An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.
Building resilience into your cybersecurity strategy.
Navigating new and increasingly challenging cyber threats against the backdrop of an ongoing global pandemic, while facing the great resignation impact, sounds like a work of fiction—but for many, it’s a reality. The unfortunate truth is that many companies will likely continue to face escalating threats this year and for years to come, as cybercriminals become more creative and sophisticated. The only way to combat these threats is to meet them with equal creativity, sophistication, and most importantly, resilience.
The importance of resilience, the ability to withstand and recover from challenges, was introduced to me long before I joined PwC. It’s something that each of us innately knows, and we develop a greater appreciation for and application of through life experiences—both personal and professional. Being able not only to withstand and recover from challenges, but also to grow and persevere in the face of stressors and changing demands, has always been a central skill I have nurtured throughout my career. For example, I initially learned a great deal about resilience during my time in the U.S. Air Force. From meeting physical and mental challenges during basic training, to learning new skills requiring me to engage equally with service members from different backgrounds, resilience was a core building block throughout that experience. And, over the last two years, all of us have needed to be resilient in this once-in-a-lifetime situation: to home-school our children, to work remotely and to care for loved ones—and all too often—all three simultaneously.
Increasingly, companies engage with consulting firms to develop robust cybersecurity strategies to build resilience and combat challenges such as third-party vulnerabilities, to ward off ransomware attacks and to adapt to an increasingly virtual and digital workplace. In fact, chief executives in North America and Western Europe just named cyber threats as the top risk to business prospects for this year, according to PwC's 2022 Global Digital Trust Insights Survey. When the pandemic hit, companies had to go to a 100% virtual work environment overnight and some companies were more prepared than others. Now, with those lessons learned, business leaders are moving towards the adoption of resilience-centric cybersecurity strategies. PwC’s survey reveals that 40 percent of executives are planning to increase resilience testing in 2022 to prepare their critical business functions to survive disruption.
To account for impending cybersecurity risks, companies may adopt a “resiliency by design” strategy, building it into their end-to-end security, from development to operations. This creates a shift from haphazardly putting out fires as they arise to a holistic approach that anticipates risks and systematically embeds resilience into their core processes, ultimately providing a strategic advantage. The following are important to consider for your “resilience by design” strategy:
- Anticipate disruptions with a broad understanding of current and emerging risks to create a state of informed preparedness in case of compromise.
- Simplify and streamline cybersecurity processes to reduce the difficulties in creating urgency around combating cyberattacks.
- Prepare response procedures in case of a disruption to continue and restore critical functions.
- Conduct “retrospects” to leverage knowledge from previous disruptions to enhance resilience and reduce adverse impacts in the future.
- Nurture and train a diverse and collaborative workforce with unique perspectives and experiences to create the innovative strategies needed to combat ever-changing cyber threat actors.
To expand on the final point, with the talent demand higher than supply, grow talent from within while also recruiting a diverse and collaborative workforce. According to our 2022 U.S. Pulse Survey, 77% of executives say hiring and retaining talent is their most critical growth driver in 2022. This trend is even more prominent among CROs and risk management executives, with 75% of them identifying hiring and retaining talent as vital for their organization—and failure to do so as a significant threat to their business. With the recent jobs report finding that there are four million more jobs on the U.S. market than there are unemployed workers, it is time for companies to think outside the box—to retain and attract a more diverse workforce than ever before to become tomorrow’s cybersecurity professionals.
Diverse professionals can bring resilience, unique perspectives and unprecedented innovation that are proven to strengthen businesses, bringing them closer to their goals. A talent pool that has not yet been fully activated is one for which I continuously advocate: the female workforce. Women are still underrepresented in the cybersecurity industry, currently making up just under a quarter (24%) of the workforce according to this research from (ISC)².
As companies explore creative ways to meet the talent challenge and create a more diverse and inclusive workplace, there are opportunities to build more female leaders into the succession planning pipeline. When I joined PwC’s cyber team in the late 1990s, I joined with four other women out of ten new team members, and we strive to keep that balance and make it better. Retention is another opportunity, evident when PwC provided supplementary child care reimbursement to help support parents as they balance their work life and build resiliency. Providing women, including those in the cybersecurity industry, with equitable opportunities and the support and resources they need to advance in their careers is of the utmost importance to build the workforce of the future and address the talent gap. Adding and retaining female leaders in cybersecurity can greatly benefit the industry, which is why I am so passionate about it and am committed to making it happen any way I can.
In conversations I’m having with others, I hear an increased interest in being proactive rather than reactive. By adopting a “resiliency by design” strategy, companies can learn from the pandemic experience, and potentially recover and protect against cyber threats with unprecedented innovation through bringing together proactive and diverse perspectives.