There is a wave coming to every enterprise, every technology vendor, every supplier of IT goods and services. This wave is called ‘cyber resilience’. I’m claiming a measure of clairvoyance over this coming trend because the alternative to it is that industry and government don’t change their current stance, and inevitably, the numbers of organizations crippled by ransomware and data breaches continues to escalate. Society, the economy, governments – we can’t stand for inaction any longer.
Part of the answer is to establish a cyber resilience mindset and reassess the people, policies and technologies being employed. Then, move to a position of proper, risk-appropriate security. The benefits of doing so for organizations, nations, and the international community are enormous. Getting there will take bold thinking and decisive action.
Look, too, at the morality and ineffectiveness of paying ransoms. Some, like Colonial Pipeline, felt that they have no other recourse to get back up and running. But, by doing so organizations fuel the problem – and they don’t stop themselves from getting targeted by other criminal groups – or even the same adversaries again, later.
Business needs to reset this situation, which can – without hyperbole – be described as a runaway plague. It has similarities, and a similar solution, to the 2008 financial crisis. After the bailouts, banks were instructed to carry less risk, and to keep more capital in reserve. To put this in our cybersecurity terms, they were forced to become more operationally resilient. The lesson the banks learned was that it is vital to be better prepared for the actual hazards facing them.
So, businesses are operating in a world with myriad cybersecurity risks, but despite the headlines, many are caught underprepared because they have not developed cyber resilience.
It starts with a resilient mindset
Cyber resilience is not merely having a cybersecurity policy, some technology, or even a managed service in place (laying off the burden elsewhere). Just like mental or fiscal resiliency, it starts from a place of self-knowledge and understanding, from having plans – but accepting that negative experiences are going to happen, and then having a serious conversation about tolerance: What can or will you tolerate, as a business?
Some negative situations can be managed, some must be taken on the chin and waited out, or will not impact the business enough to be a major concern. But others are more serious and mitigation and defense plans, policies, and people must be prepared to play their parts. Given the serious nature of the topic, which can and does end businesses, this should be a key corporate initiative. Resilience and recovery can be part of the business plan, an expected part of doing business in the digital age.
The business – the entire business – needs to know what the tolerance is for an IT failure. From the board to the front line workers there needs to be an understanding of how secure the business is, and why cybersecurity decisions need to be made. It’s part of a commercial mindset, and will ensure everyone can take shared responsibility for security, when they know the big picture, the risks, and the costs.
There’s a business saying: “You invest to avoid a crisis OR you invest because you are IN a crisis.” The former scenario is clearly preferable.
If, or when, negative cybersecurity situations happen, and the odds are high that every business will face them, either directly or as collateral damage, the correct response is not a ‘blame’ situation. It’s to already know, to rely on a plan focused on simple questions: How quickly can we recover? How will we build back better?
Focus on realities, and the right responses. It’s important not to fearmonger. Instead, talk about enablement.
Ensure specialists are consulted, but always remember that specialists are exactly that: They focus on one domain, and a business is an organization made up of different kinds of people, departments, technologies, and policies. It can be said, by way of example, that doctors look at a patient’s problem ‘through a straw’, with their own specialisms. They sometimes don’t think about the whole patient. Build in strength against this narrow approach and really build a team that can utilize a truly ‘common sense’ to look up at the holistic situation.
What does it take?
Stop thinking about technology for a start, and think about the journey to cyber resilience, and its concrete, measurable outcomes.
Educate your stakeholders. Think about the long-term journey, not about buying a quick fix, or setting and forgetting a policy, or outsourcing to a managed provider. No single measure is the answer, even if they form a part of the holistic solution.
Focus on resilience and on recovery as the two overarching pillars of corporate resilience. When drilling down into the detail, the lens should be on deployment, operationalization, and time to value. The managers’ mantra, that success must be measurable, still applies. As an organization, the board and the security team must agree on what success looks like.
When done correctly, security should be the department of ‘go’, not stop. Security experts should be telling their teams “do it like this” and provide the guardrails that allow the business to be agile and creative in its business execution.
For a rapid leg-up on these topics, the ‘big four’ accountancy firms are taking this seriously, and publish information on resilience. There is the NIST framework, detailed work from ENISA and, in the US, President Biden’s framework and infrastructure bill focuses on resilience.
And so should you.
