What is cyber resilience?
According to IBM Security’s 2020 Cyber Resilient Organization Report, a cyber resilient organization is one that “more effectively prevents, detects, contains and responds to a myriad of serious threats against data, applications and IT infrastructure.”
In a more colloquial sense, the “further along in the game” an organization is, the better positioned it is to be resilient. The emphasis on “position” matters here, particularly when creating your roadmap toward cyber resilience.
Why? Being in a better position is no guarantee of better execution. Position and execution are separate things, and a roadmap should treat them as distinct but complementary concerns.
Here are four major steps to help you plan, create and execute a roadmap.
Step 1: Understand What Your Resources Are
Keep in mind that resources are not purely technological. Your resource mix is made up of technological and human capital, including how they operate and interact with each other. You can have the latest-and-greatest tools, all properly configured, but if you do not have an experienced and properly trained team managing and maintaining them, those tools may never see the light of day.
You also need to be cognizant that any current or future information security tool could lead you into a privacy jam if its use is not thought through. Anything from issues with real-time monitoring to holding excessive (or unnecessary) amounts of personally identifiable information (PII) increases the liability side of your balance sheet.
Therefore, it’s the totality of your resource mix that will help determine your current position. So how do you determine your current position? It all begins with risk management.
Step 2: Define Your Risk Posture
Risk management is by no means a science, even though a lot of science goes into it. As environments become more complex, the likelihood of fragility increases, notes risk management expert Nassim Nicholas Taleb in his book “Antifragile: Things That Gain from Disorder.”
The 2020 Cyber Resilient Organization Report found that too many tools weaken cyber resilience, specifically that “excessive use of disconnected tools creates complex environments, which can inhibit efficiency.”
When you define your risk posture and consider integration solutions, employ some of Visa founder Dee Hock’s philosophy into your planning.
“Simple, clear purpose and principles give rise to complex intelligent behavior. Complex rules and regulations give rise to simple stupid behavior,” Hock has said.
If you are over-engineering your risk management and resilience planning, you may very well be building a house of cards, and there is a wolf out there ready to blow it down. Therefore, you should consider your risk posture options, such as:
- Risk acceptance
- Risk transfer
- Risk avoidance
- Risk mitigation
- Risk deferral (Delaying action on a risk to capture a time sensitive business opportunity, for example)
- Risk exploitation (Taking advantage of the risk inherent in something new — higher than expected demand for a new product, for example — by planning in advance how to meet the demand)
It is a crude metaphor, but managing your cyber risk increasingly resembles managing your investment portfolio. It is tailored to you and your expectations. But if you are not on top of what’s going on, increasing complexity can lead to increasing volatility, which means your current and future outlooks could quickly be thrown into jeopardy. More importantly, if you are hoping to maximize business efficiency in your operations using this new gadgetry, you may be setting yourself up for a colossal loss on the downturn, or for a massive data breach that is nearly impossible to recover from.
Part of resilience also includes hedging. This is your standard business continuity planning, asset management, backups, disaster recovery and the other basics that fall under improving your cyber hygiene. You need to be able to weather a storm and avoid going bust (or ending up on life support) after one bad hit.
Step 3: Get in the Right Frame of Mind
Data is a form of valuable currency in today’s environment. Treating your data like cash is, therefore, not unreasonable at all. In fact, treating data like money is a prudent course of action when creating your cyber resilience roadmap. Poor handling of your data could actually lead to a real loss of cash and revenue. Making that leap requires a mindset change, as overconfidence could be part of an organization’s undoing.
The 2020 Cyber Resilient Organization Report highlights five reasons why “high performers” are more cyber resilient. High performers ranked better in the following areas:
- Leaders recognize that automation, machine learning, artificial intelligence (AI) and orchestration strengthen cyber resilience
- A strong privacy posture is important to achieving cyber resilience
- Leaders recognize enterprise risks affect cyber resilience
- Using cybersecurity tools that are interoperable across vendors helps increase the ability to respond more effectively to cyberattacks
- Leaders recognize cyber resilience affects revenue
These points support the need for understanding your resource mix, privacy implications of tools used, the balance between technology and interoperability and risk management.
Step 4: Step Up to the Challenge
The final step is action. According to Sidney Finkelstein, there are three fundamental questions you need to ask yourself if you truly want to be cyber resilient:
- Are you willing to change what you have been doing?
- Can you think of a better strategy than the status quo?
- Can you execute on your chosen solution?
If you can answer “yes” to all three, you’re ready to go. Steps one through three are designed to get you in the right position. Step four brings together strategic, operational and tactical considerations in order to achieve best practices.
According to the Cyber Resilient Organization Report, you should:
- Implement an enterprise-wide cybersecurity incident response plan to minimize business disruption
- Tailor response plans to specific attacks in your industry
- Embrace interoperability to increase visibility and reduce complexity
- Invest in technologies to accelerate incident response
- Align your security and privacy teams
- Formalize C-level/board reporting to raise the visibility of the organization’s cyber resilience
The last two points are particularly important because, if left unaddressed, they become critical barriers between your stakeholders. You need a common language every team member can understand. Stakeholders do not always operate on the same timescales. For example, your C-suite may be focused on long-term growth, the security team may want to focus on an immediate threat, and the privacy team wants to address the ongoing legal ramifications of a breach. But there needs to be an area that brings all stakeholders into alignment: the language of business. Having that candid “business talk” between the stakeholders sets the stage for deciding:
- What resources are needed
- What amount of risk the organization is willing to take on
- What cultural changes need to happen within the organization
- How to execute the cyber resilience plan
Tools to Help You Get Started
The NIST Cybersecurity Framework (NIST CSF) is a great starting point because it scales to the size of the organization, and its adoption is relatively widespread. First, review the functions: identify, protect, detect, respond and recover. Then check off what you have done and what still needs to be done, with the added bonus of being able to dig in much deeper where you need to.
NIST CSF also provides deeper information through its categories and subcategories; the deeper you go, the more specific the control. That is where the NIST special publications come in handy. Need help with your risk assessment? Look at NIST SP 800-30, Guide for Conducting Risk Assessments. Going to be handling government information at your organization? NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, highlights the specific controls you need to keep an eye on. Is privacy your main concern? Review the new NIST Privacy Framework, A Tool for Improving Privacy through Enterprise Risk Management, which operates just like the NIST CSF with functions, categories and subcategories. Keep in mind, however, that applying these tools can be a futile exercise if you do not know your organization’s risk tolerances.
Building a Roadmap to Weather the Storm
The 2020 Cyber Resilient Organization Report clearly states that challenges still remain. Remember that cyber resilience is a team effort, where every person who touches your organization’s network has a role and a responsibility. Identify team roles and responsibilities as part of building your cyber resilience roadmap, and focus on employee training and testing. Doing so puts your organization in a stronger position from a resilience perspective and better prepares you to execute from that position, taking advantage of all your previous hard work.
If you still are unsure of how to start building or modifying your cyber resilience roadmap, take a look at the Eisenhower Matrix. The matrix will help you prioritize and delegate tasks across your environment.