It is important to select the right cyber security capabilities necessary to fulfil the scope and vision for a Smart City and the individual cyber security requirements. There may be potentially over 100 cyber security capabilities needed to support a large Smart City organisation and services. They could be chosen from a best practice framework like NIST CF or taxonomy provided by an organisation with specific expertise. The development of a decision tree may also help to consider the options and necessary choices.
| Capability Selection Decision Tree |
| 1 Where will the Capability be located? |
| 2 What will the Capability do? |
| 3 Who is best placed to provide the Capability? 3.1 Outsourced 3.2 In-house |
| 4 Why is the Capability needed? |
| 5 How is the Capability provided? |
| 6 etc etc… |
The strategy should explore if the capabilities are to be provided directly, outsourced or a hybrid of the two. Whether or not it is an in-house, hybrid or outsource strategy its success will be dependent upon the right capability mix and how they are defined. Similarly, for service capability, maturity and benchmarking, gaps and challenges should be met with clear capability definition and structure.
The NIST Cybersecurity Framework is a good starting point for the initial set of key capabilities:
The Identify Capabilities
The Detect Capabilities
The React Capabilities
The Respond Capabilities
The Recover Capabilities
| Further reading |
| Monitoring Strategies and Design Guides as well as Cyber Security Smart City Strategy |
Smart City Cyber Security 