There is universal acceptance of the need to be cyber threat resilient—anticipating, preparing for and responding to events and adapting these efforts to continuously changing threat profiles. Creating the security-minded organizational culture needed to achieve resilience remains elusive. One challenge is that the human elements of commitment, collaboration and education are often overlooked. If your cyber risk management efforts remove key human elements from the “machine,” you might accomplish compliance but not resilience.
Kurt Lewin, the father of modern social psychology, put it best: “If you want truly to understand something, try to change it!” Below are three key “resilience killers” from lessons learned over years of working to change organizational mindsets to establish resilience. These are behaviors you should strive to avoid when maturing your cybersecurity capabilities.
- Lack of commitment. Many organizations address resilience as a stand-alone goal, compartmentalizing cyber resilience as a network management priority and moving it down the list past revenue and profitability, growth and acquisition, cost control and talent strategy. Leadership needs to recognize that cyber resilience is an underlying element that supports all business priorities. Technology solutions need to connect to the people, processes and protocols that drive business. The impacts of a cyber event are not siloed in one area of the company. Direct costs (forensics, legal fees, compensation for personal data compromise, theft of financial assets), operational costs (systems and service delivery disruptions) and the cost of decreased customer confidence all result in lost time, productivity, revenue and possibly executive jobs across lines of business.
- Static risk management. Intending to manage risk proactively is of little use if your organization cannot let go of “our way” or “the way it’s always been done.” Being dynamic requires agility – the willingness to change quickly and efficiently to meet emerging threats and think differently about your risk environment and security profile. Companies become static when they define strategies based solely on subjectively measured risks coming from independent operating units and fail to incorporate how the executive team looks at overall risk. Executive risk assessment of core functions should be paired with traditional business impact analysis at the process level, putting the greatest focus on the areas deemed the highest risk by senior leaders. This top-down approach creates an opportunity for IT to educate the business on how the application of technology addresses risk and enlightens IT leaders on when to tighten/loosen specific recovery objectives to satisfy business requirements.
- Limited training. Cybersecurity strategies often place emphasis on technical training that is limited to network teams. The critical need to develop leadership skills and build employee awareness, which together create a security-minded culture, is overlooked. Despite advances in cyber defense technology and security monitoring expertise, security infrastructure is only as strong as its weakest link. Most often, that link is human. Training that constantly reinforces security awareness among employees, partners and clients is not just wise; it is mission critical to becoming resilient.
Keeping these human elements of cyber resilience alive within the threat management machine is an ongoing, continuous organization-wide process. Honesty about how your organization matches up against resilience killers can help you establish a benchmark from which you can set new cybersecurity goals, policies and procedures and guide your path to creating a security-minded culture. An agile cyber defense model serves as a strong demonstration of preparedness, resilience and success, which will inspire confidence among all your key stakeholders.