Cyber resilience is the ability of an organization to anticipate, prepare for, respond to, recover from, and adapt to cyber threats.
Ideally, a cyber-resilient organization can withstand both known and unknown crises, threats, adversaries, and other challenges, explains Dave Adkins, a lecturer and undergraduate director of cybersecurity at the State University of New York at Albany. “It's the ability to continue operations as close to normal as possible,” he notes.
Cyber resilience is a must-have for modern organizations, because the reality is that no business is too small, too obscure, or too off-the-radar to be hit with a cyber attack, warns Jerrod Piker, a competitive intelligence analyst with cybersecurity firm Deep Instinct. “As more advanced attack campaigns trickle down to mainstream hacker groups, organizations must keep abreast of the threat landscape and harden their defenses to avoid being victimized.”
At a macro level, being cyber resilient means an organization can maintain critical business operations even during a cyber incident while limiting potential impacts on their ability to generate revenue, explains David Chaddock, director of cybersecurity for digital services firm West Monroe.
Yet there's far more to cyber resiliency than simply possessing the ability to respond to and recover from a cybersecurity event. “Truly resilient organizations are also able to efficiently absorb, implement, and adopt new initiatives and security controls -- both technical and procedural -- at scale and at a faster rate,” Chaddock notes. “The result is fewer security exceptions, which means less of a backlog to remediate, and more time spent on higher-value strategic efforts.”
Understanding the cyber-threat landscape is critical, since the threat is not evenly distributed among geography, demography, or sector, says Mark Weatherford, chief strategy officer with the National Cybersecurity Center, a non-profit cyber innovation and awareness organization. He notes that NIST 800-160 is widely viewed as a de facto standard for cyber resilience, and that both enterprise and IT leaders need to prioritize how resources are distributed in order to fully understand their technology assets and their relationship to critical systems.
Cyber Resilience Planning
Creating a cyber-resilience plan requires buy-in and input from all parts of the organization, including finance, IT, and operations. “It’s important that departments work together to classify information and risk, as well as to determine where to put controls and where responsibilities lie,” Piker says. “Once a plan has been agreed upon, a budget must be carved out to fund the actual implementation of the plan.”
It's important to engage the entire organization. “This is not just a technical issue under the control of a CIO or CISO,” Adkins says. “Your employees and vendors can play a critical role in spotting potential attacks to limit their impact.”
Additionally, with the continuing trend toward remote work, employee cyber awareness and training is more important than ever. “This means formal policies, training, exercises simulation, and ongoing analysis of risks,” Adkins says.
Adkins advises organizations to use tabletop exercises to test incident practices and times. “It's much easier to fix a flaw in your planning and processes when you’re not in the middle of a crisis,” he says. “In the heat of an incident, mistakes are made, and poor decisions are often the result, impacting a rapid return to normal operations.”
Adkins also suggests creating an expanded testing program. “Consider engaging red teams, or external penetration testing, to provide an external viewpoint,” he recommends. “Plans are a great beginning but testing and refining–and adapting to new threats–are the keys to remaining resilient.”
The Enemy Within
“The enemy isn’t hackers, it’s apathy,” Weatherford observes. “Unfortunately, there are still a large number of business executives who believe they can continue to roll the dice and avoid applying appropriate resources,” He notes that far too many organizations fail to test their cyber resilience by “hacking themselves” -- conducting regular vulnerability assessments, penetration testing, and other standard cybersecurity exercises,
“Simply put, there is no finish line when it comes to security,” Chaddock says. “It takes everyone at the organization to help protect its assets.”
Five Steps to Achieving Cyber Resilience
In conclusion, Chaddock suggests following five steps to reach a state of full cyber resilience.
1. A clear strategy – Define and communicate a shared goal and raise awareness of risk (threats, impacts, risk tolerance) so everyone is aligned on the path forward.
2. Governance – A system of checks and balances is necessary to foster a “trust but verify” culture. It's also important to have well-defined KPIs/KPEs that are actionable and measurable to enable more informed decision-making.
3. Strong collaboration – There are many stakeholders beyond IT and security that need to have a seat at the cybersecurity table. Security is not solely an IT problem; communication is paramount.
4. A holistic approach – Equal focus on all domains of the NIST CSF is required, not just protection capabilities. Investment in respond-and-recover functions is also necessary.
5. Practice – Start by documenting incident response plans, then practice the strategy with internal response or critical system isolation exercises at least annually. Doing so will exponentially increase the security team’s response-time.