During the pandemic, many businesses could not continue to operate in the same old ways, because their security programs were not able to adapt quickly enough. When remote workers left behind the protection of corporate firewalls to work at home, many companies overwhelmed their virtual private networks by having all employees connect back to the corporate network, backhauling tremendous amounts of traffic in the process.
Companies failed to anticipate the impact of a global pandemic, so cybersecurity was sacrificed in the interest of business continuity and availability. This demonstrates that instead of treating cybersecurity as the ultimate goal, organizations should focus on cyber resilience. You can have cybersecurity without cyber resilience, but you cannot expect to be cyber resilient without the foundations that cybersecurity provides.
Now that we seem to be at the beginning of the end of the pandemic, it is time to review what we have learned from the experience. Cybersecurity is about identifying the important cyber assets, protecting your systems and data, detecting attacks, and recovering to a known good state. Cyber resilience is more strategic and focuses on the capacity to endure.
Companies need to create plans to anticipate problems, design their systems to withstand disruption and attack, have strategies for recovery, and constantly review their approach to improve their strategy.
Here are the four stages on the journey to cyber resilience.
1. Anticipate your risks
While a global pandemic is a black swan event that, by definition, cannot be anticipated, pressures from employees to move to more remote work and occasional disruptions to business could both be anticipated. These are not necessarily cybersecurity issues but are risks that businesses need to anticipate.
“The moment to help is before it happens” is a great saying that encompasses the importance of anticipation. One way to do this is through threat modeling, which has become a popular way to delineate and anticipate risks. When conducting threat modeling as part of your approach to cyber resilience, remember to broaden the definition of “threats” to all business risks.
2. Withstand attacks and disruption
While cybersecurity focuses on preventing and enduring threats to systems, data, and networks, cyber resilience focuses on making sure the business can withstand any disruption. CISOs no longer have to worry just about whether the company is secure against attacks, but also about whether it is able to continue operating in the event of disruption.
Turning models of a wide variety of threats into resilient systems and procedures requires a fast cycle of assessment and feedback as well as constant testing and evaluation. Companies should automate as many of these tests as possible—not just tests of applications and systems, but of procedures and processes as well.
3. Respond and recover from disruption
Cybersecurity response tends to be very tactical. Attack traffic needs to be blocked, malware removed, and users’ systems reinstalled. Yet the plethora of threats that could disrupt business means that the response to such risks needs to be broader. Cloud-service outages, denial-of-service attacks, ransomware incidents, sustained power outages from climate change, and other crises need to be managed and recovered from quickly.
The creation of playbooks is not enough. A team of business decision makers needs to be ready to convene and have redundant channels to ensure that they can communicate. In addition, every member of the team needs to have a backup to ensure resilience in a time of crisis.
4. Continually evolve
Creating a cyber-resilient business is not a single effort and is never completed. A leadership team should regularly review progress and potential new threats and refine the company’s approach to risk management. Reviewing the potential adversaries—and how those adversaries are evolving—can help the company see how its countermeasures might need to evolve.
An active threat intelligence program can help the company gather data on potential adversaries and prepare for attacks. Revising threat models can help determine what other types of incidents could cause widespread damage to the business.
I’m not dismissing cybersecurity as a viable approach, but it is tactical, covering the day-to-day management of systems, data, and security. There needs to be an overarching discipline governing the entire process of determining the most critical threats to your business and preparing the company for those risks to minimize disruption.
That is cyber resilience in a nutshell. It’s not a product or a service. It is a mission.