This post is also available in: 日本語 (Japanese)
Too often, I find that organizations believe they are “cyber ready” without considering “cyber resilience.” Over the course of assisting hundreds of clients of all sizes across all industry verticals, it's become clear to me that many organizations would benefit from understanding what it means to be cyber resilient, how to achieve resilience and why resilience should be top-of-mind for executives. This understanding makes it possible to prepare for a cybersecurity incident proactively, and to get the most out of the time and effort required.
Organizations typically determine their state of “cyber readiness” based on implemented offensive and defensive security measures – in other words, how prepared and capable the organization is to “block and tackle” cybersecurity threats. While blocking and tackling undoubtedly play a role in thwarting threat actors, this conventional approach to security does not specifically highlight business considerations and complexities. How can organizations ensure that, even while handling the consequences of a cybersecurity incident, customers are satisfied, business objectives are met, critical systems are available and sensitive data is protected? This is where cyber resilience comes into play.
Cyber resilience is a tactical state of preparedness that enables organizations to pivot business delivery mechanisms and core system functionality to minimize business disruptions and maintain reputation in the event of a cybersecurity incident. To summarize: Resilient organizations can continue delivering critical services, even when navigating a cybersecurity incident, because there is a tactical plan for how to operate in a degraded state. Organizations that have a thorough understanding and dedicated approach to resilience will thrive above competitors when faced with a cybersecurity incident – minimizing business disruptions, maintaining customer trust, lessening the remediation timeline and lowering the overall cost of a breach.
Achieving a state of cyber resilience does not happen overnight. Organizations should consider the following steps when building a foundation of resilience.
First, organizations must thoroughly understand their current resilience posture – inclusive of capabilities, practices, risk tolerance and business objectives. In order to identify current-state cyber resilience, organizations should conduct an assessment against a dedicated cybersecurity resilience framework. This is different from a conventional cybersecurity risk assessment due to an additional emphasis on operational requirements and organizational mission, objectives and goals. It is important to choose a framework that is inclusive of resilience-specific techniques, safeguards and processes such as service continuity management, situational awareness and external dependency management. For example, the Cybersecurity and Infrastructure Security Agency (CISA) offers extensive resources to assist organizations in defining current-state resilience posture.
It is impossible to protect infrastructure that you don’t know exists. Organizations should ensure that the attack surface, inclusive of assets and data, is meticulously managed. Additionally, it is essential to consider implications arising from the use of “Shadow IT” or cloud-based applications. Organizations should deploy appropriate tools or configurations to restrict the use of non-authorized software, hardware or applications wherever possible. Most importantly: “Crown Jewels” (i.e. critical business/service infrastructure) must be identified, managed, monitored, protected, prioritized and maintained. Resilient organizations recognize the value and necessity of putting security above convenience when it comes to ensuring their most critical assets are protected. For example, small steps such as leveraging application allow listing, disabling extraneous system functionality and implementing the principle of least privilege can significantly reduce attack surface risks.
Resilience is not achieved by maintaining homeostasis. It is essential to regularly “stress test” critical infrastructure, services, capabilities and organizational dependencies. Stress testing can be accomplished by introducing aspects such as complex breach scenarios, technical testing and controlled threat deployment to the most critical areas of an organization. It is essential to continuously push the envelope – conducting the same “paper-based” annual tabletop exercise to simply check the box is not enough. Organizations should explore tactical exercises that aim to specifically target the most critical assets – chipping away at defensive capabilities and controls. This can be accomplished through “Purple Teaming,” in which offensive tactics and techniques are strategically applied in order to test – and hopefully validate – the success of defensive cybersecurity measures. Purple Teaming provides extremely valuable insight regarding how weak or underperforming defensive controls can be improved.
Additionally, organizations should ensure that purposeful “lessons learned” meetings are conducted after all stress testing exercises. Specific projects, initiatives or takeaway actions to drive continuous improvement should be the key outcomes of every lessons learned meeting.
Most organizations believe they have a backup plan for service delivery – whether that be an alternate business site, maintained network backups, or processes for outsourcing service responsibilities to a partner or third-party. However, the majority of organizations have no idea how they would actually go about executing an alternative service delivery plan. In fact, most organizations are not even confident about how they would (or if they could…) complete a full network restore by leveraging backups. Most alternative service delivery plans sound great in theory, but they are not realistically as effective and efficient in practice. It is essential for organizations to identify, test, re-test and continuously improve alternate paths and processes to deliver critical services. By ensuring that alternative service delivery plans work like well-oiled machines, organizations can quickly pivot when core assets become unavailable during an incident, minimizing business disruptions and associated costs. While these exercises tend to be very planning-intensive, and sometimes costly, organizations that are hit with ransomware or another service-disrupting cyberthreat will save precious time and money by ensuring alternative delivery plans are fine-tuned.
It is essential that organizational leadership is aligned on the answers to these and similar questions. Leaders should ensure that decision trees are formally defined and socialized with key stakeholders to facilitate discussion and buy-in. When a change in stakeholder personnel occurs, these decision trees should be revisited and updated as required. Having the tough conversations before an incident occurs will save valuable time and enable organizations to focus on what matters most – maintaining critical operations and recovering to a state of normalcy.
It is typical for cybersecurity to be left off of the roster during board or executive meetings. Organizations shy away from overloading business-minded leaders with security operation metrics, information about new risks or threats, and reports on the status of tools and technologies due to a fear of being “too technical.” However, resilient organizations are invested in permeating security throughout their workforce – including the most senior leaders.
Cyber insights and data points should be correlated with key performance indicators (KPIs) and security metrics that should be shared in the boardroom. “Meaningful” metrics are not necessarily synonymous with “highly technical” metrics. Consider your organization's primary mission, customer commitments and regulatory requirements; this is a great starting point for developing insightful metrics that demonstrate how cybersecurity plays a role in organizational success. These metrics can inform data-driven decisions regarding business investments, resourcing, strategic roadmaps and budget allocation.
Cybersecurity resilience is achieved by shifting organizational culture, and should be a topic that is frequently discussed with the board of directors or senior executives. Given our increasingly digital world, it is imperative that business leaders are equipped with the facts and knowledge that is required to successfully navigate cybersecurity risks, dependencies and business considerations.
If you’re ready to get started on strengthening your cyber resilience, Unit 42 offers a number of proactive assessments, including the Ransomware Readiness Assessment and the Business Email Compromise (BEC) Readiness Assessment.
Unit 42 Principal Consultant and cybersecurity risk management expert LeeAnne Pelzer has written several proactive security articles, including her series on the true cost of cybersecurity incidents. Follow her on LinkedIn to be notified of future publications and insights.