Security leaders have been talking about the need for achieving cyber resilience for quite some time. However, with the surge in digitization efforts across industries, this has morphed into a new paradigm for organizations—to think beyond just prevention of breaches and invest in building capabilities to keep business operations up and running in the aftermath of attacks, be they major or minor.
Regulators and standard setters have moved in the same direction. In January 2020, the U.S. Department of Defense (DoD), traditionally the trendsetter for cybersecurity requirements, published the Cybersecurity Maturity Model Certification (CMMC) as a single, uniform set of requirements for DoD contractors and subcontractors. CMMC's resilience emphasis shows in its process maturity requirements, which are derived from the CERT Resilience Management Model (CERT-RMM). In 2018, the European Central Bank (ECB) launched TIBER-EU, the European framework for threat intelligence-based ethical red teaming. It is the first cross-border, multi-jurisdictional, multi-regulator initiative of its kind and has raised the standard of cybersecurity testing across Europe.
By drawing on regulations and frameworks such as CMMC, TIBER-EU and CERT-RMM, organizations are broadening their perspective on cyber resilience: balancing cybersecurity investment so that it buys both protection against attacks and the capabilities needed to keep operating after an attack succeeds. It is fair to assume that resilience management will become more central to cybersecurity across all industries going forward.
The path to cyber resilience starts with identifying, prioritizing and responding to the internal and external risks an organization faces. Quantifying those risks is what makes prioritization defensible: a ranked list of loss scenarios, expressed in money, can be compared against budgets and risk appetite in a way that a "high/medium/low" heat map cannot. Quantification of risk is not a new concept; financial services firms quantify the credit risk of their cardholders, banks quantify the risk of bad loans, and so on. When it comes to cybersecurity, however, only a few organizations practice Cyber Risk Quantification properly. According to Deloitte's 2019 Future of Cyber Survey, half of the participating C-suite executives said they use quantitative risk tools, while the other half still depend largely on the traditional approach: the judgment of their cybersecurity experts or maturity assessments.
Beyond prioritization, quantified risk figures support:
Communicating the risk exposure
Understanding risk appetite
Making cyber insurance purchase decisions
Gaining a competitive edge
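The following is an added illustration of what "quantified" risk looks like in practice; it is not code from the original article, Deloitte or any named framework. It takes a handful of constructed loss scenarios (names and numbers are invented for the example), estimates each one's annualized loss expectancy (ALE) and a 1-in-20 bad-year loss by Monte Carlo simulation, and ranks them. The per-scenario inputs are the two estimates a practitioner usually has to defend: how often the event happens (a Poisson rate) and how much one occurrence costs (a lognormal per-event loss, given by its median and spread). The simulated ALE is checked against the closed-form value so the simulation can be trusted before the numbers are shown to anyone.

```python
"""Monte Carlo cyber risk quantification (constructed illustration).

Scenario names and parameters below are invented for the example; they are
not taken from the article, any survey or any published framework.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected frequency (Poisson rate)
    median_loss: float      # per-event loss: lognormal median, in currency units
    sigma: float            # per-event loss spread in log space (uncertainty)

    def analytic_ale(self) -> float:
        """Closed-form annualized loss expectancy: frequency x mean per-event loss.
        The mean of a lognormal with median m and spread s is m * exp(s^2 / 2)."""
        return self.events_per_year * self.median_loss * math.exp(self.sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Simulate `trials` years; each year draws an event count, then a loss per event."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    mu = math.log(scenario.median_loss)  # lognormal mu is ln(median)
    yearly = []
    for _ in range(trials):
        n = _poisson(rng, scenario.events_per_year)
        yearly.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(n)))
    yearly.sort()
    return {
        "name": scenario.name,
        "ale": sum(yearly) / trials,             # expected annual loss
        "p95": yearly[int(0.95 * trials)],      # loss in a 1-in-20 bad year
        "p_any_loss": sum(1 for y in yearly if y > 0) / trials,
        "analytic_ale": scenario.analytic_ale(),
    }


def rank_scenarios(scenarios, trials: int = 20_000):
    """Rank scenarios by simulated ALE, highest first; each gets its own RNG seed."""
    results = [simulate(s, trials, seed=7 + i) for i, s in enumerate(scenarios)]
    return sorted(results, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios: frequency, median single-event loss, spread.
SCENARIOS = [
    Scenario("Phishing-led credential theft", 4.0, 50_000, 0.8),
    Scenario("Ransomware on file servers", 0.3, 1_500_000, 1.0),
    Scenario("Misconfigured cloud storage exposure", 1.0, 120_000, 0.6),
    Scenario("Insider data theft", 0.05, 3_000_000, 0.7),
]

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS):
        print(f"{r['name']:<40} ALE {r['ale']:>12,.0f}  "
              f"P95 {r['p95']:>12,.0f}  P(loss) {r['p_any_loss']:.2f}")
```

The ranking by ALE is what drives prioritization of controls; the P95 column is the figure that belongs in an insurance or risk-appetite conversation, because a low-frequency, high-severity scenario such as the constructed ransomware case has a bad-year loss several times its expected annual loss. Frequency and severity estimates should come from incident history, threat intelligence and control assessments, and the spread parameter should be widened, not narrowed, where the evidence is thin.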
To achieve cyber resilience, it is important to strike the right balance between people, processes and technology. A common mistake is over-dependence on tools and technology while neglecting well-informed, skilled people and well-designed processes. What organizations should strive for is bringing all three components together so that each reinforces the others.
People are often the easiest link in the cybersecurity chain for attackers to target. Cybersecurity is therefore everyone's responsibility, and every employee should know their role, their responsibilities and what they are accountable for.
To make the workforce cyber resilient, here are some key measures that organizations can undertake:
Having the right governance and strong processes in place is crucial for achieving cyber resilience. Speaking of governance, some of the best practices include
With regards to processes, organizations can put into practice a number of key measures for cyber resilience, including
Technology is a major enabler in the fight against cyber criminals and an essential pillar of cyber resilience, provided it is backed by the people and processes above. Key focus areas for organizations in this regard include:
It is close to impossible to build an impenetrable defense, since a single exploitable weakness can be enough for an attacker to breach an organization. Organizations can, however, take key measures to limit the damage and defend themselves against these attacks.
Today it is imperative for organizations to treat security policies and practices as the foundation of their overall risk management strategy. They must also comply with the laws and regulations that govern how they protect information assets. Network and systems administrators alone cannot protect corporate systems and information; the onus falls on the organization as a whole. All of these factors point to the need for a Computer Security Incident Response Team (CSIRT).
The CSIRT is the center of information security incident management and response in an organization. Establishing one enables the organization to respond quickly to increasingly sophisticated and complex incidents. Maintaining a CSIRT program lets the organization identify and address weak areas through both reactive and proactive measures, safeguard critical assets, build trust and confidence, and foster a culture of security across the business and the industry.
Cyber crime poses a serious threat to businesses, and the absence of a mature cyber resilience program can put an organization in jeopardy. These threats are not going to let up. While organizations cannot always prevent an attack, an effective cyber resilience strategy ensures a quick response, which can be decisive in minimizing financial damage and protecting the business and its reputation.