Resilience is both a technical and a business responsibility

How can organisations build cyber security resilience?

Resilience (the capacity to recover quickly from difficulties; toughness) is a concept under discussion because – as was highlighted at the recent (ISC)2 Secure Liverpool conference – the technical environment in which organisations are embedded today is fragile, error-prone, failure-prone and insecure. Single-point solutions, such as backup, are not necessarily suited to the current environment, so a wider, joined-up approach is needed: resilience.

Put simply, it is the ability of an organisation to keep operating during a disruption and recover afterwards. The concept embraces more than security – it touches topics such as backup and recovery, business continuity and crisis management – and looks to weave these together to allow an organisation to maintain its operational rhythm and keep delivering its services and products to its customers.

Cyber resilience covers the ability to keep operating during a detected attack or incident, to keep operating under the assumption that an undetected compromise has occurred, to operate with reduced capability or capacity, and to provide graceful degradation and recovery during and after an incident.

Building resilience requires the application of standard IT and information security techniques such as backup, testing of recovery and business continuity procedures, use of hot/warm/cold sites, alternative service provisioning, and incident response and management.


IT should be treated as a commodity, with easily replaceable components – “treat your servers like cattle, not pets”, as a panellist stated in Liverpool – and organisations should adopt design choices that build or purchase resilience into systems and infrastructure. Organisations should also deliberately cause failures, as the best defence against major unexpected failures is to fail often. Frequent failures will reinforce the design, specification, purchase and build of services so that they become more resilient.

Finally, business must be involved in testing, response, setting the minimum capability required, and stating tolerance of failure during operations. Resilience is both a technical and a business responsibility.

Adrian Davis is managing director EMEA for (ISC)2
