Cyber Resilience for Your Business
Cybersecurity and cyber resilience are distinct disciplines. Cybersecurity consists mostly of defensive actions: what can be done to keep attackers out. Cyber resilience is designed to minimize the impact of a cyberattack on the organization. You have to start from the perspective that you have been, or will be, attacked.
Effective preparation is a collaborative effort, and the effectiveness of an enterprise-wide resilience plan depends directly on it. Identifying budget and resources requires teamwork from senior leadership, IT, business experts and information security experts.
Devising a cyber resilience strategy involves thinking strategically -- asking such questions as: How would we respond to a ransomware attack? How would our business functions continue if we had a computer system shut down? What if our IT systems get attacked from within our supply chain?
Answering these questions helps executives, both business and technical, come together to devise a resilience plan for the organization. It's vital to define communications and a command structure to ensure business continuity. The business with a cyber resilience strategy has an advantage. Such a strategy enables the company to rebound faster from a breach or attack; understand, define and manage digital risk; and provide the organization with a holistic view of risk.
Such a plan includes:
- Developing business, IT and cybersecurity resiliency teams.
- Outlining clear compliance and up-to-date governance processes.
- Maintaining a business, technology and cybersecurity strategy.
- Securing digital assets.
Understanding the relationship between business, IT architecture and cybersecurity is key to developing a healthy cyber resilience plan. Business is complex, with many dependencies, so risk management is essential. Cybersecurity risk is reaching an all-time high; it's crucial that your organization determines how it could be attacked, the various ways an attacker could manifest and the impact of each, so that you have the most holistic view possible of your business and digital risk.
Cyber resiliency engineering draws on various technology disciplines, including system security engineering, resilient design, system survivability, dependability, fault tolerance, business continuity and contingency planning. Done well, it weighs the use of technology against the technical risk of vulnerabilities and the business risk posed by various cyber threats. Cyber resilience has to consider all digital resources, including mission or business segments, shared infrastructures, shared services, cloud services, third-party networks, systems and data repositories.
Engineering your systems for cyber resiliency means you need to design and build systems with the flexibility to be prepared for, withstand and adapt to dynamic threat conditions, attacks and compromises. It is not to be confused with day-to-day cyber operations. The goals of cyber resiliency engineering are to:
- Anticipate and plan for risks. Establish a state of informed preparedness toward attacks in order to manage and mitigate compromises of mission/business functions from various cyberattacks and vulnerabilities.
- Withstand attacks and continue to manage essential business functions, regardless of adversary actions.
- Recover and restore business functions to the fullest extent possible during and after an adversary attack.
- Evolve and adapt to changes in business functions and IT systems to minimize the impact of adversary attacks.
Each of these engineering levels becomes more concrete as you implement an engineering framework. Being able to anticipate high-risk areas in your organization, both technical and business, will help you get ahead of exposure or attacks and manage that risk. Withstanding an attack or outage can be the most complicated undertaking of a cyber resilience program; it can also reveal interconnectedness and complexities that may have been completely overlooked in the organization.
Many companies focus only on cyber defense and fail to be proactive. Cyber resilience addresses this by delivering a holistic (business and IT) view of risk. More importantly, it provides a way to manage attacks, vulnerabilities or other digital disruptions, whether the cause is an intentional attack or complacency.
Having a cyber resilience program tied to cyber operations gives organizations such benefits as:
- The ability to identify and manage technical ROI.
- Improved business processes.
- IT systems planning.
- More effective defensive cyber operations.
- More streamlined and effective cyber incident response.
Most companies don't tackle these areas in a coordinated risk-based approach. They manage cybersecurity and corporate risk management as separate activities, which increases complexity, cost and risk.
When creating or implementing a cyber resilience program and tying it to cyber operations, you need to consider the adversary's capabilities, intent and tactics. Then you can design mechanisms of absorption and recovery that are more likely to withstand the adversary actions. Organize your plan into the following sections:
- Architect to protect.
- Secure administration rights.
- Tightly manage access control.
- Harden all devices.
- Design, create and test backup strategies.
- Plan and execute continuity of operations.
- Secure communications.
- Ensure the status and operation of core services.
- Define data recovery strategies.
- Conduct digital forensics.
- Hold after-action reviews and capture lessons learned.
Effective cyber resilience must be addressed in business, IT architecture and cybersecurity. To start down that path, organizations should consider the following:
- Assess your digital transformation strategy and apply it to your corporate security plan.
- Include cyber resilience plans at the enterprise and business division level.
- Have each business division identify and create a resiliency plan that protects the most critical data and assets.
- Transform your cybersecurity approach from a reactive plan to a proactive, prevention-based one.
Thinking that it's just the security team's responsibility, or that a specific product will provide what you need, is shortsighted and serves to increase the risk, not reduce it. The good news is that most companies don't have to start from scratch. They already have systems in place, to some degree, that they can leverage to get a jump start on a comprehensive enterprise cyber resilience solution.
Over the next month, we will discuss how cyber resilience applies to business, IT architecture and cyber operations -- these three elements constitute a holistic cyber resilient plan.