For most organizations around the world, the concept of global cyber resilience has taken hold — and it’s the standard many are striving to achieve. However, there’s still a great deal of work to be done globally. The state of resilience (and the challenges involved with improving it) varies from region to region.
The Ponemon Institute and IBM Resilient released a series of global studies that explore and benchmark the state of cyber resilience in the U.S., U.K. and Germany. These reports outline the threats and barriers to resilience in each respective country and offer insight on how security teams can build more resilient organizations.
A Conversation About Global Cyber Resilience
To get a more global view of the state of resilience, we spoke with Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. We asked him for his thoughts on how the three countries stack up against one another — and the top lessons to be gleaned from the studies.
IBM RESILIENT: When you look at the global research holistically, what do you find to be most interesting?
PONEMON: One thing we find is that there’s general consensus in all countries on the importance of resilience — not just cyber, but in all aspects. Organizations truly understand they need the ability to maintain their integrity and sustain their business in the face of an array of challenges. It’s a growing concern.
Another lesson we learned is that — despite cultural differences — there’s a lot of symmetry around the globe when it comes to barriers to IT and security. In order for companies everywhere to be resilient, they need to overcome corporate silos and create a cross-functional team that brings different skills to the table.
But a lot of teams don’t press their comrades in other departments and don’t speak each other’s languages. As a result, it creates real barriers for those companies.
IBM RESILIENT: What are the biggest regional differences you found — and why do these differences exist?
PONEMON: We found that Germany, in particular, is sometimes an outlier. It stems from the fact that there are more regulatory requirements in Germany, and the German culture generally includes a high level of security and vigilance — and that includes the cyber realm.
Plus, Germans are more likely to have a comprehensive incident response [IR] plan. It’s not 100 percent true for the country, but German organizations are generally better prepared than the U.S. and U.K. Germany can demonstrate the workflow for a data breach and outperform other countries. The U.S. and U.K. are consistently very similar, but Germans have a more resilient security posture.
IBM RESILIENT: What were you most surprised to find in the global studies?
PONEMON: We saw good news and bad news. The good news is that most organizations globally see the importance of resilience. They’re not just preparing for specific incidents like malware and ransomware but building the mettle to overcome an array of events, through people, process and technology.
That’s the good news: they recognize this.
Bad news is that a lot of global companies also recognize that they’re not resilient today — and it could be catastrophic. And there are a number of challenges: They don’t have the resources allocated — or the right people and skillsets in security that they need.
For others, it just may not be a high priority for organizations’ leadership. They think it’s a technical thing — or a matter for IT. It’s really bad when that happens.
IBM RESILIENT: What immediate steps should U.S. and European Union-based organizations take to improve their cyber resilience?
PONEMON: One of the most critical things we found is that organizations that have an IR plan in place, prepare and test their plans tend to do better than the ones that don’t do the basic blocking and tackling.
Some of these organization have plans, but it’s wallpaper — they don’t value it. It’s just a checkbox, and it doesn’t accomplish anything.
Security teams need to look at security events like DDoS [denial-of-service] malware, data breaches or PII [personally identifiable information] losses — because each event requires different approaches. They need to find out if you have a plan and if they’re ready for it — and most aren’t. That’s the first step to getting more effective at IR.
Beyond the plan, you need to have a team of people ready to roll. If you don’t have people, outsource it. Companies that do so have a much stronger security profile and cyber resilience. We see that consistently.