In cybersecurity as in most jobs, problems don’t happen one at a time, you’re bound to have a few at once. Speakers at the RSA Conference 2021 talked about this in terms of maintaining cyber resilience in chaos. So, what does the buzzword ‘cyber resilience’ really mean? And why is it important to be able to embrace chaos in your day-to-day work? 

Cyber attacks are on the rise. Between June 2019 and June 2020, the Ponemon Institute observed a 64% rise in the severity of digital attacks targeting businesses and agencies. It witnessed an even greater increase in the volume of digital attacks during the same period, at 67%.

Even so, none of that prevented defenders from achieving cyber resilience. According to the Ponemon Institute, the proportion of organizations that achieved a high level of cyber resilience increased by more than half from 35% in 2015 to 53% in 2020. The proportion with cybersecurity incident response plans also grew 44% over those five years.

What Is Cyber Resilience?

Cyber resilience means you’re capable of preventing, detecting, containing and responding to a variety of digital threats — at least to some degree. It isn’t binary, after all. It’s a spectrum not only of degree but of aptitude.

Rohit Ghai, CEO of RSA, put it this way in his keynote for RSA Conference 2021:

Being resilient is not good enough. We must be good at resilience. Resilience isn’t just about getting up when you fall. To be good at it, we must fall less often, withstand the fall better and rise up every time.

Ghai’s first point, falling less often, is challenging in light of changing network setups. Just take what’s happened with the cloud as an example. According to IDC, more than a third of organizations purchased over 30 different types of cloud services from 16+ vendors in 2019 alone. (That’s before the events of 2020.)

Such a distributed deployment landscape contributes to a sense of chaos regarding security ownership over different cloud apps and services. It could also explain why organizations don’t always take certain security processes into their own hands. Indeed, two-thirds of respondents in another survey said they relied on their cloud providers to ensure their baseline security, a position which puts themselves at even greater risk of data exfiltration and other attacks. Cyber resilience is a balance between too many tools and too few; too much attention paid to attacks or too little.

A Three-Pronged Approach to Security in Chaos

The chaos referenced above isn’t limited to the cloud. Machine and human actors are learning and working together across multiple environments, both cloud-based and on-premises. In the process, they’re using Internet of Things (IoT) products, containers and an expanding number of devices.

All this makes keeping your data safe more complex. In doing so, it raises an important question: how can you secure chaos?

Ghai gave the answer in his keynote:

You can’t. You don’t. You focus on resilience by embracing chaos. How? One, expect the unexpected. Two, trust no one. And three, compartmentalize failure zones.

How to Cut Down on Chaos

Here’s what cyber resilience looks like in practice. First, you need to have visibility of all your hardware and software, as well as network traffic. Knowing that, you can implement security controls to protect your most critical data and assets. You can then use penetration testing to see how those measures stand up against an actual attack.

As for the second point, some might say those who trust no one have zero trust. In this regard, organizations can use encryption, multi-factor authentication, principle of least privilege and other security controls. Those help build the architecture needed for validating connection attempts on an ongoing basis. It’s important that they also focus on compartmentalizing failure zones as part of their zero-trust efforts. There’s no need for every asset to have access to the entire network, after all. With that in mind, use network segmentation to ensure that a potential device or account compromise doesn’t spread across their entire digital infrastructure.

Chaos isn’t something that defenders can control. It’s a state of nature, and as such, they can choose to fight against it or flow with it. Knowing where you stand with cyber resilience helps. By accepting the latter and embracing chaos, organizations can put themselves into a stable security position where they’re less inclined to fall going forward.

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today