Maintaining security in an organization is a never-ending process. However, this does not mean that it is a simple “rinse and repeat” operation, as some frameworks would indicate. Yes, a continual review is necessary, but the threats are no longer repetitive. It is almost as if the threats have created a living, breathing beast that creeps into the most unassuming crack in your otherwise impervious defenses. This calls for more than just a recovery plan; it calls for a level of adaptability we have come to know as resilience.
Resilience is more than just business continuity and incident response plan, two areas that are often relegated to a select team that operates in near secrecy. However, if your business functioning and reputation are on the line, resilience demands more. It requires a level of vigilance that only comes from transparency and inter-departmental collaboration. How can you achieve the buy-in to make resilience a force multiplier in your organization?
Invest in People
One way to achieve resilience is to make a true investment in your people. This doesn’t mean just spending money on training people to recognize threats. It means understanding how teams and individuals work together in a department, as well as how they interact with other departments. Group dynamics can impact the time to report and respond to a perceived threat, and it can mean the difference between early intervention against a problem, and a fast response.
To augment the dynamics, the security professionals should have a working knowledge of the systems used in the other departments in the organization. Liz Waddell, of Cisco Talos, makes the valid point to “Make sure you have the right people in the right places. Invest in their training so they know your environment and technology and are ready to respond and protect it.” This can only occur with a collaborative approach, which strengthens resilience.
Information security professional Lidia Giuliano echoes this sentiment by stating “One of the most effective ways to achieve resilience in any organization is to take a team approach, even if it is an informal team – a collaborative environment, rather than an established corporate grouping.” Resilience demonstrated through collaboration is a positive business enabler.
Manage the Change, Whether Good or Bad
Richard Archdeacon, of Cisco Secure, observes that “Resilience requires the ability to manage change in such a way that the operations of the organization can still function. The change may be positive, for example, a new partner acquisition, or negative, such as being the target of a What is a Cyberattack? A cyberattack is a deliberate and malicious attempt to exploit vulnerabilities in computer systems, networks, or software applications to cause damage, steal information, disrupt services, or... More.” This is a welcome observation, as it shows that resilience can be part of a positive change in an organization, rather than the idea that resilience only functions in a disaster.
By making a resilient approach part of the normal functioning of the organization, it reduces the panic that often ensues when change occurs. If the teams know how to work around change, they can shift to alternate methods of processing in order to keep the business functioning. Archdeacon further observes that resilience requires “Gaining support from leadership teams across the whole organization. This is not a technology or security issue, but a business challenge.” By showing that resilience is a business concern, it shows how the value extends beyond technology.
What Can You Live Without?
Asset identification is not new in the world of cybersecurity. It has always been understood that you cannot protect what you don’t know you have. This is still true, but in order to create resilience, the opposite approach is suggested by Goher Mohammad, who heads the InfoSec practice at L&Q Group.
“Come up with a list of assets that you absolutely can’t live without, sometimes referred to as the crown jewels, as well as assets you can live without for a short period of time. And then layer your security based on that . . . It is not always possible or feasible to have the highest level of security on every single asset.”
Similarly, Martin Lee, of Cisco Talos, astutely adds“Resilience means being able to manage the threats that we face, and not immediately crumbling when a threat succeeds in causing harm.”
Most continuity plans focus entirely on bringing the entire environment back to full operation as quickly as possible. This is exactly the right approach. However, if your plan can also show how the business can be operational prior to full restoration, that makes a convincing case for resilience buy-in.
Decreasing the Mean Time to Resilience
An important part of any cybersecurity program includes the Mean Time To Detect (MTTD), and the Mean Time To Respond (MTTR). When combined with the classic Recovery Point Objective (RPO) and Recovery Time Objective (RTO) parameters of a disaster recovery plan, a Resilience Recovery Time emerges. Haroon Malik, of NTT Data, describes it this way: “Threats exist and incidents happen. Resilience is achieved when both the likelihood of an incident occurring is reduced, and the impact caused is minimized.” This could be thought of as the Decreased Mean Time To Resilience. As all of these previously separate disciplines converge into a unified approach, the ability to achieve buy-in for a resilience strategy becomes easily apparent.
The movement towards resilience is gaining more and more traction as the answer to the old reactive security approach. Instead of the threats being treated as the untamable beast, an organization that builds resilience into its environment becomes more proactive, able to handle the greatest challenges, anticipate what can happen next, and understand how to work around any contingency.
Achieving buy-in for a security resilience program is possible when it can be shown that the business need not be fully halted in the face of a security event.
Bora had the pleasure of collaborating with Cisco on an eBook where we questioned 13 cybersecurity leaders around the world to hear their stories and understand how they have successfully integrated security resilience into their organizations. You can get their perspectives and advice in their latest eBook here: Building Security Resilience: Stories and Advice from Cybersecurity Leaders