
Cyber Incident Interoperability
“Interoperability is defined as...
the extent to which organisations can work together coherently as a matter of routine”
What is Cyber Incident Interoperability?
Cyber Incident Interoperability means the ability of organisations to work together coherently as a matter of routine whilst responding to a cyber security or hybrid incident.
It includes how Cyber Security Incident Response Teams (CSIRTs), Emergency Services, private sector responders, and others, are prepared to work together effectively to minimise the real world impacts of a cyber incident.
What is JESIP?
The Joint Emergency Services Interoperability Programme (JESIP) was established to bring about changes at the operational level that lead to the emergency services working together more effectively in response to major incidents.
Is there a ‘Cyber JESIP’? Do we need one?
JESIP is traditionally used by ‘blue light’ services rather than cyber security incident responders. However, the development of hybrid warfare practices, the integration of technology in societal wellbeing, and the reliance of people on digital services mean that the likelihood of a cyber or hybrid cyber incident having a real-world impact has never been higher, and the potential impact of such incidents on life and wellbeing has increased. This creates a need for effective collaboration between cyber incident responders and emergency services, and therefore a need for interoperability.
Three possible approaches include:
Creation of a separate ‘CyberJESIP’ framework
Identifying the highest value elements of emergency services protocols and embedding them into existing cyber standards
Aligning cyber standards with emergency services protocols by creating common implementation playbooks
Do existing cyber incident management frameworks cover this?
No. Existing cyber incident management frameworks (such as NIST or ISO) are generally designed with single organisation response in mind, with suppliers and customers involved in the incident response process as external stakeholders. Interoperability means having the ability to mount a single response to an incident that impacts multiple organisations. Existing Cyber IR protocols are not designed to do this.
Can existing protocols simply be applied to cyber?
Key challenges in applying existing JESIP protocols to cyber include language and communication, the global impacts of cyber, and different professional approaches, tools and training. For example:
Co-location in JESIP is generally considered to be physical co-location, but in a cyber incident is likely to be virtual. This raises a different set of challenges and needs.
JESIP is a UK protocol with other countries having different approaches, but many severe cyber incidents are international.
Cyber Incident Response standards such as NIST SP800-63 or ISO27035 are high-level frameworks that are applied differently in each organisation, whereas Emergency Services tend to have common (and therefore more interoperable) implementation approaches.
Where can I read more?
I presented on this topic at FIRST 2025 in Copenhagen; you can find the supporting information for this here.
How can I discuss this with you?
I’m happy to discuss this further. It is a common (though unsolved) issue, and there are many different views and approaches. Please do connect here, at work or on LinkedIn.