Our journey through the factors that make up organizational cyber resilience is almost complete. It’s time to put the puzzle pieces together.
First, a quick look at the issues we’ve covered so far.
Individually, each of these plays an important role in your cybersecurity and business continuity plans. But their real power comes when they are harmonized.
Harmonization vs. Centralization
It’s important to note that “harmonized” is not the same as “centralized”. It’s easy to default to the latter, but that’s not necessarily a good thing. “Harmonization” may have a central point, meeting place or repository, but the actual execution is delegated to individual business functions, with escalation protocols in place if the disruption exceeds the resources of those responsible. “Centralization” can too often be a hive mentality with the hierarchy calling the shots. There is less delegation and decision-makers are likely further away, or even out of touch, from the disruption. That means blind spots, bumbling over bureaucracy and bad decision making.
Put simply: harmonization is about delegates working together, while centralization is about command and control. The operational framework you want is the former, which is more federated, not the latter. Let’s look at five necessary steps to get you to a harmonized approach to resilience.
Step 1: Define What Matters and Perform a Risk Assessment
We said this before and it needs to be repeated: what matters to your organization? Different stakeholders have different interests, but the organization itself is driven by certain metrics and missions. If your information security and resilience strategy are not aligned to protect what matters, the entire effort is a waste.
Therefore, at the end of the “what matters” exercise, your organization should be able to succinctly answer these two questions:
- What drives the organization’s business needs?
- What is required to protect those drivers?
If senior leadership – especially the risk executive and CISO – cannot answer those questions in about 60 seconds, they’ve missed the mark. A risk assessment is vital to revealing the answers to these questions, including the underlying details. Furthermore, what you believe you need versus what you actually need could be very different.
For example, you may believe your greatest risk is losing a data center that houses your crown jewels. But in actuality losing a small manufacturer on the other side of the world would be much more damaging. Why? It’s because that seemingly obscure shop manufactures highly specialized components that go into your final product. Without them, you’re done!
Business has been moving so fast over the last decade, it has become easy to miss your real soft spots. Risk assessments are an important part of defining what “resilience” means for your organization.
Step 2: Rid Yourself of Unknown Unknowns
There is nothing glamorous about cleaning up data and systems of record and identifying gaps. It’s boring and mundane, but it is also vital. If data is our greatest currency, systems of record are our bank accounts and ledgers.
- What would you do if you went to an ATM to withdraw money, but found the balance was incorrect?
- What if you went to establish an internet connection only to realize that the infrastructure you were about to rely on was decommissioned six months earlier?
- What would you do in these situations if you didn’t know who to talk to because you never bothered doing a notification test prior to the disruption? Worse, what if the person you expected to talk to is no longer the person you should be talking to?
Stakeholders in your organization will be ready to beg and plead for new tools, gadgets and so-called silver bullets, but there is no way around it: you need to rid yourself of “unknown unknowns” and stop building on a house of cards. Fancy tools aren’t any good when they’re built on a fragile foundation.
There are no shortcuts in cybersecurity, business continuity or resilience. It’s a painstaking and laborious step, but it truly will improve your cyber and organizational health and hygiene to perform a dedicated audit of your data and systems of record.
Step 3: Identify, Empower and Supply Resources
If you are confident in your work conducted during steps one and two, you have already made progress to improve your resilience posture. Now you should have:
- A much better sense of what your risk posture is
- A clearer picture of the state of your own information gaps, quality and errors
With these fundamental steps handled, now you can better plan and execute. You begin to shift away from the academic (e.g. the “theoretical” state for where you want to be) and move to operate in the practical (e.g. the current state of affairs and what can be reasonably achieved). This is the stage where the rubber really begins to meet the road. With the foundation in place, now you can:
- Allocate resources and funds for technologies. Perhaps you need an upgrade, such as certified devices, identity and management processes or data loss prevention tools. Or maybe you recognize your current hosting arrangement should change to minimize your risk, such as taking some assets off the public cloud and moving back into a fully controlled in-house data center.
- Divest and decommission old or vulnerable technologies. You may suddenly find out the maintenance costs of a certain technology do not justify the return on investment. In that case, you may accelerate the plan to move something to another resource, such as moving from a local data center to the cloud.
- Assess your staffing requirements. You may (unsurprisingly) find out that you are wholly understaffed to meet your cybersecurity and resilience requirements. This is not new. But at least now you will find out exactly how understaffed you are. And as a bonus, you’ll now be well-armed to make the business case to your superiors about the importance of investing in staffing from a resilience perspective.
- Identify frameworks and obligations and plan developments/updates. Throughout the first two steps, you will have likely identified some areas of concern, such as compliance requirements or plan gaps. You can now seek the best tools for your mission. For example, your business needs may require you to focus on the NIST Privacy Framework over the NIST Cybersecurity Framework, and you can prioritize what needs immediate attention.
Step 4: Integrate, Operationalize and Raise Awareness
Now that all the pieces have been identified, the hard part is putting everything together. And let’s not sugarcoat this: it is hard to do, both for practical reasons and because of competing interests.
Therefore, the risk assessment completed in step one is vital, as it serves as documented common ground, making the resilience effort an easier sell. Your different teams and stakeholders may prioritize different things, but everyone at least agrees on threats that pose a danger to the organization as a whole. That is where you will find common ground.
And once the common ground is identified, the organization can harmonize its efforts, especially through a federated model. The federated model is a team game, where each function’s efforts are lifted up by the others. Put differently, instead of having only a strong security operations center to defend the entire organization, you have an organizational culture that supports resilience throughout. All stakeholders are all-in. It’s a cybersecurity all-star team instead of just an all-star player.
Step 5: Prepare for the Loss
After all your resource planning, risk identification, plan development, technical upgrades, testing and training and all that other great work, the most difficult reality you will likely face is this: there will be a future event that will overwhelm the response capabilities of your organization. It’s only a matter of when that event happens and what it is.
It could be as simple as a malicious actor’s intent changing from purely financial to ideological, putting an entirely new spin on ransomware. Or it could be some newly sophisticated script that jumps between regions of cloud services providers. Or a geopolitical disruption could also have devastating effects. Remember that small manufacturer we mentioned earlier? What if all of a sudden that country is sanctioned and can no longer export the components you need? Or the elements themselves could turn against your organization, with a bad storm or a solar flare overwhelming even the best organizational plans and teams.
Regardless of the cause, the point is that an important part of resilience is understanding that a failure will eventually happen. Successful organizations prepare to clean up after the incident and become stronger afterward.
Do Not Fret, But Be Prepared
Resilience should not be a doom and gloom subject. It should be an issue to get excited about because it helps your organization grow and deliver your products and services better.
But you cannot give this issue a light touch. You really need to stress test your capabilities, to the point of considering things as drastic as the loss of an entire business unit. Even a couple of minutes of disruption can be costly. Just look at what happens online every minute in 2021. A bad actor who knows where the weak points and dependencies are can knock down an entire industry.
That’s the unintended consequence of highly available, highly efficient and highly connected systems. They’re fragile.
If you are prepared for the loss and have the capacity to operate through a disruption, what may initially look like a mountain of a problem is only really a molehill. And in that light, you may begin to hear more of something called operational resilience, a concept coming out of the financial sector.
Whatever you end up calling it, the outcome is simple: survive the storm with minimal impact and come out stronger because of it. When trying to survive, perfect is the enemy of good enough. If you can achieve that state and level of maturity, the odd storm may even end up being good for you. It’s through testing that you improve and become antifragile.