Developing a successful cyber resilience framework
- Published: Wednesday, 15 February 2023 11:02
Cyber resilience brings the areas of information security, business continuity, and organizational resilience together, says Alberto G. Alexander, Ph.D. In this article he presents the elements of a successful cyber resilience strategy and highlights the components of a cyber resilience framework.
Cyber resilience is an evolving perspective that has rapidly gained recognition. The concept essentially brings the areas of information security, business continuity, and organizational resilience together.
Adverse cyber events are those that negatively impact the availability, integrity, or confidentiality of networked IT systems and associated information and services.
These events may be intentional (e.g., cyber attack) or unintentional (e.g., failed software update) and caused by humans, nature, or a combination thereof.
The objective of cyber resilience is to maintain the entity's ability to deliver the intended outcome continuously at all times. This means doing so even when regular delivery mechanisms have failed, such as during a crisis or after a security breach. The concept also includes the ability to restore or recover regular delivery mechanisms after such events, as well as the ability to continuously update or modify these delivery mechanisms as risks and threats change. Backups and disaster recovery operations are part of the process of restoring delivery mechanisms.
In this article the elements of a successful cyber resilience strategy will be presented, the components of a cyber resilience framework will be discussed, and best practices will be suggested for cyber resilience management.
In a utopian world, an organization's systems run without problems 24 hours a day, seven days a week, 365 days a year. But the reality is that adverse cyber events (whether intentional or unintentional) negatively impact the ability of organizations to operate effectively every day. And when they do, how well the organization responds to and recovers from cyber attacks and data breaches will depend on the resiliency of its systems.
Being a cyber resilient organization means being able to fight through adversity and continue to operate, even if it's only in a degraded mode.
There is often confusion between the terms 'cyber security' and 'cyber resilience'. It is important to be clear about what each one means.
The difference between cyber security and cyber resilience is key. Cyber security focuses on protecting an organization from cyber attack. It involves things such as firewalls, VPNs, anti-malware software, and hygiene, such as patching software and firmware, and training employees about secure behavior.
On the other hand, “cyber resilience focuses on what happens when cyber security measures fail, as well as when systems are disrupted by things such as human error, power outages, and weather,” (Petrenko, 2019). Resiliency takes into account where an organization's operations are reliant on technology, where critical data is stored, and how those areas can be affected by disruption.
Then it involves putting measures in place to minimize the impact of those disruptions. For example, the protocols to be followed in the event of a system breach would be part of a resiliency plan.
Organizations need to understand what cyber resilience is, why it matters, and how to lay the groundwork for an effective rollout.
The need for organizational cyber resilience
One reason that organizations need to pay attention to cyber resilience is to avoid the kinds of catastrophic failures that occur when there is an all-or-nothing approach to security. Such an approach might assume, for example, that all attacks can be stopped at an organization's perimeter, so internal controls are unnecessary.
In a similar vein, giving people free rein on an internal network because they have a valid username and password could also lead to disastrous consequences. That's why a resilience plan will consider actions and outcomes before, during, and after an event.
"The primary goals of resiliency are anticipating, withstanding, and adapting. Companies need to anticipate that they are going to be attacked. They need to withstand that attack and continue to operate their critical business functions,” (Petrenko, 2019). Organizations need to adapt to an evolving threat landscape.
If an organization is targeted by persistent threat actors, it's very likely that the organization's networks will be compromised. That's why a business must be ready to persevere through such attacks. Resiliency allows an organization to do that, minimizing the impact of persistent threats. “Building resiliency into an organization's information architecture will lower the probability of an attack's success and minimize the damage if an attack is successful,” (Minteer, 2017).
Resilience is also important for lowering the long-term risk profile of specific organizations and society as a whole. It is only by thinking of overall network resiliency that businesses can not only surmount existing threats, but also overcome future threats from technologies such as artificial intelligence, the Internet of Things (IoT), and quantum computing.
What is cyber resilience?
Cyber resilience is the “ability to adapt and continue business operations and accomplish objectives, regardless of the cyber incidents,” (Greiman, Bernandin, 2021).
Cyber resilience includes preparation for business continuity and involves not just cyber attacks or data breaches, but other adverse conditions and challenges as well. For example, if the workforce is working remotely due to a catastrophic scenario, like the COVID-19 pandemic, but still able to perform business operations well and produce results in a cyber-secure habitat, the company is demonstrating cyber resilience.
Cyber resilience is the process of how a business responds to cyber threats. In today’s modern landscape, businesses not only need to defend from attacks – they must also plan responses to successful security breaches.
Cyber security primarily focuses on a business’s capability to defend itself against cyber attacks. “Cyber resilience has a wider focus, encompassing security but also business resilience – adopting a culture of awareness and an ability to recover from cyber attacks,” (Ching, 2022).
Elements of cyber resilience
Cyber resilience is achieved through a set of specific, repeatable steps that give the organization both durability and agility. Figure one presents the four indispensable elements of a cyber resilience approach:
Figure one: Basic elements of a cyber resilience approach.
A brief description of each of the four elements follows.
Proactive risk management
When the cyber resilience journey gets started, the threats need to be understood and proactive ways to protect the company have to be identified. What are the risks, and how can the organization take precautions before being under attack?
This step includes analyzing the systems and networks to find vulnerabilities. Cyber resilience has to start from a healthy and well-protected infrastructure; only then does it make sense to integrate security tooling into the systems and network.
Efficient detection system
Even with protective measures in place, the company can still be the victim of a cyber attack. "It takes an average of 287 days to identify a data breach," (Ching, 2022). During that time the data is exposed to the intruder and whatever they choose to do with it. Rapid detection therefore matters: it lets the organization respond before the intrusion spreads and the damage grows.
Cyber resilience depends on success in tracking the network and system. As malicious acts become ever-more sophisticated, organizations need to have a robust detection system to enable immediate action in case of a cyber security event.
Response and recovery system
Once a breach or attack is detected, the response system must come into play. This step requires an incident response plan that identifies roles and responsibilities. An automated, granular backup regime also matters here: if backups are taken per system or per dataset rather than as one monolithic copy, the affected data can be isolated and restored quickly without touching everything else. Operations can then continue while the teams and technologies recover from the attack.
Self-assessment and improvement
The final element of cyber resilience is assessing the process and continuously learning from experience. “The hacking tactics are evolving, and so should the cyber resilience strategy,” (Ching, 2022).
When paying attention to persistent improvement, the company will naturally align to the changing requirements.
Companies need to have a framework to manage the process of cyber resilience. A set of consistent and reliable methodologies needs to be identified and used on a formal basis in the organization.
The cyber resilience framework
Cyber resilience is a framework designed to help organizations withstand attacks. It is not a single layer of protection or a single product but a way of structuring defenses so that no one event is catastrophic. Cyber resilience is an iterative process that provides the means of recovery from an attack. Where a traditional perimeter defense offers nothing further once it has been bypassed, cyber resilience keeps the organization watching and responding at every layer.
Cyber resilience frameworks help teams address cyber security challenges, providing a strategic, well-thought out plan to protect data, infrastructure, and information systems. The framework offers guidance, helping IT security leaders manage their organization’s cyber risks more intelligently.
"The key advantage of the cyber resilience framework is that it puts business forward," (Greiman, Bernandin, 2021). Traditionally, security has operated as an overlay to the business. Cyber resilience integrates security into the business itself, so that the following five components are present in all areas of the organization. They correspond to the five core functions of the NIST Cybersecurity Framework version 1.1:
- Identify critical assets, systems and data. The enterprise must understand the resources that support all critical functions within a business context.
- Protect critical infrastructure services. In this step, the enterprise puts in place the first-line safeguards that will limit or contain the impact of any potential threat.
- Detect unusual events and suspected data breaches or data leaks before major damage occurs. This step demands continuous security monitoring.
- Respond to a detected security breach or failure. This function involves an end-to-end incident response plan that keeps critical business functions running, if necessary in a degraded mode, in the face of a cyber attack.
- Recover: restore any infrastructure, capabilities, or services that were compromised during a cyber security incident. This step focuses on a timely return to normal activities.
It is important to be aware that a successful cyber resilience framework rests on vigilance and visibility. With a top-down approach, companies can develop an enterprise-wide incident response strategy that enables them to handle threats quickly, while also maintaining the integrity and efficiency of their business model.
Improving the cyber resilience framework
Cyber resilience frameworks give managers a reliable, standardized, systematic way to mitigate cyber risk, regardless of the environment’s complexity.
Any framework needs to be improved over time and figure two, below, depicts five basic activities that an organization should consider to help improve the cyber resilience framework.
Figure two: Improving the cyber resilience framework.
Identification of top management coordinator
With a senior manager assigned as responsible for cyber resilience, the enterprise will have someone to champion cyber resilience at the C-suite level. That manager will help educate board members and obtain their support for investment in incident response automation tools and for developing a more comprehensive cyber resilience framework.
Nurture a culture of cyber resilience
Many companies make the mistake of leaving cyber resilience solely in the hands of the security team. If only one or two people understand the systems, and how to protect them, the security posture will only get weaker as the company scales.
Enterprises must educate the first line of defense by encouraging the entire workforce to adopt a mindset of cyber resilience. All employees should know how to identify and detect malware and phishing threats, and they should understand the results of a data breach.
When it comes to security matters, leaders must promote teamwork, open communication, and sharing across teams. Through peer learning and ongoing education, an enterprise can instill a security-focused culture that serves as a solid foundation for the cyber resilience framework.
Create formal cyber security policies
A strong risk management policy is an integral aspect of a cyber resilience framework. When the organization has documented proven security processes as part of their official guidelines, the employees then have a reliable set of protocols to guide their efforts.
Make cyber resilience a priority at board meetings
Be aware that an incident response strategy and overarching cyber resilience framework are live, evolving, assets. They are not one-and-done tasks that can be shelved away. It’s crucial that policies and security practices are reviewed and kept updated.
A robust security posture is not possible if all security issues are siloed in a single department. Enterprise leaders must check in with key stakeholders on security policies at least once a month. In doing so, the business can maintain a high level of cyber resilience, so the organization is prepared to respond to and manage any threats.
Offer career paths for security professionals
The best security professionals want opportunities for continuous learning and career growth. If they don’t see viable pathways upwards in their job, they will move to another one.
By growing talent within the company with ongoing training, staff are kept engaged. In return for offering a platform that facilitates personal and professional growth, the organization cultivates a loyal workforce of highly-skilled security professionals.
Cyber resilience best practices
To achieve cyber resilience, it is important to strike the right balance between people, processes, and technology. A common mistake is to become over-dependent on tools and technology while ignoring the importance of well-informed, skilled people and well-designed processes. What organizations should strive for is bringing all three components together in a complementary and streamlined manner:
People are considered to be the weakest link in the cyber security chain and are usually targeted by bad actors. Cyber resilience is everyone's responsibility, and it is important that every employee is aware of their roles, responsibilities, and accountability. To make the workforce cyber resilient, organizations can undertake the following key measures:
- Providing relevant cyber security training to employees depending on their roles.
- Ensuring that the cyber resilience program is supported by top management and leadership, who undertake periodic reviews of cyber resilience initiatives and monitor readiness to face a cyber security attack or data breach.
- Educating board members so that they are aware of basic cyber security terms relevant to their business and of industry cyber security trends.
- Establishing specialist functional groups within the organization to monitor and address risks in real time.
Having the right governance and strong processes in place is crucial for achieving cyber resilience. In terms of governance, some of the best practices include:
- Maintaining regulatory compliance.
- Validating that proper controls are in place and operating effectively on data.
- Having a responsive, agile, adjustment of policies, processes, and technologies.
- Monitoring the preparedness to face cyber breaches using strategies such as scenario-based prediction, war-gaming, and proactive reporting.
- Devising an effective communication plan, documenting when and how to notify key stakeholders.
- Ensuring alignment with the organization’s overall governance framework.
With regard to processes, organizations can put into practice a number of key measures for cyber resilience, including:
- Creating a comprehensive documentation process for collaboration and information sharing within the organization as well as externally with third-party organizations.
- Implementing a centralized asset management system for software, hardware, and data, both internal and external, for full visibility into critical assets and security controls.
- Using continuous monitoring systems, such as security information and event management (SIEM), and data analytics for identifying and detecting security incidents.
- Deploying various controls to prevent cyber security incidents such as application control, patch applications, multi-factor authentication, and restricting administrative privileges.
Technology is a major enabler in the fight against cyber criminals and an essential pillar of cyber resilience, provided it is used in support of skilled people and sound processes rather than in place of them. Key focus areas for organizations in this regard include:
- Achieving a balanced technology portfolio: of the total investment in tools and technologies, a larger share should be directed towards response and recovery capabilities, not only prevention.
- Ensuring that the technologies in use are kept securely updated in line with industry standards, as older systems and technologies grow increasingly vulnerable.
- Adopting a more mature and advanced approach to protecting assets, using automation and orchestration technologies as part of the response and recovery capabilities.
- Creating an air-gapped copy of critical assets, and protecting it against corruption or deletion by using write-once, read-many (WORM) or otherwise immutable storage.
- Leveraging point-in-time snapshots to identify a potential breach or infection and to devise corrective measures, and using advanced technologies, such as deception, to mislead attackers.
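The three technology points above (granular backups that let affected data be isolated, an immutable copy that cannot be overwritten or deleted, and point-in-time snapshots used to scope what an incident changed) can be made concrete. The following is an added example written for this edit, not code from the article or from any of the cited authors. It records a per-file SHA-256 manifest for each point in time, diffs two manifests to scope what changed, stores the backup in an in-memory stand-in for WORM/object-lock storage that rejects overwrites and deletes, and re-verifies the backup against its manifest. The file paths, contents and the "day 1 / day 2" scenario are constructed sample data, and the `ImmutableStore` class is a hypothetical emulation, not a real storage API.

```python
"""Point-in-time manifests, snapshot diff, and immutable backup verification (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one point in time as path -> SHA-256 of content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass(frozen=True)
class SnapshotDiff:
    added: FrozenSet[str]
    removed: FrozenSet[str]
    modified: FrozenSet[str]


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> SnapshotDiff:
    """Compare two manifests to scope exactly what changed between the two points in time."""
    b, a = set(before), set(after)
    return SnapshotDiff(
        added=frozenset(a - b),
        removed=frozenset(b - a),
        modified=frozenset(p for p in a & b if before[p] != after[p]),
    )


class ImmutableStore:
    """Hypothetical in-memory stand-in for WORM / object-lock storage: write once, never overwrite or delete."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        if key in self._objects:
            raise PermissionError(f"{key!r} already exists and is write-once")
        self._objects[key] = bytes(data)

    def delete(self, key: str) -> None:
        raise PermissionError("delete rejected: retention lock in force")

    def get(self, key: str) -> bytes:
        return self._objects[key]


def verify_backup(store: ImmutableStore, prefix: str, manifest: Dict[str, str]) -> Dict[str, bool]:
    """Re-hash every backed-up object and compare it with the manifest taken at backup time."""
    return {path: sha256_hex(store.get(f"{prefix}/{path}")) == digest
            for path, digest in manifest.items()}


# Constructed sample data for the demonstration; these are not real files.
DAY1 = {
    "finance/ledger.xlsx": b"Q1 ledger, version 7",
    "hr/payroll.csv": b"emp,salary\n1,1000\n",
    "ops/runbook.md": b"# Runbook\nstep 1",
}
DAY2 = {
    "finance/ledger.xlsx": b"\x00\x91encrypted-blob",  # overwritten in place (ransomware-style)
    "hr/payroll.csv": b"emp,salary\n1,1000\n",         # untouched
    "ops/README_RESTORE.txt": b"pay us",                # new file dropped by the attacker
}                                                       # ops/runbook.md has been deleted


def run_scenario() -> Tuple[SnapshotDiff, bool, bool, Dict[str, bool]]:
    """Back up day 1 to WORM storage, attempt tampering, scope day 2 changes, verify the backup."""
    store = ImmutableStore()
    day1_manifest = build_manifest(DAY1)
    for path, content in DAY1.items():
        store.put(f"backup/day1/{path}", content)

    overwrite_rejected = delete_rejected = False
    try:  # an attacker or a misbehaving script tries to clobber the backup copy
        store.put("backup/day1/finance/ledger.xlsx", b"garbage")
    except PermissionError:
        overwrite_rejected = True
    try:
        store.delete("backup/day1/hr/payroll.csv")
    except PermissionError:
        delete_rejected = True

    change = diff_manifests(day1_manifest, build_manifest(DAY2))
    intact = verify_backup(store, "backup/day1", day1_manifest)
    return change, overwrite_rejected, delete_rejected, intact


if __name__ == "__main__":
    change, ow, dl, intact = run_scenario()
    print("added:   ", sorted(change.added))
    print("removed: ", sorted(change.removed))
    print("modified:", sorted(change.modified))
    print("overwrite rejected:", ow, "| delete rejected:", dl)
    print("backup intact:", all(intact.values()))
```

The diff is what scopes the incident: the modified and removed sets tell the response team which items to restore from the day 1 copy, while the added set points at artefacts the attacker left behind. Because the backup hashes still match the manifest after the tampering attempts, the day 1 copy can be trusted as the restore source; in production the manifest itself should be stored with the same immutability guarantees as the data it describes.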
Conclusion
- Cyber resilience is how today's organizations refuse to be knocked offline by cyber attacks. It is the measure of an organization's ability to get back up and running quickly, no matter what.
- Being a cyber resilient organization means being able to fight through adversity and continue to operate, even if only in a degraded mode.
- The key to building cyber resilience is to focus less on technology and more on people. The company can only tap into the power of its data and leverage the latest technology when there is a skilled team in place to oversee security operations.
- Cyber resilience should not be left to the security team alone. C-suite members must work to establish a strong culture that promotes peer learning, open discussion, and ongoing training.
- Cyber resilience is an iterative process that provides the means of recovery from an attack. To achieve it, the organization must strike the right balance between people, processes, and technology.
- Any framework needs to be improved over time. There are several supporting activities that the firm needs to plan and implement.
- Where traditional defenses offer nothing further once bypassed, cyber resilience keeps the whole organization vigilant.
Dr. Alberto G. Alexander holds a Ph.D. from The University of Kansas and an M.A. from Northern Michigan University. He is an MBCI, and a BCMS, ISMS and QMS IRCA Lead Auditor and Approved Tutor. He is the managing director of the international consulting and managerial training firm www.gerenciayproductividad.com, located in Lima, Peru. He can be contacted at firstname.lastname@example.org. He is a professor at the Graduate Business School of UESAN, Lima, Perú.
References
- Petrenko, Sergei. Cyber Resilience. River Publishers, 2019.
- Minteer, Andrew. Analytics for the Internet of Things (IoT). Packt Publishing, 2017.
- Greiman, Virginia; Bernardin, Emmanuelle. Cyber Resilience: A Global Challenge. ACPIL Publishers, 2021.
- Ching, Amelia. The Art of Cyber Resilience: Into the Mind of Cyber Criminals. Agilenlight Pte Ltd, 2022.
- National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework), Version 1.1, 2018.