CISO's guide to demonstrating cyber resilience
Elevating cybersecurity to a state of resilience requires a security team to adapt and strengthen defenses. The result should be that a future attack is less likely to succeed.
Cyber-resilient organizations have the ability, skills, commitment and resources needed to improve their security programs, stay ahead of malicious actors and respond to future attacks.
Building a cyber-resilience program is no easy feat. Even more difficult, CISOs must demonstrate their organization's cyber resilience capabilities to its customers, stakeholders, government regulators and other third parties. Demonstrating cyber resilience enhances a company's security, competitive position and reputation; proves the company is serious about protecting its customers and their data; and helps ensure compliance with domestic and global cybersecurity standards and regulations.
To successfully demonstrate cyber resilience, CISOs must identify, document, and verify evidence that clearly signals the organization's commitment to a culture of resilience.
Below are activities that CISOs can use to demonstrate their organization's commitment to and expertise in cybersecurity and cyber resilience.
Show that governance embraces cybersecurity
An important ingredient in cyber resilience is establishing a culture that embraces cybersecurity. Organizations can show that they view cybersecurity as a front-line activity, not an afterthought, by doing the following:
- Documenting cybersecurity policies and strategies, as well as how they are regularly reviewed and updated.
- Identifying who within the organization, such as CISOs, CIOs and CTOs, has responsibility for specific strategies and tasks.
- Showing how cybersecurity efforts have board-level commitment, support and funding.
These activities demonstrate that cybersecurity is embedded in virtually all aspects of the business.
Integrate risk management with cybersecurity
Managing cybersecurity is fundamentally about managing risks, threats and vulnerabilities. Cyber-resilient organizations can demonstrate how they build risk practices into every aspect of cybersecurity by doing the following:
- Employing risk frameworks and methodologies to ensure that risk is part of decision-making.
- Preparing and regularly updating risk registers and their associated mitigation plans that address cybersecurity.
- Using risk-based practices when working with third-party organizations.
- Completing periodic risk assessments and business impact analyses for systems and resources that might be at risk.
These activities demonstrate the emphasis management places on cyber-risk management.
Adopt frameworks and best practices
Organizations that use specialized cybersecurity frameworks, such as NIST's Cybersecurity Framework and "ISO 27001: Information security, cybersecurity and privacy protection -- Information security management systems -- Requirements," prove that they are employing best practices. To demonstrate this, organizations should do the following:
- Document policies, procedures and audit reports to show that the organization adheres to cybersecurity standards, regulations and frameworks.
- Document the control technologies in use, such as firewalls, intrusion detection and intrusion prevention systems, MFA and encryption.
- Show how the organization implements physical controls at data centers and other facilities.
- Track administrative controls such as user awareness training, change management and access assessments.
These activities provide evidence of the organization's security posture.
Validate resilience through independent evaluations
Independently produced audits and assessments help build trust in a security program. Organizations should do the following:
- Arrange for audits and assessments by qualified independent firms.
- Consider specialized audit reports, such as SOC 2, a compliance standard for ensuring that service providers properly protect sensitive data.
- Pursue third-party certification of ISO 27001 compliance.
- Show results of penetration tests and other forensics activities.
Independent reviews demonstrate an organization's confidence in its cybersecurity readiness and acceptance of third-party scrutiny.
Show incident response and recovery capabilities
It is not enough to prepare for a cyberattack. CISOs must demonstrate how their organizations will respond to and recover from an incident, as well.
To demonstrate this, do the following:
- Document the organization's incident response plan.
- Show how disaster recovery, business continuity and cybersecurity plans address specific events.
- Establish recovery time objectives and recovery point objectives.
- Report results of testing activities, such as tabletop exercises and digital forensics challenges, that describe lessons learned.
These actions provide proof that the business can effectively detect, respond to and recover from many types of cyberattacks.
Adopt performance metrics
Organizations can demonstrate that they use applicable metrics and can show cybersecurity maturity and discipline by doing the following:
- Tracking recognized incident response metrics, such as mean time to detect and mean time to respond.
- Identifying and measuring cybersecurity KPIs.
- Documenting results of prior audits and how recommendations from those were completed.
Analyzing metrics demonstrates a commitment to issues central to cyber resilience.
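The metrics this section names (mean time to detect, mean time to respond) and the recovery objectives from the incident response section (RTO, RPO) are only useful as evidence if they are computed the same way every reporting period. The following Python script is an added example, not code from the article or its author: it takes a constructed incident register with the timestamps a SOC would record, derives MTTD and MTTR in minutes, and flags incidents whose recovery exceeded the organization's stated RTO or RPO. The field names, the sample incidents and the 8-hour RTO / 4-hour RPO targets are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """One row of an incident register (field names are assumed, not from the article)."""
    incident_id: str
    occurred: datetime          # when malicious activity began, per forensic analysis
    detected: datetime          # when the first alert was raised
    contained: datetime         # when the response team contained the incident
    service_restored: datetime  # when the affected service was back in production
    data_loss_window: timedelta # time between last good backup and the incident


def time_to_detect(i: Incident) -> timedelta:
    return i.detected - i.occurred


def time_to_respond(i: Incident) -> timedelta:
    # Measured from first alert to containment, i.e. the response team's own clock.
    return i.contained - i.detected


def time_to_recover(i: Incident) -> timedelta:
    # Measured from the start of the incident, which is what an RTO is compared against.
    return i.service_restored - i.occurred


def mean_minutes(deltas) -> float:
    return mean(d.total_seconds() for d in deltas) / 60


def summarize(incidents, rto: timedelta, rpo: timedelta) -> dict:
    """Produce the figures a CISO would report for one period, plus RTO/RPO breaches."""
    return {
        "incidents": len(incidents),
        "mttd_minutes": mean_minutes(time_to_detect(i) for i in incidents),
        "mttr_minutes": mean_minutes(time_to_respond(i) for i in incidents),
        "rto_breaches": [i.incident_id for i in incidents if time_to_recover(i) > rto],
        "rpo_breaches": [i.incident_id for i in incidents if i.data_loss_window > rpo],
    }


# Constructed sample register: three fictional incidents for one reporting period.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 8, 30),
             datetime(2024, 1, 10, 10, 0), datetime(2024, 1, 10, 12, 0), timedelta(hours=1)),
    # Overnight intrusion detected late; recovery and data loss both exceed the targets below.
    Incident("INC-002", datetime(2024, 2, 2, 22, 0), datetime(2024, 2, 3, 4, 0),
             datetime(2024, 2, 3, 6, 0), datetime(2024, 2, 3, 14, 0), timedelta(hours=6)),
    Incident("INC-003", datetime(2024, 3, 15, 13, 0), datetime(2024, 3, 15, 13, 15),
             datetime(2024, 3, 15, 13, 45), datetime(2024, 3, 15, 14, 30), timedelta(0)),
]

# Assumed organizational targets: restore service within 8 hours, lose at most 4 hours of data.
RTO = timedelta(hours=8)
RPO = timedelta(hours=4)


if __name__ == "__main__":
    report = summarize(SAMPLE_INCIDENTS, RTO, RPO)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Keeping the definitions of "detect", "respond" and "recover" in code, rather than in a spreadsheet that each analyst fills in differently, is what makes the numbers comparable across audit periods; the breach lists, not just the averages, are what an auditor will ask about.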
Demonstrate continuous improvement
Achieving cyber resilience demands an ongoing commitment. To be successful, organizations must continually improve their security programs. They can demonstrate this by doing the following:
- Scheduling cyber-resilience activities, including weekly security team meetings and regular patching, training, pen testing, audits, and policy and procedure reviews.
- Including continuous improvement activities in cybersecurity policies and other governance documents.
A willingness to improve shows that the business is making a long-term commitment to cybersecurity resilience.
Raise confidence through communication
Organizations should foster trust by providing regular communication on resilience activities to all interested parties. Demonstrate this by doing the following:
- Providing regular messaging that discusses how the organization addresses cyber-risks, threats and vulnerabilities.
- Implementing ways, such as a customer portal, for interested parties to view the organization's resilience activities.
- Surveying users on how well cybersecurity is being managed.
- Planning for how the organization will notify employees, customers and stakeholders when a cyberattack occurs.
Effective communication can increase confidence in an organization's cybersecurity capabilities while minimizing uncertainty.
Ultimately, the most effective way to demonstrate cyber resilience is to survive a real cyberattack. While ideally that never happens, a good alternative is to engage a third-party testing firm to "attack" the organization's security infrastructure. That firm should also evaluate the attack response and recommend ways to improve future responses.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.