Rick Howard: The word is: resiliency
Rick Howard: Spelled: R for robustness, E for elasticity and siliency because I got tired of finding synonyms for the word resiliency for all the letters that make up the word.
Rick Howard: Definition: The ability to continuously deliver the intended outcome despite adverse cyber events.
Rick Howard: Example sentence: The bottom line is that network defenders can use resiliency tactics associated with identify, protect, detect, respond, and recover to reduce the probability of material impact to our organizations.
Rick Howard: Origin and context: As a concept, ASIS International coined the phrase cyber resilience as early as 2009, but it was really describing what turned out to be business continuity. In 2010, the US Department of Homeland Security identified resilience in cyberspace as the ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.
Rick Howard: The World Economic Forum formalized a cyber resilience definition in 2012: the ability of systems and organizations to withstand cyber events. Since then, other thought leaders have refined it. US President Obama even signed a presidential policy directive dictating resilience for the country's critical infrastructure in 2013. In 2017, the International Standards Organization, ISO, published this definition: the ability of an organization to absorb and adapt in a changing environment, to enable it to deliver its objectives and to survive and prosper. Then in 2019, NIST standardized the definition of cyber resilience as the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. NIST also states that the cyber resilience discussion is predicated on the assumption that adversaries will breach defenses. This statement is often overlooked and not understood. Cyber resilience is not about protecting the system and preventing the adversary from breaching your systems; it means assuming the system is or will be breached, and figuring out what you need to do to continue your mission after the fact.
Rick Howard: So the definition I like best comes from two Stockholm University researchers in 2015, Janis Stirna and Jelena Zdravkovic. They define it this way: the ability to continuously deliver the intended outcome despite adverse cyber events. In other words, assume that the bad guys will successfully negotiate the intrusion kill chain and find a weak spot in my zero trust armor, or, in general, assume that there will be a massive IT failure at some point in the future. Then devise a strategy to ensure that your organization's essential services will still function.
Rick Howard: Nerd reference: The difference between merely surviving a catastrophe and demonstrating resilience in the wake of one can be found in two science fiction classics, Terminator and Terminator 2: Judgment Day. In the first movie, Skynet, the artificial intelligence that took over the world, designed the first Terminator robot, played by Arnold Schwarzenegger.
Arnold Schwarzenegger: I'll be back.
Rick Howard: For survivability, Arnold was loaded with various functions to identify, protect, detect, and respond to ensure that he would survive and be able to defend himself. However, as he accumulated damage, he began to lose functionality. By the end of the movie, he couldn't perform any of his tasks, but he was surviving. In the second movie, Skynet designed the new and upgraded Terminator 2 robot, played by Robert Patrick, to be resilient. He was leaner, smaller, and could anticipate, withstand, recover from, and adapt to attacks. His body would absorb the bullet and heal if he was shot. He could take the damage and continue to perform his higher order functions. That's resilience.
Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Pelzman. Thanks for listening.