Security Think Tank: Resilience is about understanding the real threat

How can organisations build cyber security resilience?

Cyber resilience is not a new concept. There has been a language change but not a change in concept. Cyber security is part of cyber resilience, which in turn is a part of business resilience.

Building cyber resilience has always been about understanding actual threat, not perceived threat. From that comes a realistic understanding of risk and from there you can build your strategy to mitigate risks.

Getting ahead of the threat is the key. Too many organisations focus on dealing with the event that is here and now, without investing time, attention and resources into looking to the horizon and planning ahead.

There are reasons why this happens. The main reason is that many organisations (around 63%, according to Ponemon Institute research) place the responsibility for cyber security with IT, which deals with what needs to happen right now. This also means that information sitting outside IT security may not even be within scope.

The other problem is that just 5% of organisations have chief risk officers, which explains why just 38% of them align their information (or cyber) security with their organisational risk appetite. Most align it with their IT policy.

Hopefully you are beginning to see the issue here. It is not about saying that IT cannot handle security; it is about IT handling IT security, while policy is driven by risk to the business, not risk to IT.

Every business goes through the process of horizon scanning as part of regular business planning, and cyber needs to be built into this process: looking forward to what could become a risk to the organisation, deciding whether it is within risk tolerance and appetite, and then taking appropriate and proportionate steps based on this clear understanding.

Businesses that have embraced this approach understand that the threat landscape is constantly evolving and so have been able to foresee the potential risk from things like spear phishing or APTs. They understand that the current threat will change and that they therefore need to be aware of emerging threat trends in order to prepare successfully.

For example, the increasing desire to implement flexible working and mobile technologies, to develop alternative business or supplier relationships, or to move toward SaaS and other cloud-based offerings may all have real business benefits, delivering both operational and financial efficiencies. But they also have the potential to introduce vulnerabilities that can be exploited by previously unconsidered threat sources.

Of course, it is an age-old saying that a battle plan rarely survives much past contact with the enemy. Consequently, it is vital that all of our cyber planning is adequately supported by appropriate and effective incident management and response, and that our planning itself is dynamic, iterative and capable of responding to changes as they emerge.

To do cyber resilience well, organisations absolutely must start with their business objectives, understanding future strategic and operational imperatives. By embedding an understanding of real threat into corporate risk planning, they can fully align cyber and business strategy, allowing them to entrench cyber resilience within the wider scope of business resilience. This can then be used to develop ongoing technical, personnel and educational priorities, ensuring a truly holistic and top-down approach is adopted.

Cyber, more than ever before, needs to be approached and implemented as a manifestation of corporate culture. Adapt, evolve and survive.

Mike Gillespie is director of cyber research and security at The Security Institute