Cybersecurity in the United Nations system organizations (JIU/REP/2021/3)

In today’s digitalized world, cybersecurity has emerged as a matter of importance for international organizations, and the United Nations is no exception. The Joint Inspection Unit released its report on cybersecurity in the United Nations system organizations, observing significant differences in the approach the participating organizations have taken in their respective responses to cybersecurity threats and in the maturity of their cybersecurity frameworks. Not intended as a technical assessment of the operational arrangements in place across the organizations, the report identifies a series of elements likely to improve the corporate cybersecurity posture of the United Nations system organizations and their capacity to identify, prevent and detect cyberthreats, as well as to respond to and recover from incidents.

A strong cybersecurity posture for any organization results from a multifaceted, whole-of-organization approach cutting across several organizational domains and competences, including information and communications technology, risk management, physical safety and security, and information and knowledge management more broadly.

From a system-wide perspective, the weak individual cybersecurity posture of one organization can represent a collective problem for the system as a whole. Determining a basic level of protection and minimum defence requirements for the United Nations system organizations, and thus for the system as a whole, is therefore a collective responsibility.

To that end, improving linkages between the system-wide strategic direction provided by well-established inter-agency mechanisms dealing with cybersecurity and existing operational capacities to implement shared solutions must be a priority. In addition, more direct support for the implementation of shared solutions through voluntary donor contributions as a complementary funding mechanism could remove some stumbling blocks in safeguarding the overall cybersecurity posture of the system.

Opportunities for a closer alignment of physical security and cybersecurity in both institutional and operational terms have yet to be explored and studied more comprehensively. The two domains undeniably intersect in practice, but the link between physical security and cybersecurity remains understated in the corporate architecture of organizations to date, which is also true at the system-wide level.