CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.
Resilience.
When the pandemic began, organizations faced a sudden change to their environment that prevented business as usual. Organizations adapted to remote work out of necessity. When CrowdStrike erroneously pushed out a flawed update, organizations faced a sudden change to their environment that prevented business as usual. Organizations adapted and applied the necessary fixes automatically or manually. And every time an organization is hit with a ransomware attack that is not blocked, organizations are faced with a sudden change to their environment that prevents business as usual. Mitigations and remediations are vital in order for the organizations to get up and running again.
In all of these situations, the rate at which an organization goes from not operating adequately to operating again depends on the organization’s resilience. That is why the topic of resilience needs to be front and center for organizations of all sizes. And that is why resilience is the topic of our discussion today.
What is resilience?
Broadly speaking, from a business perspective, operational resilience is the ability for an organization to readily adapt to a change in its environment. What this comes down to in practice is the ability to continue to function and provide essential services during and after disruptions. When we talk of resilience on a holistic level, that encompasses all the activities necessary to prevent, respond to, recover, and learn from operational disruptions.
Operational resilience encompasses adapting to both physical and cyber changes. For this conversation I’m going to focus specifically on cyber resilience because in today’s society, most physical environments come with a technology/cyber component. We saw this clearly during the pandemic. Physical offices were closed, and that necessitated adapting from a cyber perspective. The same can be said for other physical situations such as natural disasters. If a physical location is not functional because of a hurricane, earthquake, or tornado, technology/cyber operations need to happen elsewhere for all but a handful of types of businesses, because technology is the underpinning of our society today.
So I’m going to discuss the core element of resilience: cyber resilience. This fits nicely with my background, as I’ve been in the cybersecurity industry for 20 years now, so I have been looking at business operations through the cyber lens for a very long time.
Why does cyber resilience matter?
In some ways cyber resilience is akin to business Darwinism. Generally speaking, the organizations that can better adapt to changes to their technology environments will fare better than those who struggle or fail to adjust. The resilient ones are able to either continue operations during technology disruptions or readily recover and resume operations when an event occurs. Their financial and reputational losses are minimized to the extent possible and the business remains a going concern.
This is in stark contrast to the businesses that have significant downtime and face serious consequences as a result. According to Veeam, up to 60% of small businesses fail after a successful cyberattack due to the losses from business interruptions and the costs of recovering data.
For most businesses today, cyber resilience is an imperative.
Who owns the responsibility for cyber resilience?
This tends to be a difficult question to fully answer in many organizations because many of the requisite responsibilities are shared among IT, Infrastructure, and Security.
Certainly, when it comes to security issues, it is the cybersecurity team that identifies what is a concern that can lead to a major disruption in operations should a successful cyber attack occur. But then it is often the IT or Infrastructure or Cloud or Networking team that has the responsibility of doing the work to address the security concern, whether it’s patching a vulnerability, fixing a misconfiguration, or the like.
Similarly, when there is a cybersecurity incident, it is the security team who does the response and investigation work. But often the recovery process, such as restoring data from backups, falls under the purview of the IT team.
Additionally, there are standard IT complications – servers going down, Internet connections going down, etc. – which don’t have a cybersecurity cause and squarely reside in IT’s lane.
So often cyber resilience is a shared responsibility jointly held by the CIO and CISO. Sometimes the CIO and CISO are peers in the reporting structure, but often the CISO reports to the CIO. However, there is some movement towards flipping that paradigm so that the CIO reports to the CISO. I recently posted about this on LinkedIn and was surprised to learn that the concept is gaining traction in some organizations.
What are the challenges to achieving cyber resilience?
Firstly, for many organizations the biggest challenge to achieving cyber resilience is the complexity of their technology environments. They have on-premises and cloud assets. The cloud assets can be in multiple clouds and are in a highly dynamic state of being created and torn down. They may have operational technology (OT) assets, Internet of Things (IoT) assets, and often have unmanaged (shadow IT) assets as well.
