IBM manager: Cyber-resilience strategy part of business continuity
Cyber resilience is increasingly a must for company executives. IBM's Andrea Sayles details the latest threats, as well as best practices for how to be prepared for attacks.
If your organization doesn't have a cyber-resilience strategy for business continuity, it needs to get one.
Andrea Sayles, general manager of IBM Business Resiliency Services, said she has found companies in general are thinking about the "when," not the "if," regarding a potential cyberattack.
"It's top of mind for every C-suite executive that I talk to," Sayles said in a Back up to Basics podcast about cyber-resilience strategy and other IT resiliency issues. "They all want to talk about it. They want to understand the capabilities and what services and offerings are out in the marketplace today."
Sayles said it's important to differentiate between cybersecurity and cyber resilience. Cybersecurity focuses on achieving the security objectives of confidentiality, integrity and availability. Cyber resilience focuses on the ability to withstand and recover from a cyberattack.
Potential threats to business continuity include not just ransomware like the WannaCry attack of 2017 but also what Sayles referred to as a "wiper attack" such as NotPetya, also from 2017, that seeks to destroy data without a possible financial gain.
"As cybercriminals become smarter, we need to also make sure that we continue to stay ahead of [them] and address new threats in the industry," Sayles said.
At the same time that cyberthreats are evolving and increasing, customer tolerance for any downtime is dropping dramatically. IDC recently published a report -- sponsored by IBM -- about technology that can aid a cyber-resilience strategy. Among the standout statistics, IDC research reports that the average cost of downtime exceeds $200,000 per hour. In addition, the report said that cybersecurity is the leading challenge in today's business climate.
"[The report] also talked about the complexity with digital and the complexity of cloud," Sayles said. "Not to say that cloud is not secure, but it's really the new [question] of 'How do we communicate and ensure breaches are able to be handled even in this new wave of digital transformation and cloud?'"
IBM in August launched Cyber Incident Recovery as part of the 7.3 release of its Resiliency Orchestration platform. The product, armed with immutable storage support and air-gapped protection, aims to quickly recover applications and data in the event of a cyberattack.
Listen to the podcast and read the transcript below to learn more about IBM's work in the field, cyber-resilience strategy and business continuity best practices, standouts from the IDC report and some of the biggest threats out there today.
Editor's note: The following transcript has been edited for clarity and condensed.
There are so many cyberthreats out there right now. What are some ways organizations can better recover from and minimize the impact of these threats and actual cyberattacks?
Andrea Sayles: Today, global cyberattacks are occurring at a much higher rate than they have in the past. I think everyone is seeing the extensive media coverage, bringing cyber resiliency and cyberattacks to a new level of awareness within the business community, both IT professionals and the general public. If you pick up a paper or go online, you'll see, unfortunately, all too often a public company that has been hit by a cyberattack.
So there's definitely heightened awareness from a cyberattack standpoint, and now organizations have to figure out how to deal with that. From a disaster recovery and business continuity standpoint, we're used to the earthquakes and floods and typhoons and hurricanes, but this is a whole new business that, from an organizational standpoint, everyone at the C-level is interested in and has to be concerned with.
It's not just the CIO anymore. It really goes from your board to your CEO to your chief risk officer, chief security officer, chief operational officer. Everyone needs to be aligned around a common set of objectives and how to ensure compliance to make sure that there's not only a unified approach to recovery but also a unified approach to communication.
Do you think organizations are fully aware at this point that it should be an approach taken throughout the organization, as you said, including management and all kinds of tiers of the organization? Do companies know that they really need to tackle a cyber-resilience strategy comprehensively?
Sayles: It's top of mind for every C-suite executive that I talk to. It's a very interesting topic. They want to understand what services and offerings are out in the marketplace today. But not many are willing to talk publicly about it. Unfortunately, the ones who are talking publicly are the ones who have been hit.
But I definitely believe it's top of mind for everyone, and it's not something that's just in the chief information security officer's office anymore. At the end of the day, businesses are spending a lot more time now on how they respond and recover from a cyber incident or cyberattack than they did before.
There isn't a C-suite executive who I've talked to in the past six months who hasn't been very anxious to talk to me and to talk to the folks that work for me, to learn about what's out there in the marketplace and how they can keep their company safe.
Is it specifically ransomware, or are there many other cyberthreats that executives are worried about right now?
