Even with the best will in the world, the most comprehensive and stringent policies, and the latest and most powerful tools and techniques, eliminating risk in the corporate environment remains an impossibility. It’s not even necessarily a desirable state of affairs, as a certain amount of risk must be present to inspire and bolster innovation and to promote enterprise agility.
So rather than adopting an all-or-nothing approach to assessing and managing risk and to enforcing threat management and cyber-security policies, a more adaptable, far-reaching, and forward-looking mindset is required in order to maximize the benefits and minimize the downsides of the digital landscape.
It’s in this regard that the philosophy of cyber resilience comes into its own.
What Is Cyber Resilience?
Resilience is defined as the toughness and capacity to spring back and/or readily recover from shocks and assaults. So cyber resilience (also hyphenated in some literature as cyber-resilience) may be described as the capacity of an enterprise to return to a stable and operational state (“spring back”) and recover from the adverse effects of risks, cyber-security threats, and changes in its environment.
These changes may be internal and procedural (staff turnover, new technology and processes, changes to regulatory requirements, etc.) or external (data breaches, intrusions, natural disasters, technical failures, man-made events, etc.).
The concept has arisen in response to the realization that historical approaches to enterprise cyber-security which emphasize threat detection, prevention, and a reactive approach to incident mitigation are no longer sufficient. Rather, there needs to be a deeper understanding of risk at an organizational and strategic level.
Cyber resilience therefore involves a strategic approach to evaluating what occurs before, during, and after a threat is encountered by an enterprise system or network.
A long-term and wide-reaching policy of risk evaluation in the enterprise enables an organization to prepare in advance for known and anticipated vulnerabilities and threats. It also allows the organization to develop defenses against those threats, and to budget for and allocate the resources needed to mitigate the effects of a security breach or attack, should one occur.
So cyber resilience requires a risk management policy far-reaching and adaptable enough to support strategic planning: controls proven against historically recorded threats should be refined and reused against new or evolving ones, and risk-transfer mechanisms (insurance, for example) should be extended to cover them.
In practical terms, cyber resilience describes the ability of an enterprise to minimize the impact of security incidents in a network ecosystem that is typically built on hardware and software which cannot be assumed secure, and operated by people who make mistakes, lack security awareness, and are occasionally outright malicious.
On top of this, the digital transformation of enterprise networks through cloud, mobile, IoT and other developments combines with the ever-evolving landscape of cyber-threats to give an enterprise attack surface of increasing area and complexity.
Cyber resilience planning must therefore take into account a number of elements, including but by no means limited to:
- Network infrastructure
- The types of devices, applications, and users on the system
- Network segmentation
- Authentication and access control measures
- Endpoint controls
- Filtering of traffic entering and leaving the network
- Management and deployment of Virtual Private Networks (VPNs)
- Virtualization and software-defined assets
At the heart of cyber resilience are strategic planning and the development of threat and risk management mechanisms that can be applied across different parts of the enterprise and over extended periods of time. For this reason, a number of mathematical procedures have been proposed to formalize the cyber resilience planning process and give it a methodical structure.
Inputs such as user behavior, applications, network assets, process and user interactions, application and system configuration, mitigation procedures, threat models, threat intelligence, and the state of existing security controls are taken into account, and the relationships between them are estimated through statistical analysis and probabilistic modeling.
Given the number of factors involved and the complexity of the mathematics, it has been suggested that this kind of cyber resilience assessment should be delegated to software. This could be scripted locally by IT staff, using parameters specific to their organization, or sourced from one of a number of proposed commercial solutions that incorporate Artificial Intelligence and enhanced analytics tools for cyber resilience planning.
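As an added illustration (not code from the original article, nor from any of the proposed commercial tools), the following Python script shows the kind of locally scripted probabilistic model the paragraph above describes: a closed-form annualized loss expectancy (ALE) for two control configurations, alongside a Monte Carlo simulation that also estimates the tail of the annual loss distribution. The `Scenario` fields, the `simulate` helpers, and every parameter value (attempt rate, breach probability, detection and recovery times, costs) are constructed for the example and are not drawn from the page.

```python
"""Quantitative resilience model: compare two control configurations.

A constructed illustration (not the page's or any vendor's model): annualized
loss expectancy (ALE) in closed form, plus a Monte Carlo simulation that also
yields the tail (p95) of annual loss, which the closed form cannot give.
All parameter values below are invented for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    attempts_per_year: float   # expected attack attempts per year (Poisson rate)
    p_breach: float            # chance an attempt defeats preventive controls
    mean_detect_hours: float   # mean time to detect a successful breach
    mean_recover_hours: float  # mean time to restore normal operation
    loss_per_hour: float       # cost of disruption per hour of outage
    fixed_breach_cost: float   # per-incident cost (forensics, notification, ...)


def single_loss_expectancy(s: Scenario) -> float:
    """Expected cost of one successful breach: fixed cost plus outage cost."""
    outage_hours = s.mean_detect_hours + s.mean_recover_hours
    return s.fixed_breach_cost + s.loss_per_hour * outage_hours


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = annual rate of successful breaches * expected loss per breach."""
    return s.attempts_per_year * s.p_breach * single_loss_expectancy(s)


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's multiplication method (fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_year(s: Scenario, rng: random.Random) -> float:
    """Total loss in one simulated year. Detection and recovery times are
    drawn from exponential distributions with the scenario's means."""
    loss = 0.0
    for _ in range(_poisson(rng, s.attempts_per_year)):
        if rng.random() < s.p_breach:
            detect = rng.expovariate(1.0 / s.mean_detect_hours)
            recover = rng.expovariate(1.0 / s.mean_recover_hours)
            loss += s.fixed_breach_cost + s.loss_per_hour * (detect + recover)
    return loss


def simulate(s: Scenario, years: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo estimate of mean, 95th percentile and worst annual loss."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "mean": statistics.fmean(losses),
        "p95": losses[int(0.95 * years)],
        "max": losses[-1],
    }


# Constructed scenarios: the hardened one assumes segmentation and access
# control cut p_breach, monitoring cuts detection time, and tested backups
# cut recovery time. Attempt rate and per-hour cost are unchanged.
BASELINE = Scenario("baseline", 12, 0.25, 72, 48, 2000, 50000)
HARDENED = Scenario("hardened", 12, 0.10, 8, 12, 2000, 50000)

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        r = simulate(s)
        print(f"{s.name:9} ALE={annualized_loss_expectancy(s):>10,.0f} "
              f"sim mean={r['mean']:>10,.0f} p95={r['p95']:>10,.0f} "
              f"max={r['max']:>10,.0f}")
```

The closed form gives the expected annual loss; the simulation adds the 95th percentile and the worst simulated year, which is what a resilience budgeting discussion actually needs, since a plan that only covers the average year is not a plan for the bad one. Changing one parameter of the hardened scenario at a time shows which control (prevention, detection, or recovery) buys the largest reduction in expected and tail loss.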
Why Is Cyber Resilience Important to Businesses?
Cisco’s 2017 Annual Cybersecurity Report found that, among organizations that had suffered a security breach of one form or another, 22% lost customers and 29% lost revenue, with 38% of those that lost revenue losing more than 20% of it. These are serious financial consequences, and they are made worse by a reactive rather than proactive cyber-security culture that focuses on what are essentially knee-jerk responses to observed events.
A more proactive, multi-layered, and strategic approach to security defense is called for – and cyber resilience provides the principles and working practices required to make this possible.
Beyond the financial and philosophical aspects, the pragmatic approach of cyber resilience, in which plans allow for conditions before, during, and after the emergence of a threat, promises greater effectiveness than an incident-by-incident, emergency-response-only approach.
The forward planning aspects of a cyber resilience policy also act as a hedge against evolving threat actors and attack vectors, and against the emergence of new and even more disruptive technologies that could affect a whole range of enterprise assets as those assets themselves change and diversify.
Key Elements of a Cyber Resilience Strategy
Broadly speaking, the following are essential elements of an effective and comprehensive cyber resilience strategy:
- Corporate, executive, and board-level support must be solicited and maintained – both in obtaining the resources and support required to sustain a cyber resilience policy, and in providing the leadership necessary to create an enterprise-wide culture that embraces the contribution of people, processes, and technology in the creation of a strong security posture.
- Processes and human resources should be carefully assessed and monitored, to ensure that core business and financial processes remain secure and that procedures for continuous improvement of an organization’s cyber resilience are put in place, backed by relevant metrics and performance indicators to gauge success.
- Technologies and security policies should be assessed to determine whether or not current levels of risk and their potential consequences are known, and that systems of control are in place to protect critical assets (including websites, apps and internal software systems) and ensure business continuity.
- Visibility across the entire network must be maintained, so that monitoring staff know when threats are present or imminent, and so that active mechanisms are in place to restore the network to a stable and operational state in the event of a security incident.
- Situational and security awareness training should be integrated into the strategy, in order to create a culture of cyber-security throughout the enterprise.
Cyber Resilience Resources
Since 2011, the World Economic Forum has been active in promoting cyber resilience as an integral part of business strategy. The Forum is currently developing a set of tools and guidelines for raising awareness and understanding of cyber resilience principles and practices on corporate boards.
CERTs (Computer Emergency Readiness/Response Teams) may be called upon to provide an assessment of an organization’s state of cyber resilience. And there’s a growing number of government bodies, private firms, consultancies, and standards-setting organizations contributing to the ongoing dialogue about cyber resilience.