
A 5-step blueprint for cyber resilience


Cloud computing, remote work, and software as a service have transformed how we do business. But this rapid pace of innovation has left many companies unready for large-scale digital systems failures, regardless of whether that failure is caused by a cyberattack, a natural disaster or human error.

Just how dependent is your organization on computers, networks or the internet? Would you be able to conduct business if you couldn't use those services? If they went down, how long would it take you to get back up and running?

Planning ahead for such scenarios and making sure that you can quickly restore access to essential servers, endpoints, networks and cloud services is the essence of cyber resilience.

Cyber resilience is an organization's "ability to recover from an unexpected interruption," says Theresa Lanowitz, Chief Cybersecurity Evangelist and Head of Thought Leadership at LevelBlue, a managed security service provider jointly operated by AT&T and WillJam Ventures. "It requires all the stakeholders in the organization to come together to collaboratively work on a problem."

Getting past the obstacles and choke points that make it hard to recover from a systems outage is just the first step toward achieving cyber resilience.

Your company also must include cybersecurity in its budgets and plans, make sure that its cybersecurity and IT investments fit the organization's goals, be willing to accept help from outside consultants and service providers, and remain flexible and current with its cybersecurity and IT software, hardware and processes.

"Achieving cyber resilience is paramount for businesses striving to safeguard their operations against the relentless onslaught of cyber threats," says the most recent LevelBlue Futures Report.

Getting there will take self-examination and perhaps a reassessment of the organization's mission. For example, your company's leadership must ask itself which systems and processes must be restored first after an outage, and which can be lower priorities.

"How would you rate your organization on cyber resilience?" asks Lanowitz. "What does a cyber resilient organization look like? What characteristics would you the reader attribute to a cyber resilient organization?"

Here are five steps that will help answer those questions.

1. Identify the barriers to cyber resilience.

Does your organization monitor all its digital assets, including virtual machines, cloud instances, applications and endpoints? Does it have a plan for when some or all of them go down?

"When we ask organizations about visibility into the IT estate, most of them have very low visibility," Lanowitz says. "They don't understand their attack surface."

In a poll of 1,050 C-suite IT executives and senior managers for the LevelBlue Futures Report, almost two-thirds of respondents said cybersecurity in their organizations was "an afterthought" or "siloed," or that "there's a lack of understanding about cybersecurity at the board level."

Cybersecurity budgets often grow only after an attack, while recommended proactive measures are ignored. Executives who do understand cybersecurity may be working at cross-purposes.

"There's a big disconnect between the CIO, the CTO, and the CISO," Lanowitz says. "The CTO is all about innovation and doesn't really put much emphasis or focus on risk. The CIO is assuming that everybody else is managing risk, and the CISO is the one who's saying, 'No, you can't do this.'"

Another issue: Company leaders don't understand the difference between cyber resilience and cybersecurity.

"Many people in the organization think that cyber resilience is cybersecurity, and they're unwilling to fund it because they already think that it's being funded," says Lanowitz.

Different parts of the organization also need to break out of their siloed mentalities and learn to work with other teams toward a common goal.

"When there's a cyberattack or a natural disaster or some sort of man-made event inside of your IT system, you're not only looking at one team," says Lanowitz. "You're saying, all right, the cybersecurity team may have identified the issue, but we have to bring in the development team, the operations team, the networking team."

To overcome these obstacles, organizational leadership must promote cyber resilience, and that can only be done after the top brass understands the importance of the concept.

But in the meantime, conduct an inventory of all IT assets, and then evaluate and rank each item according to its importance to the business and the potential impact if it were to be taken offline. External assessors or penetration testers can help find hidden assets.
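As an added example (not from the article or from LevelBlue), the asset inventory and ranking described above can be kept as structured data and turned into a recovery order. The scoring model, the 1-to-5 scales, the `depends_on` field and the sample inventory below are all assumptions; the point it demonstrates is that ranking by business importance alone is not enough, because a low-profile dependency such as an identity service must come back before the high-value systems that rely on it.

```python
"""Rank IT assets and derive a dependency-aware restore order.

Added illustration, not the article's or LevelBlue's method. Assumptions:
importance and outage_impact are scored 1 (low) to 5 (critical); the raw
score is their product; an asset's *effective* score is the highest score
among itself and everything that transitively depends on it; restoration
picks the highest effective score whose dependencies are already restored.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    name: str
    kind: str                      # "vm", "cloud", "app", "endpoint", ...
    importance: int                # 1 (low) .. 5 (critical) to the business
    outage_impact: int             # 1 (minor) .. 5 (severe) if taken offline
    depends_on: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.importance * self.outage_impact


def _check(assets: List[Asset]) -> None:
    names = {a.name for a in assets}
    if len(names) != len(assets):
        raise ValueError("duplicate asset names in inventory")
    for a in assets:
        if not (1 <= a.importance <= 5 and 1 <= a.outage_impact <= 5):
            raise ValueError(f"{a.name}: scores must be between 1 and 5")
        for d in a.depends_on:
            if d not in names:
                raise ValueError(f"{a.name} depends on unknown asset {d!r}")


def ranked(assets: List[Asset]) -> List[str]:
    """Names ordered by raw score, highest first (the naive ranking)."""
    _check(assets)
    return [a.name for a in sorted(assets, key=lambda a: (-a.score, a.name))]


def effective_scores(assets: List[Asset]) -> Dict[str, int]:
    """Propagate priority downward: a dependency inherits the best score of
    anything that rests on it. Raises ValueError on a dependency cycle."""
    _check(assets)
    by_name = {a.name: a for a in assets}
    dependents: Dict[str, List[str]] = {a.name: [] for a in assets}
    for a in assets:
        for d in a.depends_on:
            dependents[d].append(a.name)
    eff: Dict[str, int] = {}
    visiting = set()

    def visit(n: str) -> int:
        if n in eff:
            return eff[n]
        if n in visiting:
            raise ValueError(f"dependency cycle through {n!r}")
        visiting.add(n)
        best = by_name[n].score
        for child in dependents[n]:
            best = max(best, visit(child))
        visiting.discard(n)
        eff[n] = best
        return best

    for a in assets:
        visit(a.name)
    return eff


def restore_order(assets: List[Asset]) -> List[str]:
    """Order in which to bring assets back: highest effective score first,
    but never before the assets it depends on."""
    eff = effective_scores(assets)
    by_name = {a.name: a for a in assets}
    remaining = set(by_name)
    order: List[str] = []
    while remaining:
        ready = [n for n in remaining
                 if not set(by_name[n].depends_on) & remaining]
        if not ready:  # unreachable after the cycle check, kept as a guard
            raise ValueError("no restorable asset; cyclic dependencies")
        ready.sort(key=lambda n: (-eff[n], -by_name[n].score, n))
        order.append(ready[0])
        remaining.remove(ready[0])
    return order


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    Asset("customer-portal", "app", 5, 5, ["identity-provider", "orders-db"]),
    Asset("identity-provider", "cloud", 3, 3),
    Asset("orders-db", "vm", 4, 5, ["storage-san"]),
    Asset("storage-san", "infrastructure", 2, 4),
    Asset("payroll", "app", 4, 3, ["identity-provider"]),
    Asset("wiki", "app", 2, 2, ["identity-provider"]),
    Asset("dev-laptops", "endpoint", 2, 1),
]

if __name__ == "__main__":
    print("ranked by raw score:", ranked(SAMPLE_INVENTORY))
    print("restore order:      ", restore_order(SAMPLE_INVENTORY))
```

On the sample inventory the raw ranking puts `customer-portal` first and the identity provider fourth, but the restore order starts with `identity-provider` and `storage-san`, because nothing above them can come up until they do. A real exercise would feed this from the asset discovery tooling rather than a hand-written list.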

"A lot of organizations, they don't even know what their barriers are," says Lanowitz. "They don't know what cyber resilience is. And if they don't know what cyber resilience is, they can't really identify the barriers."

2. Be secure by design.

Most software developers know they should build security into their code and applications. Many claim to practice developer security operations, or DevSecOps, by testing software for security flaws at every stage.

At least that's the theory. In reality, developers are under constant pressure to get software into production, and DevSecOps can be an impediment to meeting deadlines.

"You hear all these people saying, 'Yes, we're doing DevSecOps,' but the reality is, a lot of people aren't," says Lanowitz. "If you're really focused on being secure by design, you're going to want to do things right from the beginning, meaning you're going to want to have your network architecture correct, your software architecture correct."

To achieve cyber resilience, cybersecurity needs to become part of all of the company's planning and budgeting discussions so that its inclusion becomes second nature. It also must be part of all software development and IT hardware implementation.

"Take a look at your organization's computing needs and embed security from the beginning," Lanowitz recommends. "Security is not an afterthought."

3. Align cybersecurity with the organization's business goals.

All too often, cybersecurity personnel are naysayers who tell members of other teams that a procedure shouldn't be done, or that an innovation shouldn't be tried.

That needs to be flipped around. Cybersecurity teams should help their colleagues understand why certain methods are dangerous and then offer safer alternatives. They should help rather than hinder the business in achieving its overall goals, communicate better with other teams and help raise the organization's security posture.

"We have to be able to speak the language of the business," says Lanowitz. "Break down the silos that exist in the organization, get the cyber team and the business team talking, [and] align cybersecurity initiatives with overarching business initiatives."

Again, executive leadership needs to point the way, but it often needs convincing. Compliance is a great place to start, because most industries have rules, laws, or insurance providers that mandate a basic level of cybersecurity. Explain to the CEO how the right cybersecurity measures can satisfy regulators and lower insurance premiums, and the rest of the organization will follow.

"New compliance conditions is one of the things that is going to trigger cyber resilience," says Lanowitz. "From the leadership on down, you have to set the agenda that says cyber resilience is something that we're concerned with."

4. Build a support ecosystem.

One thing you quickly learn in cybersecurity is that there's always more to learn. It's not possible for one person, or even one team, to know everything or to keep up with all the latest developments.

The more eyes you have on a cybersecurity problem, the more quickly a solution can be found. Because of this, even large companies rely on external managed service providers (MSPs), managed security service providers (MSSPs), managed detection and response (MDR) providers, consultants and advisors.

Sometimes those external services are just covering nights and weekends when the in-house SOC team is understaffed. But increasingly, they're offering expertise and experience that the organization's own people may not have.

The LevelBlue survey found that "40% or more organizations rely on external experts for strategic planning, security architecture, and data management." Thirty-two percent of respondents used outside services to partly or entirely cover their cybersecurity needs.

Like them, your company should foster a network of firms and individuals that you can rely on for advice and guidance in cybersecurity, IT management and cyber resilience.

"[Get] consulting organizations to come in and run red-team, blue-team exercises, do crisis-prevention scenarios, crisis-management scenarios," Lanowitz recommends. "That brings you expertise. It brings you people who have done this before."

5. Energize your cybersecurity strategy.

To keep your organization cyber resilient, remember this essential rule of cybersecurity: The game is always changing. The bad guys are always finding new ways to attack. Defenses, countermeasures and protections quickly go obsolete. And both sides rush to take advantage of new technologies.

Your cybersecurity strategy, and your company leadership, must be flexible, alert and ready to redirect money and resources where they're needed.

"[Make] sure that you understand what new types of threats are coming, what new types of technology they're using," says Lanowitz. "Regularly update your tools and capabilities to meet the demands of that evolving attack surface."

Key to this adaptability is a proactive security approach. Don't wait for the next attack to come before you act. Prepare for the attack ahead of time, and you'll recover much faster even if you can't completely block it. When your CISO says there's a new threat the company should guard against, pay attention.

"By prioritizing cybersecurity as a fundamental business dependency and embracing a proactive approach to risk management," says the LevelBlue Futures Report, "businesses can navigate the complexities of the digital landscape with confidence and agility."

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
