Businesses must focus on cyber resilience to withstand the near inevitability of security incidents -- and gain an edge on competitors.
Speakers at this week's MIT Sloan CIO Symposium pointed to a shift in thinking on cybersecurity, which has traditionally focused on assessing risk and devising protections. The National Institute of Standards and Technology's Cybersecurity Framework breaks the task into identify, protect, detect, respond and recover. Stuart Madnick, co-founder of Cybersecurity at MIT Sloan (CAMS), suggested organizations should pursue a better balance among those activities.
"Where most of the energy goes is protection -- better firewalls, better coding and so on," he said. "The biggest issue companies now need to focus on is how to be more resilient. Don't assume that you won't be cyber attacked. I can't tell you when. I can't tell you what way. But assuming it will happen, how well prepared are you?"
Keri Pearlson, CAMS' executive director, said resilience calls for new beliefs and language around cybersecurity.
"It's a whole program of thinking differently, just changing the words from 'Let's protect' and 'Let's be able to respond' to 'Let's be resilient.'"
Cybersecurity executives underscored the importance of cyber resilience.
"For me, it's Darwinian," said Esmond Kane, chief information security officer at Steward Health Care, a healthcare system based in Dallas that operates 39 hospitals. Kane, who participated in a cyber resilience panel at the MIT Sloan event, cited ransomware as a particularly dangerous threat to enterprises.
"If you don't take the proactive measures, you're going to learn the hard way that ransomware isn't an IT problem -- it's a business problem," he said.
Preparing for trouble is paramount. Businesses should build a plan for sustaining operations amid a cyber attack, although the act of planning may prove more useful than the plan itself.
"What we found, very quickly, was that the core concept around resilience is in preparing," Kane said. "Now unfortunately, when you do prepare, you will find that no plan survives first contact."
The COVID-19 outbreak, the mass adoption of cloud technologies and the follow-on pandemic of cyber attacks put many plans to the test. Steward Health Care's planning exercise, however, created an "organic understanding" of who to talk to as a facilitator or coordinator amid an attack and established lines of communications to be used when needed, he noted.
Planning fosters resilience, which, in turn, helps an enterprise stand out from competitors.
"Our ability to adapt to control and manage change associated with that massive change in risk profile was a competitive advantage," Kane said.
Schneider Electric, a French multi-national that makes industrial automation and control systems, manages three aspects of cyber resilience: its internal security posture, the security of the products it sells and customers' secure deployment of those products, said Fred Cohn, director of cybersecurity and digital risk leader for the digital offer practice at Schneider Electric.
Cohn said customers have become more sophisticated over the years. They are not only inquiring about product security, but about how Schneider Electric protects its own enterprise, he said.
"The two of those [questions] are intertwined now as part of the answer," Cohn noted.
The other part of the answer involves how customers use the company's products. Schneider Electric aims to ensure that clients properly install its offerings, he said.
"Resilience, for us, is really looking at both sides," Cohn said. "It's critical for us that we make sure that we help them, we guide them, cajole them, to try to make sure that they take care of themselves as much as we take care of our own house."
Rolling with the punches
MIT and industry executives define resilience as a series of events from preparation to recovery. What resilience isn't, however, is throwing in the towel, according to David Masson, director of enterprise security at Darktrace, a cybersecurity AI company headquartered in Cambridge, United Kingdom. He said shutting down an organization to stop an attack sends the wrong signal.
"To me, building cyber resilience … is about taking the punch when you get attacked and rolling with it," Masson said. "You keep going while you're under attack, and you keep moving, and that will reassure people. That will give you an advantage, particularly in the supply chain."