Over the past decade, the workplace IT landscape has been transformed. Employees regularly work remotely, applications and databases have moved to the cloud, and identity has replaced the network perimeter as the front line of defense against cyberattacks.
As a result, the modern organization's IT estate — the entirety of its digital and computing assets and systems — is no longer confined to a static, physically circumscribed network, but has become dynamic and boundaryless.
This has created opportunity, efficiency and innovation. It has also drastically raised the risks of digital compromise or system failure as users and defenders scramble to keep up with the pace of change.
Because of these elevated risks, organizations must bolster their cyber resilience, their ability to quickly restore their IT estates and recover from a paralyzing outage. To achieve this, they must include the concept of cyber resilience in their budgeting, their planning and their business philosophies.
"Securing dynamic computing requires new thinking," says the most recent Futures Report from LevelBlue, a managed security service provider jointly founded by AT&T and WillJam Ventures. "Organizations need cyber-resilience strategies to recover from large-scale DDoS attacks, business email compromise, and attacks executed by state-sponsored threat actors as well as man-made and natural disasters."
How cyber resilience differs from cybersecurity resilience
Despite the similarity of the terms, cyber resilience is not the same as cybersecurity resilience.
"Cyber resilience [is] something that focuses on the entire IT estate and includes the business as it pertains to computing and its ability to recover from an unexpected interruption," says Theresa Lanowitz, Chief Cybersecurity Evangelist and Head of Thought Leadership at LevelBlue. "Cybersecurity resilience just focuses on the cybersecurity estate and the ability to withstand and recover from cyber specific threats and attacks."
In cyber resilience, it doesn't matter whether the cause of the unexpected interruption is a ransomware attack, a power blackout or an earthquake. What matters is the preparation and the response that allows the organization to quickly get back to normal business.
Cybersecurity resilience is a subset of cyber resilience. Quick recovery from a cyberattack demonstrates both cybersecurity resilience and cyber resilience, while quick recovery from a natural disaster or blackout demonstrates only cyber resilience.
Of course, the differences blur when you're scrambling to get all systems back online.
"When there's a cyberattack or a natural disaster or some sort of man-made event inside of your IT system, you're not only looking at one team," Lanowitz says. "You're not just looking at the cybersecurity team. You're saying, all right, the cybersecurity team may have identified the issue, but we have to bring in the development team, the operations team, the networking team."
Today, almost every business relies heavily on computing and their cyber resilience is a top concern, although some company leaders may not realize it. A generation ago, most industries were far less dependent on digital systems and most companies could function if their telephones, copiers and fax machines still worked.
That's no longer the case. Systems going offline will paralyze manufacturing, logistics, distribution, inventory and billing, whether your organization sells paper clips or it builds websites.
The best practices of cyber resilience owe much to cybersecurity. Incident response, playbooks for likely scenarios, dry runs, backup systems, remediation plans — all these are familiar to cybersecurity practitioners. Cyber resilience takes these concepts and extends them to cover the entire company.
Obstacles that get in the way of cyber resilience
To move forward with cyber resilience, you first have to explain to the company leadership exactly what it is and distinguish it from cybersecurity resilience. Lack of understanding is the first obstacle to overcome.
"Many people in the organization think that cyber resilience is cybersecurity," notes Lanowitz. "They're unwilling to fund it because they already think that it's being funded."
For its 2024 Futures Report, LevelBlue conducted a survey of 1,050 C-level and senior executives across seven industries in 18 countries. The results revealed a startling amount of confusion and lack of clarity about how technology was used in their organizations.
While 85% of respondents agreed that digital innovation creates more risk, 74% admitted that cyber resilience was not a top priority in their organizations. Seventy-five percent said that complying with regulations was impossible because it relied on unobtainable information, and 67% said it wasn't clear who was responsible for cyber resilience in their companies.
Credit: LevelBlue
"When we asked organizations about visibility into the IT estate, most of them have very low visibility," Lanowitz says. "And if they have low visibility into their IT estate, that means they don't understand their attack surface."
This lack of comprehension doesn't dampen the C-suite's appetite for risk. Seventy-four percent of survey respondents said that implementing the latest technologies outweighed the increased risks those innovations might bring, and 79% agreed that "our organization must accept some uncertainty when it comes to cyber threats."
Breaking the barriers
Cyber resilience may not be able to end uncertainty, but it can certainly lessen risk. Unfortunately, it's generally harder to achieve cyber resilience than it is to achieve cybersecurity resilience.
To make sure your cybersecurity systems are hardened and ready, you need to spend more money. A bigger budget lets the cybersecurity team expand, buy better tools and implement training and proactive strategies that anticipate future issues. It would also be ideal to include security in all aspects of software design, but the main problem is convincing the C-suite to increase the cybersecurity budget.
Cyber resilience is tougher and more complicated. Not only must you convince the top brass that you need more money, but you have to change their whole way of thinking.
To extend the analogy of incorporating security into software design, you must incorporate cyber resilience into regular business practices. You must create an organizational attitude adjustment.
Cyber resilience "requires all the stakeholders in the organization to come together to collaboratively work on a problem," says Lanowitz. "It requires ongoing collaboration and communication across stakeholders in the business."
Every budget decision and spending plan must include cybersecurity and other IT resources. Executives and managers will need to shed the perception of IT and cybersecurity as dollar-draining cost centers. Instead, they should see them as business enablers that give the organization a competitive advantage during tough times.
Managers and executives should also be comfortable reaching out to external consultants and service providers for expertise and advice in implementing cyber resilience. And company leadership needs to be in the vanguard of these changes.
"It's a whole-organization problem, and it has to come from the top down. It can't be bottom-up," says Lanowitz. "From the leadership on down, you have to set the agenda that says, 'Cyber resilience is something that we're concerned with.'"
