling of resources towards supporting the prosecution of cyber criminals.

Proactivity
This can include sharing expertise, skills and lessons learnt, threat intelligence or the tools, techniques and procedures of malicious actors. The UK’s Cross Market Operational Resilience Group (“CMORG”) does just that. Recent proactivity includes a guide for medium to large organisations on how to improve supply chain cybersecurity, compiled through the collective expertise and experience of CMORG, the NCSC and a range of financial institutions. Proactive sharing helps to engender trust and demonstrate that cyber resilience is a sector-wide issue, rather than a competitive one.

People
At the heart of developing strong and sustained collaboration is trust between people. Sometimes this can be through some of the formal mechanisms referenced above, but often this can also be through informal channels.

Membership bodies such as CIISec help facilitate these networks across sectors. More formal bodies such as CMORG rely on consistent membership and participation. At the core of this are individuals with the expertise and energy to share their knowledge and support their peers. Strong relationships, built over time, also allow for open and honest dialogue through which partners can be clear on the challenges they are facing or concerns they have.

Consistent across these partnerships is the desire, commitment and expertise to improve cyber resilience not just for our organisations, but for society as a whole. Without collaboration, the task will be far harder, so we must continue to learn, innovate and trust each other to work towards this goal.