In a perfect world, an organization’s systems would run without problems 24 hours a day, seven days a week, 365 days a year, but we don’t live in a perfect world. Things happen. And when they do, your organization’s ability to carry on in the face of adversity will depend on the resiliency of its systems.
Being a cyber resilient organization means being able to fight through adversity and continue to operate, even if it’s only in a degraded mode, said Stan Wisseman, chief security strategist at Micro Focus.
“Even if you do everything perfectly—and we never do—you’re still going to have 5% to 10% of attacks getting through.”
The difference between cybersecurity and cyber resilience is key. Cybersecurity focuses on protecting an organization from cyber-attack. It involves things such as firewalls, VPNs, anti-malware software, and hygiene, such as patching software and firmware, and training employees about secure behavior.
Cyber resilience focuses on what happens when cybersecurity measures fail, as well as when systems are disrupted by things such as human error, power outages, and weather. Resiliency takes into account where an organization’s operations are reliant on technology, where critical data is stored, and how those areas can be affected by disruption.
Then it involves putting measures in place to minimize the impact of those disruptions. For example, the protocols to be followed in the event of a system breach would be part of a resiliency plan.
Here’s what you need to know about what cyber resilience is, why it matters to your organization, and how to lay the groundwork for an effective rollout.
Why do you need cyber resilience?
One reason organizations need to pay attention to cyber resiliency is to avoid the kinds of catastrophic failures that occur when you have an all-or-nothing approach to security. Such an approach might assume, for example, that all attacks can be stopped at an organization’s perimeter, so internal controls are unnecessary.
In a similar vein, giving people free rein on an internal network because they have a valid username and password could also lead to disastrous consequences. That’s why a resiliency plan will consider actions and outcomes before, during, and after an event.
“The primary goals of resiliency are anticipate, withstand, and adapt. You need to anticipate that you’re going to be attacked. You need to withstand that attack and continue to operate your critical business functions. And you need to adapt to an evolving threat landscape.”
If an organization is targeted by persistent threat actors, it’s very likely that organization’s networks will be compromised. That’s why a business must be ready to persevere through such attacks. Resiliency allows an organization to do that, minimizing the impact of persistent threats. Building resiliency into an organization’s information architecture will lower the probability of an attack’s success and minimize the damage if an attack is successful.
What’s more, redesigning and upgrading an organization’s systems for resiliency can increase both cost and uncertainty for an adversary, which often acts as a deterrent to attacks by cyber-criminals, who want to minimize their expenditure of time and money.
Resiliency is also important for lowering the long-term risk profile of specific organizations and society as a whole. It is only by thinking of overall network resiliency that businesses can not only surmount existing threats, but also overcome future threats from technologies such as artificial intelligence, the Internet of Things (IoT), and quantum computing.
A digital transformation mindset
Resiliency often goes hand in hand with digital transformation. Both require a similar mindset change. Resiliency requires that old notions of impenetrable defenses be shelved. It assumes attackers will disrupt operations, so measures must be in place to prevent, respond to, and recover from such attacks. For those measures to be successful, security needs to be everybody’s job, and security best practices need to be embedded in all aspects of the organization. As with digital transformation, resiliency requires more organizational agility.
Agility has become even more important as the global coronavirus pandemic has forced organizations to deal with a new working paradigm. The virus has acted as an accelerant for digital transformation in many organizations. As digital transformation efforts have accelerated, so, too, have efforts to boost cybersecurity and resiliency. Businesses are realizing that resiliency will be critical if they’re to survive the seismic effects of the pandemic.
By its nature, digital transformation requires a greater dependency on IT. Because organizations are more dependent on IT, they need strong cyber resiliency. Without it, a business can’t be confident it will be able to continue operations when faced with the increase in cyber threats that accompany increased dependence on IT.
How to get started
Organizations typically begin their resiliency journey with a framework. Several model frameworks have been released to help organizations improve their resiliency, such as the Cyber Resiliency Review, created by the US Department of Homeland Security.
Understand the frameworks
NortonLifeLock, formerly Symantec, calls its framework the Cyber Resiliency Blueprint, which is based on five pillars:
- Identify vital information and security vulnerabilities.
- Develop and implement safeguards to protect critical infrastructure and services.
- Develop and implement a detection system for identifying attacks, assessing affected systems, and implementing a timely response.
- Create a response plan that includes clearly identified roles and responsibilities for responders.
- Develop and implement a plan to restore any data or services affected by an attack.
The National Institute of Standards and Technology has also created a framework for engineering secure and reliable systems. The document—Special Publication 800-160, Volume 2—includes 14 techniques for improving cyber resiliency.
Cyber resiliency assessments can also be useful in setting up a resiliency scheme. These assessments are used to identify where, how, and when cyber resiliency techniques can be applied to improve architectural resiliency against advanced cyber threats. You can apply the process to an existing architecture or a planned one, either to identify the opportunities that provide the greatest and most cost-effective resilience or to create a cyber resiliency road map. These assessments are usually guided by a high-level framework that ties together a resiliency scheme’s goals, objectives, techniques, and technologies.
Assessments can identify where an enterprise’s architecture is resilient and where there’s room for improvement. Ordinarily, it’s impractical to completely redesign and redeploy an organization’s existing architecture to maximize resiliency, but with good planning, resiliency improvements can be implemented during lifecycle replacements and architectural upgrades.
Avoid the KO
In boxing, fighters need to be able to take a punch and keep on fighting. Cyber resiliency allows a business to do the same. Moreover, including cyber resilience in long-term strategic plans can create a continual strategic conversation between an organization’s technology and business leaders. Because of that, a cyber resilient approach can not only bolster readiness within an organization, but also reduce costly repetition, making the business both more effective and more efficient.