Resilience requires the ability to manage change in such a way that the operations of the organization can still function. The change may be positive, for example, a new partner acquisition, or negative, such as being the target of a cyberattack.
The starting point for security teams has always been planning. Using a risk-based approach looking at the threat, the vulnerability, the probability, and the impact are all parts of the full risk equation. To understand the risk, potential scenarios are played out in the following way: Assume a threat exists, then assess the likelihood that it may affect us, and finally, examine how we can block any vulnerability and reduce the impact. Continuity and recovery plans are built around these scenarios.
Increasingly, CISOs are looking at how they can maintain a high level of continuity in the face of other nonthreatening changes. Balancing risk with opportunity, control and adaptability, such as managing the secure deployment of an external team of consultants, or ensuring a new supplier can be linked in to care for systems without increasing exposure is all part of a resilience profile.
Gaining support from leadership teams across their whole organization. This is not a technology or security issue, but a business challenge.
Developing board-level representation to champion resilience.
Ensuring that processes are in place and practiced by all stakeholders.
Continuing to develop both general threat intelligence and specific industry threat intelligence.
Introducing flexible technologies that provide clearer visibility across their assets and the centralized ability to implement new policies and controls.
Resilience is about taking a risk-based approach to what the business can tolerate. Together with the CIO, and/or the board, security leaders as the subject matter experts should clearly steer and articulate the risks; and what to do about them – thus enabling the organization to weigh up the correct decision. If the cost of prevention is millions, but the total damage (if it happens), is only in the thousands, then that should be a factor in the decision and it would not be incorrect to accept the risk. However, it’s not just about finances – it’s also about reputation, and the long-term effect that a data breach might cause. All things should be considered, then try to reach a decision about what you can tolerate (and what you can’t tolerate) as an organization.
Also, come up with a list of assets that you absolutely can’t live without sometimes referred to as the crown jewels, as well as assets you can live without for a short period of time. And then layer your security based on that based on the threat model. It is not always possible or feasible to have the highest level of security on every single asset. No CISO has an infinite budget or resources. You can’t do everything and protect everything. And that’s OK. You aim to protect what is most important to you as an organization and anything that touches that. Using this approach you build your resilience and continue to do so proactively as quickly as you can.
Resilience means being able to manage the threats that we face, and not immediately crumbling when a threat succeeds in causing harm. Resilience is achieved through combining protection with incident response planning.
The first step in becoming resilient is to be aware of threats that we face. You can’t take steps to protect yourself if you have no idea of the nature of these threats. The foundation of successful resilience comes from understanding the threats and your own weaknesses.
Armed with this knowledge, you can implement protections to reduce the likelihood that threats will affect you, and ensure that if a threat does succeed, that the effects will be minimized.
However, we must accept that no protection can ever provide complete coverage, nor can we fully anticipate how threats may change and evolve. Hence, we need to prepare ourselves to respond swiftly and effectively when a threat impacts us.
Making sure that our systems have no single points of failure helps ensure that operations can continue even if one component has to be taken out of action due to a threat. Planning and rehearsing our responses to incidents allows us to remediate threats and restore normal function as soon as possible.
As a security advisor, one thing I look at in order to evaluate resilience is where an organization stands with practices such as data classification, and identity and access management. The overall holistic design of these areas needs to be examined from a security perspective to see if they are sound.
One of the most effective ways to achieve resilience in any organization is to take a team approach, even if it is an informal team – a collaborative environment, rather than an established corporate grouping.
This is important because a person is never alone in this endeavor.
For example, if I am working with developers, they need to be keenly aware that part of the responsibility of developing an application is not just functionality, but security - that is, making the application safe for our customers to do business with us.
Making sure that the organization shares the vision and actions of good security requirements is what will propel resilience; and ensuring that penetration testing, code scanning and data classification are all done at the appropriate time.
What I love is seeing the ways that security professionals are actually helping projects. It’s a different aspect than how security was traditionally treated. Communication with the security professionals is helping the business to design security into the project at the start. And that builds resilience by eliminating the scramble to bolt security on later, especially after an incident is discovered.
One of the areas where it’s crucial to proactively invest time is in the ability to get accurate and actionable threat intelligence in the right context. This can be very difficult because there are many different vendors and tools available that deliver very detailed threat intelligence, but often what they fail to do is make that information relevant and bring in a broad context. For example, the current turmoil in the world makes it important to anticipate cybercrime from a geopolitical standpoint.
Being able to show context adds real value to the business. If you can show executives how you account for the threats to your service delivery, operations and critical functions based on what’s going on in the real world, then they can see the importance of what you are doing. That gives the leadership meaningful confidence that your business is in the resilient state.
An important aspect of resilience comes with focusing on activities that actually align with what the business does. It's all well and good to try to conduct exercises to test your resilience, but with the new work models that have emerged in recent years, the exercises outlined in a variety of frameworks may not be the most valuable thing to be doing right now.
“It's all well and good to try to conduct exercises to test your resilience, but with the new work models that have emerged in recent years, the exercises outlined in a variety of frameworks may not be the most valuable thing to be doing right now.”
A better approach may be to pay attention to where others have fallen victim recently, and try to make sure that the resilience activities you're undertaking are aligned to what is going on in the real world, focusing on those things that are most likely to impact your industry, and specifically your organization. It gives you a real-world test of resilience.
To take that idea further, ransomware is very prevalent, but how do you test resilience against ransomware? The value comes in by looking at the ransomware types that most organizations are being hit by. Are those ransomware variants targeting specific sectors and specific organizations? How does that then apply to you, and how can you model your resilience exercises to answer those real-world scenarios using what has happened to similar businesses?
Too often, there is a very clear disconnect by the business. With ransomware, you may be running a resilience exercise, and some of the business teams may not have a technical understanding of the systems, what ransomware is, and its impact to their workflow. But, when you show that a service can be rendered unavailable, or that data may be stolen and extorted, then the stakeholders that are involved in those resilience activities can get an accurate view to understand how it would materially hurt the business.
Alternatively, they may determine that certain functions can be halted for a short period without harm to the business. These types of resilience activities add a lot of value by building that clear connection between the business and the technology.
Resilience is far bigger than just security, but of course, security is such a key part. Security is like the king piece on the resilience chessboard. If our processes topple over and never recover, the game is over. And yet – we’re surrounded by other disciplines, who have their own moves they need to make to protect the organization as a whole. There’s a lot to protect, and with limited moves, we need to be very calculated. And that’s why we’re seeing a big move towards risk-based security.
For example, I might have a server that doesn't have critical information within it. But the server has a known vulnerability that needs to be patched. It's a back-end server that we use for DevOps. You have the same server, with that same vulnerability, but it’s internet-facing, and it has customer data on it.
Our risks are different, even though it’s the same vulnerability. The need to patch is a far bigger priority for you.
In a world where we can only do so much, we need to focus on the things that matter. Address the critical issues first, and then make a plan to address the other vulnerabilities you might be exposed to. To do that, you need accurate, prediction-based threat intelligence, based on your uniqueness as an organization. This priority-based resilience building will address a lot of security operational issues that we've seen in the past.
“In a world where we can only do so much...Address the critical issues first, and then make a plan to address the other vulnerabilities you might be exposed to.”