It Is Time to Focus on Cyberresilience

Jack Freund
Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 25 August 2021

Tips of the Trade

The events of 2020 brought the need for organizational resilience to the forefront of everyone’s mind. Employees found themselves working to ensure the delivery of key products and services as securely as possible. Some organizations leveraged existing disaster recovery and business continuity plans, while others expanded existing work-from-home (WFH) programs and increased their network capacity. Much has been written about the need for cybersecurity throughout this rapid rollout of new and expanded WFH strategies and the accelerated (or entirely new) implementation of digital transformation models. Compounding these security concerns was a sharp increase in ransomware activity that significantly disrupted business operations. Given these circumstances, it is easy to see that cybersecurity is more valuable now than before, yet the same challenges remain in gaining traction for cybersecurity initiatives within organizations. One strategy for bridging this gap is to think less about cybersecurity and more about cyberresilience.

Cyberresilience may seem like a relatively new term, but it has been in the zeitgeist since US President Barack Obama’s administration introduced it via US Presidential Policy Directive 21 (PPD-21) in 2013, with the US National Institute of Standards and Technology (NIST) releasing a cyberresilience standard in 2014. These documents have since been eclipsed in popularity by the NIST Cybersecurity Framework (CSF), but their philosophical underpinnings are just as important today as when they were introduced. They establish cyberresilience as a combination of cybersecurity and business resilience. Essentially, it is an umbrella term for what many in the cybersecurity community have long been calling for: better business alignment. Cyberresilience is more important now than ever. With the growing number of digital-first businesses and legacy organizations transitioning to a digital marketplace, everyone needs stronger connections between technology and the overarching business plan.

Achieving cyberresilience means developing an engineering and architectural approach to systems development that allows a series of resilience techniques to be implemented. It begins with a solid risk management strategy, preferably one underpinned by cyberrisk quantification (CRQ) to better connect cyber events to business impact. The outputs of these risk assessment activities inform a prescribed approach to strategic and structural designs that support 4 key goals for technology solutions: anticipate, withstand, recover and adapt. These 4 categories have cognates in the NIST CSF paradigm, but they make it explicit that security incidents can happen at any time—and that systems should be designed with that in mind.

Cyberresilience encompasses the entire systems development life cycle (SDLC), including acquisition strategies, functional and nonfunctional requirements, architecture and design, implementation, and testing. It also calls for processes that replicate adversarial testing, which in turn requires design principles supporting backup and recovery, surplus capacity, replication and general adherence to continuity-of-operations techniques. In essence, cyberresilience integrates many penetration testing (pen testing) and red-teaming practices into the design and test phases of the SDLC, and it is something all practitioners should focus on from both a design and a risk reporting perspective. Practitioners should consider adding cyberresilience metrics to their security programs to better connect business operations with cybersecurity.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, is head of cyberrisk methodology for VisibleRisk, coauthor of Measuring and Managing Information Risk, a 2016 inductee into the Cybersecurity Canon, an ISSA Distinguished Fellow, a FAIR Institute Fellow, an IAPP Fellow of Information Privacy and the recipient of ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award.