Cybersecurity professionals are tired of losing ground to cybercriminals, so they are working with members of their companies’ C-suites and boards of directors to put in place a process that some deem is more realistic than prevention: Cyber resiliency. Resiliency means a company can keep delivering the intended outcome, even in a crisis. It brings together information security, business continuity, and resilience, creating an organization that can survive cyberattacks.
By getting the decision-makers involved, information silos (which permeate most organizations) are torn down. And, more importantly, combined buy-in by the experts and decision makers will silence the “us vs. them” attitude.
SEE: Disaster recovery and business continuity plan (TechRepublic Premium)
Mistakes to avoid with cyber resiliency
Alex Manea, a security officer at Georgian Partners, offers an interesting perspective on what to avoid when enabling cyber resiliency in his article Avoid These Top Four Cybersecurity Mistakes on Chief Executive. In the article’s introduction, he said:
“Over the years, I’ve seen some fantastic approaches to risk mitigation and some not-so-fantastic approaches. What’s clear to me is that businesses that take a holistic approach and build cybersecurity into that strategy from the start, end up more successful down the line.”
Manea said in his experience four mistakes surface more often than not, and if people implementing cyber resilience avoid them, it will likely give their company a competitive advantage.
1st mistake: Trying to protect everything
Manea begins by sharing the well-worn axiom that defenders must protect every possible opening where attackers only need one way in. If realistic, that truism alone should be enough to replace a prevention attitude with one based on resilience.
Manea then suggests caution. “Make sure you understand your organizational constraints—be they technological, budgetary, or even political—and work to minimize risk with the resources that you’re given. Think of it as a game of economic optimization.”
2nd mistake: Lack of an all-encompassing threat model
Put simply, a digital threat-risk assessment is required. Manea suggests that a team including representatives from the IT department, business units, and upper management work together to create a security-threat model of the organization—keeping in mind:
What would an attacker want to achieve?
What is the easiest way for an attacker to achieve it?
What are the risks, their severity, and their likelihood?
An accurate threat model allows IT-department personnel to implement security measures where they are most needed and not waste resources. “Once you’ve identified your crown jewels and the path of least resistance, focus on adding obstacles to that path,” he said.
3rd mistake: Not getting an independent penetration test
According to Manea, there is no getting around an independent cybersecurity penetration test and evaluation. “Thinking you’re secure without conducting a ‘white hat’ (ethical) hacking assessment is like putting your product on the market before performing quality tests,” Manea said. “You can’t reasonably assert that you’re secure—or report to your board of directors that you are–until you’ve had ethical security researchers try to attack you.”
Manea also said it’s important to conduct penetration tests at least once a year, as new weaknesses are found and new attack vectors are developed all the time. And, as soon as possible, fix identified weaknesses.
SEE: Penetration Testing and Scanning Policy (TechRepublic Premium)
Something Manea does not stress enough is the need to get buy-in from upper management for this type of testing. Bruce Schneier in his post Is Penetration Testing Worth It? said, “You really don’t want a thick report documenting all the ways your network is insecure. You don’t have the budget to fix them all, so the document will sit around waiting to make someone look bad.”
Or worse, what if the penetration test report is discovered in a lawsuit? “Do you really want an opposing attorney to ask you to explain why you paid to document the security holes in your network, and then didn’t fix them?” Schneider said. “Probably the safest thing you can do with the report after you read it is shred it.”
4th mistake: Make cybersecurity an afterthought
C-suite executives and IT-department managers look at cybersecurity very differently. “Companies are often so focused on getting their product or service out the door that they lose sight of their cybersecurity risk,” Manea said. “Fast moving start-ups, in particular, may feel ‘safe’ because they’re flying under the radar—thinking they don’t have enough data, customer information, or money for hackers to care about them—but all of a sudden, their business has grown to the tipping point where it now has value and people are noticing, including hackers.”
Information sharing is the key
Sharing information relevant to a company’s cybersecurity status is paramount. The Department of Homeland Security report Cyber Resilience and Response (PDF) says that allowing stakeholders to create interdepartmental and intercompany relationships will lead to sharing information and resources, and significantly increase cyber-situational awareness, as well as resilience and threat mitigation.
On a much simpler note, sometimes magic happens when people pull together toward a common goal—like survival of the company that employs them.
More about cyber resiliency
If you want to learn more about cyber resiliency, read these TechRepublic articles: How to be cyber-resilient to head off cybersecurity disasters, CISOs forced to adapt to pandemic and other geopolitical risks, Only 17% of global organizations are considered cyber resilience “leaders”, and PwC: Boosting digital resilience is the best defense against cyber attacks.