How to become a cyber resilient organisation

Estevenson Solano    15 September, 2022

Fear, panic and uncertainty are some of the feelings constantly experienced in corporate leadership. In management committees, the big question is frequently asked: is our cyber security working?

Alongside it come others: What are the new behavioural patterns of adversaries? How do we understand cyberspace in order to design, build and implement a cyber security strategy? How do we perceive the cyber threat landscape? Are we considering retrospective, prospective and panoramic aspects in order to define a cross-cutting and comprehensive cyber security strategy?

The National Institute of Standards and Technology (NIST) defines resilience as “the ability of an organisation to transcend (anticipate, resist, recover from, and adapt to) any stress, failure, hazard, and threat to its cyber resources” within the organisation and its ecosystem, so that the organisation can confidently pursue its mission, enable its culture, and maintain its desired way of operating.

Comprehensively understanding the impact of cyber risks on an organisation is a complex but critical factor in strengthening cyber resilience. Therefore, frameworks and tools are needed to equip human talent to understand and communicate the prevailing cyber risks and their impact.

Cyber resilience must be seen as a strategic imperative.

Cyber resilience and its benefits must be clear to corporate leadership. Therefore, it is important to translate the impact of the state of cyber resilience into operations, strategy and business continuity. It is a commitment to position cyber resilience as a strategic imperative.

However, current figures and developments indicate that much work is needed to close the cyber resilience capability and performance gap between industry ecosystems and within organisations.

The World Economic Forum’s (WEF) Global Cybersecurity Outlook 2022 found that only 19% of respondents feel confident that their organisations are cyber resilient, indicating that a large majority know that their organisations lack the cyber resilience they need to be commensurate with the risks they are exposed to.

In addition, the report found that 58% of respondents believe their partners and suppliers are less resilient than their own organisation, and 88% are concerned about the cyber resilience of the small and medium-sized businesses that are part of their ecosystem.

In another Accenture report, 81% of respondents said that “staying ahead of attackers is a constant battle and the cost is unsustainable”, compared to 69% in 2020.

This indicates that as organisations, ecosystems, supply chains and supplier relationships become more interconnected and interdependent, and as the pace of change and transformation accelerates, not only is resilience lagging, but so is a cohesive approach to how resilience is designed. It is increasingly clear that, despite this interconnectedness, there is no alignment to jointly overcome disruptive cyber events.

Is your organisation prepared for what is to come, and can you measure your organisation’s capability in the face of various attacks, threats or incidents? It should be emphasised that no matter the size, economic sector or risk profile of your organisation, all organisations are exposed to increasingly sophisticated, evolving and innovative cyber attacks.

The reality is that many organisations are ill-equipped to demonstrate their capability to withstand sophisticated cyber-attack behaviour. What do we need? Where are we joining forces to move forward? Do we have the operational, technical and strategic capabilities? How can we draw up a roadmap? What are we doing and how can we improve?

Many organisations are poorly prepared to withstand sophisticated cyber-attacks.

Cyber resilience is not just about creating a contingency plan and continuity of operations; it goes beyond ensuring availability and focuses on resilience in the aftermath of a disruption to the technology infrastructure.

How prepared is our organisation, and how is it strengthening its capabilities to identify, detect, prevent, cancel, recover from, cooperate on and continuously improve against cyber threats?

The Cyber Resilience Index: Advancing Organizational Cyber Resilience 2022 report (WEF) found that the top four reasons why cyber resilience is limited in today’s ecosystems are that many organisations:

  1. Have a narrow perspective on cyber resilience, focusing primarily on security response and recovery.
  2. Lack a common understanding of what a comprehensive cyber resilience capability should include.
  3. Find it difficult to accurately measure the organisation’s cyber resilience performance or to communicate its true value to senior management.
  4. Struggle to be transparent within their organisation and with ecosystem partners about the shortcomings of their cyber resilience posture and their experiences with disruptive events.

Characteristics of a cyber-resilient organisation

The approach to cyber resilience must also be free of the fear-driven constraints that come from merely preserving the status quo, constraints that are so often followed by attempts to return to a demonstrably fragile state when disruption predictably occurs.

The reward of making cyber resilience part of the ethos is a greater opportunity to take healthy risks, innovate and responsibly capture the value of tomorrow’s digital economy.

Here are some resilience techniques that you can implement to mature your security programmes and improve your ability to provide services to customers during a cyber incident:

  • Adaptive response: Optimise the ability to respond in a timely and appropriate manner to adverse conditions.
  • Analytical monitoring: Maximise the ability to detect potential adverse conditions and reveal the extent of adverse conditions.
  • Coordinated protection: Require an adversary to overcome multiple safeguards.
  • Deception: Deceive or confuse the adversary, or conceal critical assets from the adversary.
  • Diversity: Limit the loss of critical functions due to the failure of common replicated components.
  • Dynamic positioning: Impede an adversary’s ability to locate, eliminate or corrupt mission or business assets.
  • Dynamic representation: Support situational awareness and reveal patterns or trends in adversary behaviour.
  • Non-persistence: Provide a means to limit an adversary’s intrusion.
  • Privilege restriction: Restrict privileges based on user attributes and system elements.
  • Reordering: Reduce the attack surface of the defending organisation.
  • Redundancy: Reduce the consequences of loss of information or services.
  • Segmentation: Limit the set of potential targets to which malware can easily spread.
  • Integrity checking: Detect attempts by an adversary to deliver compromised data, software or hardware, as well as successful modification or fabrication.
  • Zero trust: Question the organisation’s security practices and policies, and ask for and expect clear answers.
  • Unpredictability: Increase an adversary’s uncertainty regarding the system protections they may encounter.

It is imperative for the success of a cyber resilient organisation to design, build and manage cyber resilience and then get the fundamentals right. Cyber resilience must be part not only of the technical systems, but also of the teams, the organisational culture and the day-to-day way of working.

Cyber resilience must be a pervasive mindset underpinned by a holistic approach within organisations and across their ecosystems. For decades, cyber resilience management has been underrepresented and confused with other principles in cyber security programmes.

Today, more than ever, there are many positives. We have come a long way in a short time. But the key is not to become complacent, to reaffirm our commitment to improvement, and to recognise that the attacker will come back with new capabilities and skills.
