The Often-Forgotten Organizational Dimensions of Resilience and Digital Trust

Author: Alex Sharpe, Board Member, Practitioner, Speaker, Author, Sharpe42 LLC
Date Published: 30 August 2024
Read Time: 5 minutes

Simply put, resilience is about remaining viable amidst adversity and being better for it. That means aligning technology strategy with business strategy and operations. It means moving away from a strategy of continually layering controls to mitigate cyber risk to a strategy where we consider different forms of risk treatments with an eye toward a collaboration among technology, people, processes and the organization.

Phil Venables, the CISO for Google Cloud and the Co-Chair of the President’s Council of Advisors on Science and Technology (PCAST), said it best: “Connect the tone at the top with the resources in the ranks.”

Partnering with the business affords new opportunities for risk management. As cyber continues to grow as a business conversation, it gets the opportunity to influence the strategy and the operations. Why? How? Simple: that is how businesses work. As long as cyber was viewed as a technology problem with a technology solution, it was relegated to a reactive strategy where IT scrambled to implement controls. With a seat at the table, the cyber team can influence the strategy to find more secure ways of driving business value at lower risk. The same conversation could lead senior leadership to accept or avoid the risk. Senior management gets to make an informed decision about whether to accept the risk as an inherent part of the business or alter the strategy to be more secure. The question becomes how much is acceptable, in much the same way a beverage distributor needs to decide how much breakage is acceptable.

Presume breach. Resilience also means we presume breach, recognizing we need to detect faster and to recover more quickly while remaining viable. We understand that the nature of the collaboration among technology, people, processes and the organization is modulated to suit the need, while the role of governance is forever present.

This can be graphically represented.

Exploiting the human dimension. The malicious actors have figured out that our technical defenses are strong and are changing their tactics to exploit the human dimension and the weaknesses in our processes.

Verizon’s 2023 report on data breaches found that:

  • The human element is the most common threat vector, causing 82% of data breaches.
  • At least two-thirds of cyberattacks involve the impersonation of trusted users and systems to gain access to vital data and critical systems.
  • A phishing attack is the first move in 91% of successful breaches.

The incidents at Las Vegas casinos last fall are prime examples. Malicious actors exploited the human dimension to penetrate the enterprise. Phishing attacks are an exploitation of human nature.

None of this can be mitigated through technical controls alone. Defenders must adapt. On or off is no longer the question; we can no longer measure an entity as simply on or off. In a world of resilience, we prioritize products and services based on value and significance to the ecosystem. This is most evident when it comes to essential services where the physical and digital worlds meet, like water, electricity, power and transportation.

In the US, the President’s Council of Advisors on Science and Technology (PCAST) produced a report, “Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World,” dealing with many of these key issues and making a handful of focused recommendations. It is no longer about how long to restore but about ensuring no more than 100,000 people will be without water for more than one hour in a 20-mile radius (just for example).

Resilience requires an “all hazards” approach. The recent CrowdStrike incident is an example. While not from a cyber-attack, there were widespread outages because of the software supply chain – it just happened to be cybersecurity software. Our highly digitized and highly connected world has made us susceptible to a cascading effect that can be felt globally. Geographic distances, mountains and oceans no longer provide the isolation they once did. Bits don’t know borders.

We also need to look at our supply chains and use of External Service Providers (ESP) like the cloud. We are aggregating risk in the cloud. As more and more goes into the cloud, the more cost-effective it becomes for malicious actors to invest in breaching an ESP. Instead of impacting one organization, they impact thousands. Higher rewards justify larger investments in time and money, while accepting the increased risk of detection.

The world is moving toward resilience. The EU and the US have very different styles for handling standards and regulatory frameworks. In the EU, we have the second iteration of the Network and Information Systems Directive (NIS2) and the Digital Operational Resilience Act (DORA). In the US we have seen updates to standards like Cyber Security Framework version 2.0 (CSF 2) and legislation like the second amendment to the New York Department of Financial Services (NYDFS) cybersecurity regulation. I suspect we will see the elements of resilience pop up more and more, especially now that the implementation of the recommendations contained in the PCAST report is underway.

Within the US, the Operational Resilience Framework (ORF) is the furthest along. The ORF is a highly comprehensive source for understanding specifics developed by the Business Resilience Council (BRC) and sponsored by the Global Resilience Federation (GRF). It is the result of three years of development by more than 100 organizations. The ORF consists of 37 rules grouped into seven domains. A maturity model is attached to the framework to craft an enterprise’s resilience journey. Scores are presented numerically and visually in the form of a spider diagram. The ORF is outcome-based, not prescriptive. The metrics are leading indicators, forward looking so defenders can act instead of always reacting.

A closing thought: Cybersecurity is now a business discussion, to be incorporated into traditional business practices like risk management and strategy. Incorporating the core tenets of resilience while exposing yourself to the business is only going to mature your cyber program and enhance your career.
