June 1, 2020 By Beth Dunphy 3 min read

In January, the World Economic Forum (WEF) again included cyberattacks as one of the top 10 most likely and significant risks to society in 2020. Less than two months later, ways of working underwent a drastic change due to the global pandemic.

With so many employees working remotely and many business functions now in the cloud, organizations are rethinking their cybersecurity posture. As new ways of work are coupled with a growing prevalence of malware and ransomware, cyber resilience has become top of mind in boardrooms around the world.

What Is Cyber Resilience?

A quick search yields a variety of definitions for cyber resilience. Simply stated, cyber resilience is an organization’s ability to withstand adverse cyber events. A traditional cybersecurity program plans for the protection against cyberthreats and enhances the ability to detect and respond to those threats. Cyber resilience takes this traditional approach a step further by acknowledging that the organization must keep operating in a secure manner when faced with a variety of threats — including, but not limited to, cyberattacks.

Why Cyber Resilience and Why Now?

A 2019 Ponemon Institute study of 3,655 organizations found that 77 percent do not have incident response (IR) plans applied consistently across their organizations. Furthermore, 57 percent of respondents stated they experienced a significant disruption to their IT or business due to a cybersecurity breach. According to a Forbes Insights global survey report, only 42 percent of global executives reported being confident that their organization could recover from a major cyber event without impacting their business.

With so many organizations at risk of experiencing a cyber event and less than half believing they can withstand a major cyber event, what can organizations do?

Improving Cyber Resilience

Build Awareness

The first step to improving cyber resilience is to build awareness across the organization’s leadership that cybersecurity is not just a technical or IT problem — it’s a business problem. Organizations with a higher degree of cyber resilience experience less business impact due to cyber events.

Build Relationships

Forbes found that in many organizations, 60 percent of security IR teams and business continuity teams do not work closely together or have an established relationship. Business continuity teams are charged with identifying threats that can materially impact the organization’s ability to operate. Cyberthreats are now so prevalent that business continuity processes must include them. Likewise, security teams planning response activities for cyberattacks must also understand the business impact of those attacks.

Plan for the Inevitable

As any organization that has experienced a ransomware attack knows, a cyberattack can significantly impact or destroy a business’ ability to operate. Business continuity planning scenarios must include plans for withstanding a cyberattack. Traditional business continuity planning scenarios such as Workplace Unavailability, Workforce Unavailability or Regional Disasters can all be precipitated by a cyberthreat, driving the need for joint planning between business continuity and cybersecurity teams.

Test Together

The National Institute of Standards and Technology (NIST) recommends testing response plans as part of both disaster recovery and IR planning activities. Including cyberthreats as part of business continuity exercise scenarios, as well as including the cybersecurity team as part of the exercise itself, will help the organization be better prepared for both business continuity and disaster recovery in the event of a real-world event. Likewise, cybersecurity teams will find higher quality testing by including both business stakeholders and business continuity team members as part of their incident response testing.

Respond Effectively

Rapid response during any type of crisis — cyber or real-world — generally means less potential impact to the organization. One of the main reasons to plan and test for any type of disaster is to improve the speed and quality of the response effort. In some circles this is known as tightening your OODA loop: the cycle in which you Observe, Orient, Decide and Act during a crisis. When teams plan and test together, their OODA loops will be shorter and tighter, leading to more effective and timely response activities.

While organizations increasingly depend on technology to support their businesses, they can no longer afford to treat cybersecurity as a technical issue — it’s a critical facet of their business continuity, and a shift in focus to cyber resilience is required for success. Organizations need a new paradigm, one that is driven by a growing partnership between business stakeholders, business continuity teams and cybersecurity teams, to withstand cyberattacks and continue to operate as they modernize their businesses and embrace new ways of working.
