On the face of it, cyber resilience has a simple, singular output: the continuation of operations despite an adversary’s efforts to the contrary. Scratch beneath the surface, however, and it quickly becomes apparent that achieving this relies on a complex network of interwoven factors working in harmony.
It requires a holistic approach to risk reduction — people, processes, and technology all continually optimized as the nature of the threat landscape changes. A multi-part countermeasure endlessly morphing to match emerging threats.
This is no new revelation. Blueprints for a systemic approach to cyber resilience have been around since the 1970s, with a U.S. task force on computer security noting at the time: “A combination of hardware, software, communications, physical, personnel, and administrative, procedural safeguards is required for comprehensive security.”
Key actors realize this. The White House recently released suggestions for how organizations can protect themselves against a rising threat, providing a high-level guide for prioritizing different elements.
Realization is only one part of the equation, however. Achieving and maintaining resilience is another part completely.
To achieve cyber resiliency, it is important to first agree on what it entails. This is not as straightforward as it sounds since executive teams and chief information security officers (CISOs) often have differing definitions. A lack of alignment at these early stages will cause everything to skew.
It’s interesting, for example, to see the disparity in numbers from the World Economic Forum’s report about the ways cyber resiliency is understood. There is a perception from business executives that their organization is cyber resilient, yet security leaders aren’t so sure. In fact, almost half of security executives (45%) do not agree. This perception gap highlights how misaligned organizations really are in understanding threats. It also, unfortunately, suggests that while executives think they understand cyber resiliency, they likely require additional knowledge, skills, and judgment around cybersecurity as a whole.
Publications such as the recently updated NIST Cyber Resiliency Framework go some way to helping organizations understand the breadth of elements at play. While such guides are not intended to be accessible to the majority of the executive function, they provide a crucial mandate from a government-backed organization for a systems-wide approach to resilience.
Knowledge, skills and judgment in resilience
Potentially the most valuable constituent part of resilience is the human aspect. Some of the most inspired acts of organizational cyber defense have been due to human capabilities. One example is the security leader at Maersk, who was able to hunt down the last remaining copy of Active Directory in Nigeria to breathe life into an otherwise paralyzed company.
Getting this element right consistently and in a way that achieves strategic goals is difficult because human cyber capabilities cannot traditionally be measured. The fact that the impact of cyber risk is now spreading across the entire organization makes this even harder. Now you have to understand not only how the InfoSec team manages cyber risks, but also how the legal, communications, supply chain, and development teams, and more, manage them. Without understanding a baseline of how effective the workforce is in a cyber crisis, what ability it has to mitigate breaking threats, or how good AppSec capabilities are, for example, it is impossible to improve resilience.
The impact of human capabilities on resilience is not static either. As the threat landscape continually advances, knowledge, skills, and judgment decay and become less relevant over time. Like anything in cybersecurity, up-to-date data is central to a relevant and effective risk reduction strategy.
It’s only with relevant data to determine the level of human capabilities across the whole workforce that organizations know how truly resilient they are. Only then can they leverage a hugely underestimated part of the resilience equation.