Critical business processes and services are deeply entwined with IoT devices and third-party cloud providers. Because these new technologies increase overall risk, business leaders must incorporate the idea of resiliency into overall operations. Standard business continuity models don’t work any more.
In the latest Digital Trust Insights report, PwC asked 3,500 business and IT leaders around the world about resilience. The goal was to determine which companies are prepared to withstand and recover quickly from a cyber attack, as well as to understand how these operations have developed this expertise.
Companies with a high resilience-quotient (high-RQ) had mastered or were developing these three capabilities:
- A detailed map of IT assets and business processes
- A reality-checked definition of survivable cyber attacks
- A real-time monitoring system that measures the health of operations
PwC reports that high-RQ group members have shifted their mindset away from the traditional disaster recovery/business continuity model to “resilience by design.” This broad approach involves gaining real-time views of higher-priority processes so that decision makers and responders can react to incidents with a unified front.
About a quarter of the people surveyed fit in the highly resilient group. These companies are more likely than other respondents to have revamped strategies in the face of new threats. They are also more confident that they can manage emerging risks that test resilience (73% vs. 24%).
The report includes polling research from more than 3,500 business leaders about their business and IT practices. Here are the steps that business and IT leaders need to take to become more resilient.
Build a comprehensive asset map
It’s not enough to have a general idea of business processes and IT assets. Managers need to understand the complete picture of how data assets and processes connect to core business services and the corresponding interdependencies. The most striking difference between the high-RQ group and the rest is that 91% of high-RQ companies maintain an accurate inventory of assets.
The PwC report shared one example that illustrates the benefits of taking a detailed inventory:
“…a company mapped what it thought were all 50 of its critical assets and systems in one area, and thought itself well-protected against cyber incidents. Yet when it used software to probe its networks, it uncovered secondary and tertiary connections that brought the number of critical systems to 450—a ninefold increase. By virtue of lying ‘hidden,’ those 450 systems made the organization more vulnerable to disruption.”
Previous PwC research has found that IT professionals consider their capabilities least mature in the “Identify” function of the NIST Cybersecurity Framework. The framework has five functions: Identify, Protect, Detect, Respond, and Recover.
Define what the company can withstand
This is the part where you plan for the worst. A cyber attack has disrupted a core business process. The IT team is still working on a fix. Your leadership team needs to know the nature, severity, and length of disruption the business can endure, before disaster strikes.
About two-thirds of high-RQ respondents have set impact tolerances for critical business services. Only 24% of the rest of the survey respondents have taken this step.
The first step is to define critical business services. The next step is to determine how long these services can be disrupted before the business is crippled. Beyond working this out, the high-RQ group is also more likely to have defined specific metrics based on these impact tolerances.
Once you define the scope of the hit the business can take, the next step is to test that assumption. PwC recommends simulating a few scenarios with tabletop tests: “Tabletop tests help teams rehearse vital communications during disruptions and discover gaps in governance and other processes. Some go beyond tabletop by mirroring systems in a simulated environment, testing dependencies and connections there.”
This is particularly important if disruptions could result in paying fines to business partners.
Adopt a “resilient by design” approach
This third step is the heavy lift, even for the over-achievers. Only 34% of the highly resilient companies have implemented this final piece of the puzzle. To be resilient by design, companies need to take the work from the other two steps and build an uber-dashboard that tracks, in real time, the performance of core assets and their IT dependencies.
This monitoring system can become a tool to help IT leaders continually revise and refine business processes to respond to threats. Insights from this comprehensive monitoring will help you answer questions such as these:
- Do you need to hold on to assets that increase exposure but don’t add value?
- What alternative recovery methods do you have to restore services if systems cannot be recovered?
- If your company is merging with another, expanding and complicating your network of vendors, risks, and processes, what changes do you need to make in security?
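The three capabilities above (a dependency-aware asset map, impact tolerances per critical service, and a health view that ties the two together) can be sketched as one small model. The following is an added example written for this article, not code from PwC or the report: the asset names, dependency links, and the 30-minute tolerance are all constructed sample values. It shows why an inventory of direct links alone undercounts critical systems (the "hidden" secondary and tertiary connections in the quoted example), which services a single failed component actually touches, and whether a given outage duration breaches the tolerance the business set.

```python
"""Constructed example: dependency-aware asset map, hidden-dependency
discovery, and impact-tolerance checks for critical business services."""
from collections import deque

# Constructed sample inventory: each key is an asset or service, each value
# lists the assets it depends on directly. Names are hypothetical.
DEPENDENCIES = {
    "online-checkout": ["payment-api", "web-frontend"],
    "web-frontend": ["cdn", "auth-service"],
    "payment-api": ["db-primary", "fraud-scoring", "auth-service"],
    "fraud-scoring": ["ml-inference", "db-replica"],
    "ml-inference": ["object-storage"],
    "db-primary": ["san-cluster"],
    "db-replica": ["san-cluster"],
    "auth-service": ["ldap"],
    "cdn": [],
    "ldap": [],
    "san-cluster": [],
    "object-storage": [],
}

# Constructed impact tolerance: minutes of disruption the business has
# decided it can absorb for each critical business service.
IMPACT_TOLERANCE_MIN = {"online-checkout": 30}


def transitive_dependencies(root, deps=DEPENDENCIES):
    """Every asset the root depends on, directly or indirectly.

    Breadth-first walk with a 'seen' set, so shared or cyclic
    dependencies are visited once and the walk always terminates.
    """
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for dep in deps.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def hidden_dependencies(root, deps=DEPENDENCIES):
    """Dependencies that an inventory of direct links only would miss."""
    return transitive_dependencies(root, deps) - set(deps.get(root, []))


def dependents_of(asset, deps=DEPENDENCIES):
    """Reverse lookup: every service or asset that stops working if
    'asset' fails, at any depth of the dependency chain."""
    return {node for node in deps if asset in transitive_dependencies(node, deps)}


def assess_outage(failed_asset, outage_minutes,
                  deps=DEPENDENCIES, tolerances=IMPACT_TOLERANCE_MIN):
    """For each critical service with a tolerance, report whether the
    failure of 'failed_asset' reaches it and whether an outage of
    'outage_minutes' exceeds the tolerance the business defined."""
    report = {}
    for service, tolerance in tolerances.items():
        impacted = (failed_asset == service
                    or failed_asset in transitive_dependencies(service, deps))
        report[service] = {
            "impacted": impacted,
            "tolerance_min": tolerance,
            "breached": impacted and outage_minutes > tolerance,
        }
    return report


if __name__ == "__main__":
    svc = "online-checkout"
    direct = DEPENDENCIES[svc]
    full = transitive_dependencies(svc)
    print(f"{svc}: {len(direct)} direct dependencies, "
          f"{len(full)} in total, {len(hidden_dependencies(svc))} hidden")
    print("Affected if san-cluster fails:", sorted(dependents_of("san-cluster")))
    print("45 min san-cluster outage:", assess_outage("san-cluster", 45))
    print("10 min cdn outage:", assess_outage("cdn", 10))
```

In this constructed graph the checkout service lists only two direct dependencies but actually rests on eleven assets, and a storage cluster two hops below the database turns out to sit under five of the twelve inventory entries. Feeding real inventory data into the same structure is what turns an asset list into the kind of map the high-RQ companies maintain, and the tolerance check is the simplest form of the metric the report says those companies define on top of it.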
To build a team to manage this system, you may have to bring people together who have never worked together on threat intelligence or coordinated restore-and-recover actions before.
PwC stresses that collaboration is key because “the exposures you face today cannot be adeptly managed without visibility and communication across all affected areas.”