What is Cyber Resilience?
See how dramatically spending on Cybersecurity solutions has gone up in a short period of time in the US? We don’t have to rehash the self-evident reasons for this. The mainstream media has helped raise awareness somewhat but not everything that happens makes the national news. Organizations, regardless of size, can’t count on fancy hardware and software solutions to avoid getting hacked. Spending on Cybersecurity solutions isn’t enough.
Estimates vary depending on where we read them, but on average they suggest that cybersecurity events impact around 1000 small businesses in the US every day. The vast majority of cyber attacks occur against businesses with fewer than 100 employees. Small businesses are valuable targets because they give hackers access to their larger clients. Among many other large companies that use small, third-party service providers of all sorts, Target Corporation has learned this lesson the hard way.
Defense and prevention are only part of the solution. Organizations of all sizes also need tools and strategies to absorb and mitigate cyber events when they happen. Because they will happen.
Cyber Resilience, in this context, defines an organization’s collective ability to withstand cyber events through a combination of preparations made with regard to threats and vulnerabilities, defenses in place, a culture of awareness education and a detailed plan of action for mitigating a cyber event after it happens. That plan includes clearly defined roles and actions so that when something happens, everyone knows what to do, how to do it and when.
Cyber Resilience, in this context, is not synonymous with “recovery” and it’s not event-specific. It’s not just disaster recovery, restoring files that were lost, closing a security hole in a web server, configuring a firewall correctly or securing data in a database. Your organization’s Cyber Resilience strategy has a beginning and continues to evolve as things change, growing stronger over the long term as a baseline component of your organization’s overall, long-term business strategy.
Your organization becomes cyber resilient by going beyond information technology planning and making risk evaluation a normal part of that strategy, defining cyber risk just like any other risk that you have to contend with to achieve your goals.
Why is Cyber Resilience important?
We wouldn’t set out on a long camping trek without planning. If we did, we’d regret it. Organizations that don’t plan ahead what actions to take and what outcomes to expect before, during and after a cyber event will be subject to losses greater than just revenue. Their clients will never trust them again. Their competitors who do plan for these scenarios therefore have a strategic advantage far superior to a disaster recovery plan, for example, that only considers a single instance in time.
It’s vital to the survival of the US’s overall economic and societal resilience that we start thinking beyond information security to overall cyber resiliency that ensures we are prepared for existing risks and that our strategy is adaptable to new risks that are coming.
As Artificial Intelligence (AI), the Internet of Things (IoT) and Quantum Computing (QC) rise into our industries, cultures and homes, organizations have a responsibility to ensure Cyber Resilience is included in their overall strategic planning. Having a Cyber Resilience strategy now will greatly aid our ability to adapt and iterate based on the emerging threats from these rapidly evolving technologies.
For the moment, there are clear and field-tested tactics and strategies that organizations can adopt to help protect themselves and their information, elevate their awareness and minimize their risk. However, the risk of taking only an information-security approach is that, once an emerging technology like AI, IoT or QC is fully realized and implemented into our world of work, organizations’ risks will have to be looked at in a completely new light. Starting from scratch at a fast-approaching time will mean doing so in an ad hoc fashion. Not awesome.
Cyber Resilience is a long-term strategy which includes anticipating which technologies a business will implement over the next 3-5 years at a time. It’s a conversation between technology and business leaders within an organization. This approach means you will be ready when you need to be ready or, at the very least, not starting from scratch.
Why “Resilience” more than “Security”?
By definition, security is all or nothing. A system is either secure or it isn’t. Since a vulnerability in a single system can compromise other systems, Cyber Resilience is focused on an organization as a whole, rather than on just systems or on isolated components of the whole.
You can’t promise clients that you can protect your systems 100 percent of the time. You can promise, however, to be prepared for when your organization is breached by planning ahead and having a complete understanding of your systems and their interdependencies, along with a tested plan for how to respond when a breach of any kind occurs.
It’s everyone’s responsibility to protect themselves, their families, friends, partners and clients. Leaders who set the priorities are ultimately responsible and have been increasingly held accountable for including (or not including) Cyber Resilience in their organization’s overall strategy. This is quickly becoming a differentiator for clients as they choose partners who show awareness and commitment to protecting their interests in this crucial way.
How do you make the move towards Cyber Resilience?
Partnerships are key. Cyber Resilience is risk management. It has a starting point but it doesn’t have an end. Choose a Cyber Resilience partner dedicated to helping your organization all the way through the continuum. Begin by diagnosing your organization’s current, overall risks and resiliency. Then, based on prioritizing those risks, establish and implement a baseline Cyber Resiliency strategy which you can then continue to improve on. Make sure your chosen partner is committed to the follow-through by helping your organization sustain the strategy and tools and continue to build a culture of awareness through periodic education. Cyber Resilience isn’t a project, it’s a process.
What are some good sources for more information?
Cyber Resilience as a component of business strategy has been a focus of the World Economic Forum. Since 2011, they have been furthering principles, frameworks and tools for raising awareness and understanding of Cyber Resilience. Computer Emergency Readiness Teams (CERTs) also provide resources to help organizations assess their overall Cyber Resilience.
While these are appropriate for large businesses, WIMZKL has designed elegant and friendly programs tailored to the unique requirements of small and medium-sized organizations.
If any of this resonates with you, please learn more about the Resiliency Diagnostic and commit to preparing yourself and your clients before something unplanned and preventable happens.
Thanks for reading.