Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”
The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack.
The Basics of Cyber Resiliency
In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework (NIST Special Publication 800-160, Volume 2) that provides detailed steps organizations can take to minimize the impact of attacks. The overall framework can be broken down into four basic goals: anticipate, withstand, recover, and adapt.
Anticipate. According to the NIST framework, the first goal of cyber resiliency includes the preventive measures usually found in cyber security policies. Anticipating a cyber threat, however, goes beyond prevention: it also means preparing for the attack you have not stopped. This includes having an incident response plan in place and changing your systems regularly, so that an attacker cannot count on a static target.
Withstand. Withstanding a cyber attack means taking steps to limit the overall damage an attack can do, even before you have detected it. In general, this involves confining the attack to areas that can absorb the most damage without disrupting day-to-day operations. You should also be prepared to remove and replace entirely any systems that are badly damaged.
Recover. Before an attack ever happens, you should know exactly how you plan to recover from one. This primarily means being prepared to revert your systems to a known-good state from before the attack. Recovery strategies therefore depend heavily on having good backups of your systems, and on testing those backups regularly rather than assuming they will work.
Adapt. At bottom, adaptation means understanding that as the threat landscape changes, your security policies and systems must change with it. You should constantly be looking for new vulnerabilities within your systems as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.
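The recovery goal above turns on one practical question: does the backup you plan to restore actually contain the known-good state, or does it carry the attacker's changes along with it? A backup that restores without error is not the same as a clean recovery. The following is an added example, not code from the original post or from NIST, showing one way to make "test your backups regularly" concrete: record a SHA-256 manifest of the system at backup time, then check a restored copy against it and report files that are missing, modified, or unexpected. The file tree it hashes is constructed inline for the demonstration; the `demo()` scenario, the paths, and the tampered contents are all assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at backup time.

    Store this manifest out of band (offline or on immutable storage): if it
    sits next to the backup, an attacker who edits the backup edits it too.
    """
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns the files that are missing, modified, or not in the manifest at
    all, plus an overall 'ok' flag. Any non-empty list means the restore is
    not the known-good state and should not be trusted as a recovery.
    """
    current = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in current)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "ok": not (missing or modified or unexpected),
    }


def demo() -> dict:
    """Constructed scenario (assumption, for illustration only).

    Take a manifest of a small 'live' tree, then verify two restores: a faithful
    copy, and one taken after an attacker loosened a config, dropped a
    persistence script, and deleted a database file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "etc").mkdir(parents=True)
        (live / "etc" / "app.conf").write_text("listen=443\n")
        (live / "data.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(live)

        # A faithful restore verifies clean.
        good = Path(tmp) / "restore_good"
        shutil.copytree(live, good)
        clean = verify_restore(manifest, good)

        # A restore that carries the attacker's changes is flagged.
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(live, bad)
        (bad / "etc" / "app.conf").write_text("listen=443\nallow_from=0.0.0.0/0\n")
        (bad / "etc" / "cron.sh").write_text("#!/bin/sh\necho persistence\n")
        (bad / "data.db").unlink()
        tampered = verify_restore(manifest, bad)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("faithful restore ok:", result["clean"]["ok"])
    print("tampered restore:", result["tampered"])
```

In a real recovery exercise the manifest would be generated from the production system on a schedule and kept somewhere the attacker cannot reach, and `verify_restore` would run against a scratch restore before anyone declares the recovery complete. The check is deliberately content-based: a file whose name, size, and timestamp all look right but whose hash has changed is exactly the case that matters.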
Leaders are best equipped to drive cyber resiliency efforts
It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security and the same goes for cyber resiliency.
Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or to someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.
That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:
The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in progress.
Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key to investing in and maintaining robust training programs.
Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.
The Take Away
At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.
Also published on Medium.