Better Evaluation of Risk, Improved Response, and Continuous Improvement
From the beginning of the cybersecurity issue, the industry has been focused on defending against and responding to the latest threat to knock on the door of the business, trying to find better tools, technology, and processes to get ahead of the next attack, and striving for the goal of a proactive defense. While this has led to effective defenses, it has not “fixed the glitch”. Recent Harvard Business Review research from May of 2023 points out that:
Preparedness is an important word to use when we think about cyber resilience vs cybersecurity. Preparedness allows us to consider not only what we are configured to defend and respond against, but more importantly how are we going to respond and recover from things that we were unsuccessful in stopping? Cyber resilience is based on being proactive in dealing with the impact of a bad day in cybersecurity and the planning and testing of resilience steps to recover and bring the business back into operation as quickly as possible.
Stopping the Bad
Cybersecurity has always been focused on “stopping the bad thing from happening.” The trouble is that this method doesn’t always work. In our ever-changing and advancing world, bad things proliferate, and defenses advance, but generally not at the same speed. It’s been said that defenders have to be right all the time, but attackers only have to be right once to be successful.
Cyber resilience is the admission of this fact, and the recognition that while we can prevent many attacks from being successful, we need the capability to anticipate and prepare for successful attacks, weather attacks with a minimum blast radius, and ultimately learn something, to improve our cybersecurity posture to ensure that the next attack does even less damage than the one before.
A cyber resilient enterprise is one that understands their business relies on the understanding and preparation of their cyber and IT infrastructure. They have identified the magnitude of risk to their business that interruptions in that infrastructure represent, and they are focused not simply on prevention, but on minimizing the impact of what they cannot prevent, and planning their response or remediation to the issues that get through.
The Deepwatch commitment to cyber resilience includes not only responding to cyber threats, but also actively preparing and equipping organizations to withstand, adapt, and thrive in the face of evolving security challenges. Proactive cyber resilience encompasses a holistic approach that combines advanced technology, expert analysis, strategic planning, and continuous improvement.
The Cyber Resilience Journey
Resilience is a concept we understand in other areas of our lives. Businesses seek resilience in the face of recession or fickle consumers. Many seek resilience against the declines inherent in aging. Our structures are built in different areas of the country to be resilient against the prevalent weather threats for their area – hurricanes, tornados, earthquakes, blizzards, extreme heat, extreme cold, and the like. Deepwatch is the measured, managed path to cyber resilience for our customers who recognize this same approach is appropriate for their business.
Cyber resiliency, as defined by NIST, is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources (source: NIST SP 800-160). The Deepwatch Managed Security Platform™ delivers on each of these four pillars of cyber resilience.
As we review the market, we are seeing different organizations attempt to operationalize the concept of cyber resilience. Recently, Kumar Avijit from the Everest Group broke cyber resilience down into “5 Rs”: Read, Respond, Recover, Reinforce, and Revamp.
The Three Pillars of Cyber Resilience
While I agree with Mr. Avijit, I think we can talk about, and start to measure, cyber resilience based on three pillars.
Better Evaluation of Risk
- Internal, External, System and Business Risks
- Go beyond prioritization based on scan results
- Dynamic alerting and prioritization based on internal and external context
- The right action at the right time. Automation is critical, but so is understanding the risk of taking an action. Planning and executing the combination of active responses needed, along with policy changes, that enable preventative defenses.
- Precise mix of policy-based, automated, and human-enabled responses
- Active response capability beyond the detection point
Based on these three pillars, Deepwatch charts the security journey a company will need to take to enable cyber resilience. Companies are at different security maturity levels and have a security posture that leans more toward detection than toward proactive measures. We need to understand where the cybersecurity program sits, what its direction is, and what buy-in it has from the business.
Deepwatch is different in that we understand, and can demonstrate, that there is a diminishing curve for security from a cost and business operations perspective. It is a delicate balance to strike between the right budget, with the right tools, security and business capabilities, and the right expectations from both security and the business.
Once we review the current state of the security program and help a customer to understand their risks and response capabilities, we can start working on the improvement of the response plans, the processes, and communication.
Why Focus on Cyber Resilience Now
Attacks aren’t getting easier to detect and stop at the gate. We constantly hear that the attack landscape is expanding and getting more and more complex. As we continue to interconnect our devices and our world, the overlap and the threat surface continue to expand.
The security market is also starting to mature towards the understanding that despite our best efforts, bad things are going to continue to happen.
If we can stop humans from making mistakes, then we can be secure. However, we all know this isn’t going to happen. So the time has come to start looking at the response and coordinated efforts necessary to identify, triage, enrich, value, and respond after an event happens.
Security tools have always been looked to as the fix for any security problem. In today’s market the average company invests in more than 70 tools for enterprise security.
The market has also reached a point technically, through automation and advanced detection capabilities, that responses can now be taken without a human in the loop. This is an incredible capability, but has shown the cracks in the system around trust of the actions and the core requirement of “do no harm” from a business standpoint.
Cyber Resilience Starts with Awareness
We have reached a point in our industry where cybersecurity decisions are key to the health of any organization. This means that, while we can still define our roles as “securing the company” when asked what we do, additional information and ways of asking the question are starting to change. In order to answer these questions where they originate, security leaders must take their cases to senior decision-makers in the company, to discuss risk and expectations with executive and board members.
Cyber resilience provides a measured way to have those conversations and to enable different business stakeholders to communicate and to improve security posture. In a future blog Deepwatch will discuss the outcomes that can be created through improved cyber resilience, moving beyond security. Think about your company’s response capabilities, the level of trust in the organization, and how preventative you could be when thinking about security across the different organizations in your business. Cyber resilience is not a tool, or a specific piece of technology. It is a journey that leads toward managed and improved outcomes.