Cyber resiliency means the organization can keep working regardless of what cyber attackers “can throw at me,” says Rosalie McQuaid, cyber resiliency department manager at MITRE, a not-for-profit entity, which operates federally funded R&D centers and public-private partnerships.
“It’s not about going down and recovering, where you might have slower or degraded operations. That’s really reactive,” McQuaid says. It’s akin to the catchphrase of the decades-old Timex watch ads, which feature watches surviving all manner of attacks where they “take a licking and keep on ticking.”
Clyde agrees, saying organizations who must pay a ransom to restore functions following a successful ransomware attack or revert to analog processes while IT restores compromised systems may have implemented “reasonable short-term solutions but they’re not cyber resilient.”
Saugat Sindhu, senior partner and general manager at IT consulting and services firm Wipro, makes similar observations, pointing to Colonial Pipeline’s performance in the aftermath of the ransomware attack it suffered in May 2021. The company recovered after paying a ransom, and it continued as a business. However, its decision to shut down its main business function — moving fuel through its pipelines — to help contain the damage did not demonstrate resiliency.
“In the case of cyber resiliency, if systems get compromised, there are other systems that can pick up and maintain BAU — business as usual,” adds Sindhu, leader of the Wipro’s strategy and risk practice.
High-level actions around cyber resiliency
That focus on BAU may explain increasing interest in and discussion around cyber resiliency. In the US, for example, the President’s Council of Advisors on Science and Technology (PCAST) in March 2023 initiated a working group on cyber-physical resilience, saying in an announcement that “the tightly coupled inter-dependencies among physical and digital components in systems can lead to high levels of ‘brittleness,’ when even minor disruptions lead to wide-scale and unpredictable effects.”
It continued: “We need a different approach, not just to defend ourselves from cyber-attacks and failures, but to presume that attacks will always get through and that failures of components are unavoidable. We need to be resilient in the face of attacks and failures so we can withstand or recover quickly. This needs a fundamental re-imagining based on taking a holistic, systems-thinking approach.”
The Information Systems Security Association (ISSA), a nonprofit professional organization for information security professionals, has its Cyber Resilience Special Interest Group.
And the European Union has its Cyber Resilience Act, a proposed legal framework governing the cybersecurity requirements for hardware and software products placed in the EU market.
Demonstrating cyber resiliency
Enterprise executives are also thinking about cyber resilience, according to an October 2023 report, The Cyber-Resilient CEO, from professional services firm Accenture. For the report, Accenture studied the cybersecurity practices of 1,000 CEOs of large organizations and found that 96% agreed that cybersecurity “is a key enabler for organization growth and stability.”
However, it found that 74% were concerned about their organization’s ability to avert or minimize damage to the business from a cyberattack.
“It is a disconnect that highlights that a majority of CEOs lack confidence that their organizations are truly cyber resilient, and their uncertainty is reflected in how they prioritize their cybersecurity investments,” the report’s authors concluded.
Furthermore, Accenture used its own index to benchmark 25 leading practices that measure cybersecurity resilience and found only 5% of CEOs lead on cybersecurity resilience.
An actual cyber event would certainly test whether those CEOs are as resilient as they appear and whether the remaining 95% are better or worse than they think.
However, security leaders point to other (safer) methods for measuring enterprise cyber resiliency — methods that allow CISOs to assess where they are, track improvement over time and articulate findings to their executive colleagues, their CEOs and the board itself.
Such analysis may seem like an esoteric exercise, says Sergio Tenreiro de Magalhaes, chief learning officer at Champlain College Online and an associate professor of cybersecurity and digital forensics.
“But it’s actually a concrete action you can take,” he says, adding that he believes cyber resiliency measures the organization’s ability “to provide a level of service that they’re comfortable with when under attack.”
Tenreiro de Magalhaes and others point to specific frameworks and assessment tools.
MITRE’s Cyber Resiliency Engineering Framework (CREF) is the oldest. In February 2023 MITRE released its Cyber Resiliency Engineering Framework (CREF) Navigator, a free, visualization tool that enables organizations to customize their cyber resiliency goals, objectives and techniques.
Meanwhile, NIST has its publication of 800-160 v2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.” According to NIST, the publication “helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems — including hostile and increasingly destructive cyber-attacks from nation-states, criminal gangs, and disgruntled individuals.” (MITRE’s Navigator is aligned with the NIST SP 800-160 v2.)
Another tool that some cite is the CMMI Cybersecurity Platform from ISACA, which ISACA promotes as a tool to help organizations build cyber resiliency.
Commercial products to assess and measure an organization’s state of cyber resiliency are also available.
Cyber resiliency means practicing due care and diligence
As is the best practice when using other cybersecurity frameworks and assessments, these frameworks and assessments are not one-size-fits-all nor are they meant to be used as merely a check-the-box exercise, says Erik Avakian, technical counsellor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania.
Rather, Avakian says they prompt CISOs to ask whether their organization “can anticipate attacks and can withstand them with the right controls and capabilities.”
“It’s about practicing due care and due diligence from a cybersecurity standpoint and having a layered defense with a layered people-process-and-technology-driven program with the right governance and services and tools to enable the mission of the organization so that if there’s an event, you can recover and adapt to keep business running,” he adds.
To do that, CISOs and their executive colleagues must have their cybersecurity basics well established — basics such as knowing their tolerance for risk, understanding their IT environment, their security controls, their vulnerabilities, and how those all could impact the organization’s operations.
CISOs aren’t limited to these frameworks or the assessment tools created specifically to measure cyber resiliency, says Tenreiro de Magalhaes and others.
CISOs can also run tabletop drills and red-team exercises to test, measure and report on resiliency. Repeating such drills and exercises can then track whether the organization’s cybersecurity program as well as specific additions to it help improve resiliency over time, experts say.
In fact, some say even anecdotal markers can help CISOs and executives get insights into their level of cyber resiliency.
Bergamo, for one, says she can get a sense of whether an organization has any degree of resiliency by looking at the security department’s everyday state.
“If they’re not running around dazed and crazed, they’re doing something right,” she says. “But those teams who are running around with hair on fire don’t have resiliency,” They’re just in defense mode.”