Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts have begun using the term “cyber resiliency.”

The concept of cyber resiliency stems from an understanding that the threat landscape is so diverse that you must be able to withstand attacks, not simply prevent them. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even while it is under attack.

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework (SP 800-160 Volume 2) that provides detailed steps organizations can take to minimize the impact of attacks. The overall framework can be broken down into four basic goals:

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes the preventative measures usually found in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also preparing for an attack. This includes having an incident response plan in place, as well as deliberately changing your systems over time so that an attacker’s earlier reconnaissance stops being reliable.

2. Withstand  

Withstanding a cyber attack involves steps taken to limit the overall damage an attack can do, even if you haven’t detected the attack yet. In practice this means confining the attack to areas that can absorb damage without disrupting day-to-day operations, for example through network segmentation, so that a compromise of one system does not spread to the functions that matter most. You should also be prepared to remove and replace badly damaged systems outright rather than trying to salvage them.

3. Recover 

Before an attack ever happens, you should know exactly how you plan to recover from one. This primarily means being prepared to restore your systems to a known-good state from before the attack. Recovery strategies therefore depend heavily on having good backups that you test regularly, that an attacker who has compromised your production systems cannot also alter or delete, and that you restore only after closing the weakness the attacker used, so the restored systems are not compromised again the same way.
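As an added example (not from the article or from NIST), here is one way to make “backups that you test regularly” concrete: take a backup, record a SHA-256 manifest of its contents, then restore it into a throwaway directory and check every file against the manifest. The file names, file contents and manifest format below are constructed for the demonstration; real backup tooling will differ, but the check is the same.

```python
"""
Added example: prove a backup can actually be restored and that the restored
files are exactly what was backed up. Paths, contents and the manifest format
are constructed for this demo and are not taken from any particular tool.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar.gz of `source` and return a manifest {relative path: sha256}.
    The manifest is what a later restore test is checked against."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and compare every file to the
    manifest. Returns a list of problems; an empty list means the backup restores
    cleanly and its contents are exactly what was backed up."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        # Python 3.12+ (and patched 3.8-3.11) ship extraction filters that refuse
        # absolute paths and '..' traversal inside an archive; use them when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **kwargs)
        except Exception as e:  # tarfile, gzip and zlib raise different error types
            return [f"archive unreadable: {e}"]
        for rel, expected in manifest.items():
            p = scratch / rel
            if not p.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(p) != expected:
                problems.append(f"hash mismatch: {rel}")
        restored = {q.relative_to(scratch).as_posix()
                    for q in scratch.rglob("*") if q.is_file()}
        for extra in sorted(restored - set(manifest)):
            problems.append(f"unexpected file: {extra}")
    return problems


def demo() -> tuple:
    """Build a small sample tree (constructed data), back it up, verify the backup,
    then corrupt one byte of the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "src"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")  # constructed sample config
        (src / "db.sqlite").write_bytes(os.urandom(4096))       # stands in for a data file
        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)
        # Keep the manifest outside the backup store (ideally signed) so whoever can
        # tamper with the archive cannot also rewrite the expected hashes.
        (work / "backup.manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_restore(archive, manifest)
        # Simulate silent corruption or tampering: flip one byte mid-archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        corrupted = verify_restore(archive, manifest)
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("intact backup:", clean or "OK")
    print("corrupted backup:", corrupted)
```

Running `demo()` returns an empty problem list for the intact archive and a non-empty one for the corrupted copy. The point of the scratch-directory restore is that a backup job reporting success tells you nothing about restorability; only an actual restore does, and doing it on a schedule is what “tested regularly” means in practice.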

4. Adapt 

At bottom, adaptation means understanding that as the threat landscape changes, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your systems as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to connect leadership-level business risk management strategies with the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security, and the same goes for cyber resiliency.

Because many executives don’t come from a cyber security background, it may seem to make the most sense to leave the responsibility to the IT department or to someone trained in security. However, cyber resiliency is as much a function of culture as anything else: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three things business leaders do that make them essential to any cyber resiliency policy:

1. Scale

The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already under way.

2. Train

Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key to investing in and maintaining robust training programs.

3. Collaborate

Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting a cyber resiliency policy in place requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, up-to-date intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.

Unlocking Strategic Value through Cybersecurity Tiering

One main challenge in implementing proper cybersecurity policies is that there is no one-size-fits-all solution. In some respects, though, this isn’t a bad thing. What solutions a business needs depends on several factors, such as size, industry, and the type of data being stored. If every business followed a single set of security solutions, some would end up over-protecting their assets, while others would be under-protected.

There are, however, a number of widely accepted security standards that strike a balance, giving organizations an outline of what to implement based on their overall business strategy. A good example is the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF).

One misunderstood aspect of the NIST Cybersecurity Framework is the use of implementation tiers. Rather than being progressive maturity levels that every business should climb, the tiers characterize the firm’s current approach to cybersecurity risk management and relate it to a target tier that meets organizational goals and is feasible to implement. Businesses can then go through each category and subcategory of the framework core, noting what they are doing today within their current tier and what they would need to be doing to reach their target tier.

The Tiers

Here is a brief outline of NIST’s four implementation tiers to help your organization begin to evaluate where you stand now and where you want to be.

Tier 1: Partial 

Organizations at this tier have no formalized risk management practice and respond to threats in an “ad hoc and reactive manner.” At the organizational level, risk management is carried out on an irregular basis, without any set process for sharing cybersecurity information throughout the organization.

Tier 2: Risk-Informed 

The risk-informed tier is for organizations whose risk management practices are approved by management but may not be established across all levels of the organization. Cybersecurity processes are prioritized based on the organization’s risk objectives and business requirements, but risk information is only shared throughout the organization on an informal basis.

Tier 3: Repeatable  

Businesses at this tier have formally approved cybersecurity policies that are well-communicated across all levels of the organization. The organization’s cybersecurity processes are regularly reviewed based on changes in threats and technology. Employees are also properly trained and able to carry out their specific roles related to maintaining the organization’s cybersecurity practices.  

Tier 4: Adaptive  

Finally, organizations in the adaptive tier are those where cybersecurity risk management is part of the business’s overall culture, and that effectively adapt their practices based on lessons learned and predictive indicators. Cybersecurity risk and business objectives are fully integrated across all levels of the organization and are considered in every business decision.

Tier as a Strategic Lever

Businesses should not blindly implement cybersecurity controls. Instead, organizations should think carefully about their position with regard to risk — from the board level, to governance, to marketing — and make informed decisions about where they want it to be. A benefit of NIST’s tier system is that it can serve the overall business strategy rather than being simply an exercise in cyber risk management. That’s because a company’s position and goal with regard to any risk (from cyber risk to market risk to capital risk) is an articulation of the value it brings to its stakeholders. If a firm is currently at Tier 1 in its cybersecurity, how does that affect its value proposition to its customers? What limitations does it impose on capital allocation? If the organization worked toward the repeatable tier, what opportunities would be unlocked (and, conversely, what markets might it choose to walk away from)?

Businesses that view tiers and cybersecurity risk as value creators rather than a compliance exercise will find that this creates sustainable advantages in a marketplace increasingly engaged with, and attuned to, digital protection and privacy.