Additionally, there is often a spectrum of assets that organizations must contend with, from legacy systems that are outdated or end of life but cannot easily be extricated from operations to new technologies such as AI models that bring a novel set of security concerns that are not fully understood or addressed. This complexity tends to only increase as the business grows.
Secondly, a lack of resources is often a major obstacle to cyber resilience. When an organization is having a difficult time making ends meet, it is not going to focus on what would happen if there is a problem. Even when an organization has sufficient funds, it doesn’t mean that cyber resilience is a priority. As a result, it is common to see organizations that lack the talent needed to plan and implement cyber resilience strategies and/or lack the technologies that make cyber resilience possible.
Thirdly, there is the challenge to cyber resilience that we cybersecurity folks understand all too well: cyber incidents are a primary cause of disruption and cyber threats are growing in intensity. Cyber attacks are happening at a greater frequency; the sophistication of attacks is continually growing; and the sheer number of threat actors is expanding.
Fourthly, the organization’s dynamics can be an impediment to cyber resilience. To build an effective cyber resilience program requires strategy, planning, and implementation. If there isn’t support and buy-in from senior leadership, or there is not a clearly defined set of roles and responsibilities for IT versus security, the organization will face an uphill battle in making its cyber resilience initiatives successful.
What is needed for success in cyber resilience?
Here is a simple, straightforward guide to how you can make cyber resilience work in your organization:
#1: It starts with the tone at the top. There must be support from your senior leadership that is demonstrated to the entirety of the organization. This includes delineating who is responsible for each element of the cyber resilience program.
#2: Identify what your critical functions are. This means knowing which assets and systems must be running in order to continue critical operations, generate revenue, and/or achieve missions. If you do not have this crucial set of information, you are setting yourself up for failure. Granted, this is often a very challenging process, especially for large businesses, and many organizations resort to manual procedures, such as interviews and surveys, to obtain this information. But there are technologies that can accomplish this as well. (Full disclaimer: my startup, KeyCaliber, provides this technology.)
#3: Devise your plans. There are several essential documents for cyber resilience: your business continuity/disaster recovery plans and your incident response plans for both security and IT incidents. These must be drafted with the knowledge of the critical functions and any regulatory compliance that applies, and they must remain as “living” documents that you revisit and refine as necessary. Both the Security and IT teams need to know these two documents. Yes, this is a step in the direction of breaking down the silos that Security and IT often reside in.
#4: Modify (or build) your Security and IT programs according to the specifications of your organization’s cyber resilience needs. This means that all of the critical functions identified in step #2 become your key priorities. Make sure that you have proper backups of all your critical assets and systems and that you can quickly and easily access the backups in the event of a cybersecurity or IT incident. Make sure that you are effectively applying security controls to your critical assets and systems. This can include implementing zero trust and ensuring that they are covered by prevention, detection, and response technologies such as vulnerability scanners, EDRs, firewalls, etc. And make sure that the Security and IT teams are aware of the critical assets and systems, so that when they see an alert or notification related to one of these assets, they know that it is a high priority, a “SEV 1” as I’ve heard it called in IT circles, and they can respond accordingly.
#5: Learn and iterate based on real-world or tabletop testing. The best way to determine whether your plans are solid is to put them to the test. Ideally this is done in a controlled situation, such as a tabletop exercise, but in some cases the testing will happen while you’re in the midst of an incident. In either case, spend time reflecting after the fact to figure out what could have been done better so that you are more prepared for future incidents. Then go back to step #2 with this newfound knowledge and work through the steps again up to this point. As the basic tenets of Darwinism stipulate, surviving and thriving are based on the ability to evolve.
Key Takeaways
As is the case with most aspects of cybersecurity, cyber resilience is a journey. No organization will be able to achieve it overnight. It will take significant internal support, talent, and perseverance to bring it to fruition. But it is achievable. And just the process of moving in the right direction helps to bridge the gap between cybersecurity operations and business operations. Of the three components of the security triad, which are confidentiality, integrity, and availability, it is availability that is most salient and most clearly linked with business needs. So by focusing on availability, with cyber resilience at the forefront, the cybersecurity program is making its business case and showing its value. And that is key for any program to get the resources it needs to be successful.