Sayles: It's not always ransomware because in the case of NotPetya, which happened last year, that malware really was, in fact, more characteristic of what we would call a wiper attack. It was intended to destroy data rather than provide a financial gain like the traditional ransomware attack. In that case, there was no mechanism to unlock the disabled machines even if a payment had been made.
Today's attacks are not necessarily always for financial gain, but sometimes it's notoriety and sometimes just to cause disruption in the industry. It's moved to something that is much more destructive and therefore much harder to for and to remediate against.
So how are organizations generally preparing for attacks like that? What are some cyber-resilience strategy best practices that they're employing?
Sayles: The switch is that companies are not thinking about the 'if,' they're thinking about the 'when.' Studies have said that in the next two years, there's a one in four chance that a company will be attacked.
Historically what we look at is the National Institute of Standards and Technology framework that talks about 'identify, protect, detect,' then 'respond and recover.' So it's a five-tiered kind of a lifecycle.
Traditionally, organizations have spent their time, money and focus on the 'identify, protect and detect' from a cybersecurity standpoint, or cybersecurity focusing on security objectives for confidentiality, integrity and availability. But the shift is moving around the framework to the 'respond and recover,' and that really focuses on the ability of an organization to get back into an operating mode as quickly as possible.
Cyber Incident Recovery is a capability that IBM recently launched in its Resiliency Orchestration offering. Can you describe some more details about what's new with that capability?
Sayles: It's a recently announced capability in Resiliency Orchestration 7.3. It's software that's available in a perpetual or subscription, and it's also available as a service. It's the creation of automated workflows that run on our disaster-recovery-as-a-service orchestration platform. It enables an organization to recover from a cyberattack that's penetrated all data copies, including operational backup.
Many times an organization is running a continuous backup, but in the event of a cyberattack, that attack and that malware is in there and destroys the data or corrupts the data in those backups. The new Cyber Incident Recovery capability offers quick recovery to reduce downtime and meet recovery objectives.
There's point-in-time data recovery to reduce storage costs. There's immutable storage to meet regulatory compliance. Many of our companies and clients and organizations have very strict regulatory controls. There's the "golden copy" in a virtual air gap to assess and reduce the risk of the data corruption across your normal production networks. Finally, there's data verification to ensure that that backed-up data remains viable following an attack. And it's viable because the golden copy is put into that immutable storage inside the virtual air-gapped storage.
Do you see the platform evolving over the next year or so? Are there any areas where you think the product can be improved or enhanced?
Sayles: We already have a roadmap to make additional features, functions and capabilities available. We'll be looking to come out with a new release with additional capabilities. And we'll be announcing something in probably the quarter next year. You'll see additional capabilities for both the air gap and the immutable storage.
As cybercriminals become smarter, we need to also make sure that we continue to stay ahead of them and address new threats in the industry as they come out.
We're also in the middle of hurricane season. What are some ways different from a cyber-resilience strategy that organizations can prepare for recovery from natural disasters?
Sayles: This involves what I would call the traditional business continuity and recovery process. You could say, 'Well, maybe I can't plan for an earthquake.' But a hurricane is much easier to plan for. They still can be as impactful to the business as a cyberattack. But businesses can plan for it, and our clients traditionally have spent time and money focusing on the recovery of that activity and how they protect the business and the people.
From an IBM standpoint, we've got facilities that have integrated both cloud and traditional data centers and traditional recovery capabilities. We're monitoring those disaster events and mobilizing our resources to make sure that we've got infrastructure available for clients at all times. We're making sure that infrastructure is properly configured and businesses can handle the threats.
IBM has recently enhanced partnerships with several data protection vendors, for example, Actifio and Zerto, just to name a couple. What do those partnerships bring to the table for IBM?
Sayles: We will always look to bring partners in to enhance and supplement our offerings. Many times, our partners have capabilities that allow us to get something to market sooner. And we will continue to assess and evaluate the capabilities of those partners that we have long-standing relationships with, such as the ones you had mentioned. We'll continue to work with them. We'll also continue to evaluate new partners.
Finally, is there anything else that you wanted to mention about cyber-resilience strategy or your company that we didn't touch on?
Sayles: Incidents that once would have been considered extraordinary are becoming more and more commonplace today. Given that, it is imperative for organizations to revisit their traditional security programs and develop cyber-resilience capabilities and processes to figure out how to out-think cybercriminals. The costs of breaches are in the hundreds of millions to billions of dollars.
We have to have a much more holistic view across the organization when it comes to how we develop plans and how we enhance what our clients have today to address these new threats in the world.