How to build a cyber-resilience culture in the enterprise
Discover how organizations can build a culture of cyber resilience by reducing risk, limiting damage, having a disaster recovery plan and assuming a cyber attack is coming.
Cybersecurity and cyber resilience are not the same. They're related, of course, but each has its own demands, principles and mindset.
Cybersecurity is an organization's ability to protect its information assets from digital threats and vulnerabilities, whereas cyber resilience refers to an organization's proactive ability to do the following:
- anticipate where threats are going to come from;
- manage the attacks when they happen; and
- have the visibility to adapt to future threats.
Cyber resilience also assumes a breach has or will happen and provides the foundation to prepare and manage through such an attack.
Read on to learn how to build a culture of cyber resilience.
Cyber-risk without reward
As fast as businesses are growing and expanding, so are risks and disruptions. With the pressure for organizations to use more technology in the form of digital transformation strategies and the growth of the hybrid workforce, organizations are faced with an increased cyber-risk that needs to be managed and mitigated.
Despite best efforts to reduce risks, it's unlikely any organization can prevent attacks that target business-critical resources, especially when attack surfaces are broadened. At the same time, it's key that businesses aren't beholden to the fear of cyber threats. That fear would hamper innovation, critical growth and transformation, as well as enable competitors to surpass them.
Damage limitation with cyber resilience
Limiting the effect of an attack or vulnerability requires coordination and collaboration from security, IT and the business.
The business has ultimate responsibility for managing risk. Risk is a sliding scale -- some risks must be accepted, and some can be temporarily ignored. Other risks are codified in liability, and regulation can't be ignored, which raises the question: Which protections can be maximized? It should be those that pay dividends in securing the business, while encompassing a proactive approach when dealing with a data breach.
Road to recovery
Many organizations have a disaster recovery (DR) plan in place. However, traditional backup and recovery plans do not take into consideration how cyber attacks or vulnerabilities can still affect backups and recovery systems.
Organizations could reintroduce the same vulnerabilities or increase the effectiveness of a cyber attack if they rely solely on a DR plan. DR plans recover data -- not the security, services and workstreams surrounding it. Successfully restoring key systems after an attack means restoring applications, platforms, networks and the security that supports them. An encompassing approach to recovery requires fluidity and the ability to switch response tactics -- something that requires cross-functional collaboration and dedication.
Adapt and press on
Cyber resilience provides a holistic approach that links business, operations and technology considerations. It requires that enterprise security be approached from the perspective of what you're going to do when you get attacked -- work with the assumption you'll get hit.
The best approach to creating a solid cyber-resilience program is to apply the anticipate, withstand, recover and adapt foundations.
About the author
Geoff Hancock is global director of cybersecurity engineering at World Wide Technology, where he leads a team of architects and technical experts to provide assessment, consultation and implementation services to customers and partners. Hancock is also chairman of the Federal CISO Alliance and board member of the National Technology Security Coalition, the largest private sector CISO group. He is also adjunct professor at George Washington University, where he teaches the World Cyber MBA program.