The term “resilience” comes from physics: It’s the ability of a substance to return to its usual shape after being bent, stretched, or pressed. Tennis balls are often cited as examples of resilience: Toss a ball and it will bounce back without its shape being changed. This stands in stark contrast to tomatoes: Throw a tomato and you'll probably need to jump away avoiding splashes on your clothes.
The resilience term has been adopted by the IT community, particularly as it relates to security. Cyber resilience is the ability to keep IT systems up and running while under attack. Indeed, one definition states: “Cyber resilience refers to an entity's ability to continuously deliver the intended outcome, despite adverse cyber events.” The goal is to avoid business downtime and all associated costs, including the loss of revenue, productivity and customer loyalty.
Given today’s relentless barrage of cyberattacks, it’s vital to develop cyber resilience to ensure your organization can stay productive and secure. Cyber resilience involves three key aspects:
- Making it hard for an adversary to successfully complete an attack
- Being ready to operate while under attack
- Using experience to bounce back better in the future
With these aspects in mind, cyber resilience is more than just a new way of talking about disaster recovery and business continuity. Evolving your organization to be resilient towards cyberattacks will embed digital security into all your critical business processes that deliver the value of your business.
The questions listed below can help your organization identify the blind spots and security gaps you should address to improve cyber resilience across these three dimensions.
- Are we able to swiftly alert the organization about an increased likelihood of a cyberattack?
- Are we able to identify all critical business processes that could be impacted by a cyberattack?
- Are we aware of each critical IT asset in each of those business processes?
Quite often department heads are not aware of the cyber risks their digital assets face or how an outage would impact their abilities. Check out these questions to improve the visibility of relevant processes and communication between non-security and security people.
Risk Detection Capabilities
- Can we detect technical and organizational gaps that make the organization vulnerable to cyberattacks?
- Do we anticipate attacks affecting our business processes using simulations or what-if scenarios?
Every organization evolves: new products and services aim to create additional value-generating streams and require specific changes. Such changes are inevitably associated with gaps and vulnerabilities: a new asset is not assigned the needed protection profile, or a strict cyber security policy forces employees to circumvent to be inline with the new setup. If you can detect these risks, you are on your way to digital resilience.
- Can we effectively mitigate or remediate the risks and vulnerabilities we identify?
- Are our business processes aligned with our cybersecurity operations and architecture?
- Are we able to quickly respond to the emergence of new threats or cyberattacks?
- Can we efficiently alleviate the impact of a cyberattack on critical business processes?
- Do we use the lessons learned during cyberattacks to improve our cyber resilience?
These questions might sound familiar (technically thinking of vulnerability assessment), however, they cover a lot more. If you have developed ways to continue to deliver your value-add during an attack, and to improve any short comings here, you have made some good way into cyber resilience.
By providing honest answers to these questions, your organization can determine exactly where there is space for improvement in your cyber resilience strategy. In other words, this checklist can help you turn a tomato into a tennis ball so your organization can bounce back with resilience.