Companies continue to face challenges preparing for and responding to cyberattacks — but there are clear steps security teams can take to improve their cyber resilience and manage today’s cyberthreats. This was the key takeaway from the 2016 global report on resilience from the Ponemon Institute.
Our on-demand webinar, “Key Steps to Improving Your Cyber Resilience,” features Dr. Larry Ponemon of the Ponemon Institute and John Bruce, chief technology officer at IBM Resilient. It explores the study’s findings and provides actionable recommendations to security teams to improve their resilience.
Cyber Resilience Strategy: A Conversation With Dr. Larry Ponemon
Dive into the state of cyber resilience today and explore real-world examples of organizations improving their ability to manage, mitigate and move on from cyberattacks. I had the opportunity to ask Ponemon about his thoughts on some of the most interesting findings from the study.
Question: Cyber resilience is a term that may be new to some people. Can you define it?
Ponemon: We define cyber resilience as “the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks.” In the context of the research we collaborated on, cyber resilience can be seen as the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyberattacks. A cyber-resilient enterprise is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure.
Why should security leaders strive to improve this?
The first reason to improve cyber resilience is one we all know: Cyberattacks will continue to mount and grow more and more complex and sophisticated. Our data showed that most organizations experienced a data breach in the past year — often more than once.
As this climate continues to worsen, having an improved cyber resilience will be crucial to organizations of any size in any industry.
Second, cyber resilience is an organizational effort. It involves people, process and technology — and the coordination of business units across a company.
There’s no easy fix. Improving cyber resilience takes a commitment to making improvements over a long period of time. Security leaders would be smart to get started today.
What was the most surprising finding overall in the study?
One interesting finding was the emergence of IT process and business process complexity as a new barrier to cyber resilience. In fact, complexity is the second-biggest barrier to cyber resilience, behind only “insufficient planning and preparedness” — a huge leap from 2015.
These complexities can be tied to a number of things, but we often see organizations with a deluge of IT and security tools and processes — and no real overarching system to manage it all. With a lot of fragmented tools and processes in place, a lack of standardization can make everything complex very quickly.
This year, it looks as though the study had more global reach. Were the findings different market by market? If so, how?
Interestingly, Germany and France tended to be outliers on opposite ends of the spectrum for cyber resilience. German organizations are much more confident in their ability to be cyber resilient compared to the other countries we focused on. These companies reported placing a high value on being cyber resilient and saw importance in having skilled security employees within the organization.
On the other hand, French organizations felt largely the opposite. They reported the lowest confidence in their cyber resilience abilities but did not place as much value in this compared to the other countries. They also placed a lower priority than others in getting skilled security employees on staff.
Are there ways that companies can improve their cyber resilience?
The key is to start from the top down and get executive buy-in. This goes beyond just getting the right tools in place and checking the box. With executive buy-in, security becomes a part of the culture.
It is not easy to become completely cyber resilient, but a real effort to combine the technology with people and process will certainly improve the situation. If the executives are committed and providing guidance and prioritization, they can create a sense of value around security for the entire organization.
This will play a role in recruiting to help fill skills gaps, as well as empowering existing employees to improve their process, cyber resilience and overall security.