5 Steps CISOs Can Take to Ensure Resilience

Recovering from a cyberattack is as important as defending against it. Chief information security officers need thorough recovery plans to ensure resilience and win the support of top execs.

James Doggett, CISO, Semperis

July 11, 2024

4 Min Read
stick figure stopping other sticks from falling
Mark Rademaker via Alamy Stock

The chief information officer’s job is becoming untenable. Security leaders struggle with limited resources to ensure protection in an increasingly dangerous threat landscape while trying to overcome a communication gap with C-level executives that hinders mutual trust and understanding. 

In fact, a recent report by FTI Consulting showed a disconnect between CISOs and executive leaders. The report showed 82% of CISOs feel the need to paint a rosier security picture than is justified by reality. While, for their part, 30% of execs felt CISOs were reluctant to talk about their organization’s vulnerabilities. But in the event of a breach, one thing is always clear: CISOs will get 100% of the responsibility -- and the blame

Even with ample resources and technologies, hacks will happen. To bridge the divide and gain greater buy-in from the executive suite, CISOs need to focus on a critical aspect of security that is sometimes overlooked: resilience. 

Ransomware, the current scourge of organizations across many sectors, affected 75% of organizations in 2023, according to Veeam’s 2024 Data Protection Trends Report. Being able to quickly identify, respond and recover from an attack -- in a word, resilience -- is just as important as protection. But historically, CISOs spend most of their time focused on prevention and detection. As a CISO of several large corporations, I rarely focused on recovery. I was more focused on compliance and preventing and detecting anomalies. But, today, resilience must take priority. 

Related:The CISO Role Is Changing. Can CISOs Themselves Keep Up?

Here are five steps CISOs can take to bolster security and ensure recovery, while putting both the organization and their role on a path to resilience. 

Preparing Systems (and People) for Recovery 

1. Harden your systems: This is obvious and applies to any scenario, whether the goal is resilience or not. It’s best to work within a risk management framework, identifying the systems that most need protection because they are mission-critical and/or most likely to be attacked (which should lead you to resilience in today’s environment). In the current climate, identifying critical systems and understanding how those applications and infrastructure impact the company if not available is a starting point. A great (and commonly overlooked) example is a company’s identity system. Most focus on the accurate provisioning/deprovisioning, but what about the security of systems like Active Directory (AD) or Entra ID? If those systems are down, I suspect the entire company is down. 

Related:SolarWinds, CISO Targeted in SEC Lawsuit

2. Adopt an “assume breach” mindset: This is critical to defensive security and recovery. A mindset that assumes systems have been breached helps you maintain focus on the most vital systems from a risk perspective. It can also help direct investments toward improving detection and response, such as implementing continuous monitoring and anomaly detection. An assume-breach approach can also convince organizations to prioritize response plans, since you’re assuming they are needed now. Also, based on my experience, don’t be hesitant to change your mind. I’ve found many CISO’s don’t want to go back and ask for a change in budget or where the budget is going to be spent. Things and risks change, and we must have the courage to adapt for the good of the company. 

3. Develop robust recovery plans: A thorough strategy for recovering from an attack is essential. Start by focusing on the most mission-critical systems -- the ones your organization cannot do business without. And this includes not only critical business applications, but also the infrastructure software the key applications are dependent on. You need to know how quickly you can restore those systems (including infrastructure) with a detailed plan. It’s also important to have a clear governance plan defining who is responsible for its specific steps during recovery. Wherever possible, you should also have backups stored offline where they are protected from attack. This can help speed recovery or allow an organization to maintain operations while an attack is underway. 

Related:How to Evaluate a CISO Job Offer

4. Test your progress with tabletop exercises: The keys to effective tabletop exercises are the extent of preparation and the depth of the simulations. When an attack occurs, it’s important to know how quickly critical apps can be restored. Don’t make assumptions. And test every scenario. In my prior life, we assumed certain infrastructure pieces would be available and focused primarily on critical applications. This doesn’t work in a real outage. I assumed AD would be restored like any other infrastructure, only to learn the hard way it takes many steps and much time to recover. Without testing, it’s hard to know. 

5. Educate the workforce: With recovery plans in place and the results of tabletop exercises, you need to increase education about resilience among your team. But don’t stop there -- focus on educating the entire company. A security culture that includes prevention, detection, response and recovery must involve the entire organization, from top executives through the rank and file. 

A More Resilient Future 

Resilience depends on an organization-wide understanding of security, and that depends on communication. Taking clear steps toward ensuring effective response and recovery while educating the workforce and explaining the process to executives in business terms they understand can help provide resilience for the entire organization -- and the CISO’s job. 

About the Author(s)

James Doggett

CISO, Semperis

James Doggett is the CISO at Semperis and a veteran in the information security and risk space. He previously served as partner at Ernst & Young, where he helped build the company’s cybersecurity practice during his 27-year tenure. Before Semperis, Jim worked as CISO and head of US operations at Panaseer. He has also held positions as CTRO at AIG, CSO and CTRO at Kaiser Permanente, and managing director at JP Morgan Chase, where he was global leader of Information Risk and Resiliency, Treasury and Security Services. 

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights