What Does it Mean to be Cyber Resilient?
Resiliency is a popular trending term describing anything from personality traits to business enterprise models, but what does it really mean to be resilient?
So what is cyber resiliency?
Cyber resiliency is an ever-evolving construct centered on ensuring the security, recoverability, and continuity of systems and networks in the context of their value to the company. More specifically, a cyber-resilient company can adequately train and maintain the readiness of its resources and personnel, rapidly adjust the system or network requirements when failures and damage occur, and continue business interactions regardless of the threat event. This means that the company has a strong grasp of the value of each resource exposed during a disaster and a solid order of operations for how to keep the system or network safe, using multiple contingency plans. As a result, a strong cyber-resilient business plan would allow the company to continue to grow and become stronger, just like a person might, in the face of adversity.
How do you apply cyber resiliency?
Think of cyber resiliency as a cycle of continuity and growth. This cycle relies on four major steps that continuously revolve to drive a company toward success.
The Cycle of Cyber Resiliency
Prepare - Adapt - Respond - Recover
Prepare: The first step in any cycle. In order for someone to walk, they must first learn to stand. They must be prepared to walk. Few people go from sitting to walking without first standing, just as few companies go from small office software development to conglomerate business-to-business advertising without growing pains. To be resilient, they must prepare for obstacles like building location changes and power failures, just as a child would prepare for corners and slippery floors. But those steps are just the basic disaster recovery plan objectives.
A cyber-resilient company must develop an entirely new set of preparation objectives based on the perspective of online continuity and safety. This continuity and safety is not just serving business from an ecommerce site and protecting the data transferred or stored, but also keeping a GPS-coordinated driverless car connected with safety fallback features, in case the location system is interrupted or hacked. An organization must be fully prepared for resources to fail, ensuring instinctual responses for maximum safety and continuity.
Adapt: When we think of adaptation, we think of changing or adjusting a behavior or response because an obstacle has stopped us from carrying it out. For instance, suppose someone eats two eggs and toast every morning for breakfast, but someone else comes along and eats the last two eggs. Now that person has to compromise and eat something else. A resilient company might do the same by moving from an unsafe location to a safe one because of a natural disaster. Adaptation takes many forms, and for cyber resiliency it defines how a business will change for the protection and safety of the user, data, or device to ensure that operations will continue smoothly.
Respond: Typically in a resiliency cycle, the third phase tends to focus on withstanding a disaster, but really the focus should be on the response. A person does not just sit around while a dog bites them, waiting for it to be over, and a company does not just sit by until all the data from a server is stolen; they respond. For a company, responding to a disaster may be a well-developed plan or a last-minute fumble, depending on the preparation. The response could be disconnecting a system, or moving to a backup generator for power, but from a cyber resiliency perspective it may involve an entirely different approach to failover and safety. Instead of rushing to make backups and find secondary devices to start, the company may have already initiated a response. They may isolate the critical system from the failing system, preemptively start a recovery to a backup device, and initiate any failsafe mechanisms that prevent harm, loss, or damage, ultimately staying ahead of the disaster.
Recover: In a resilient system, recovery involves addressing the failures, articulating the improvements, and sharing the lessons learned after a disaster. This process may include identifying key components and the roles they play in the system, including their value and mission-critical priority. If a person went skiing and brought a jacket with a poor chill rating, they might recover by creating a plan that involves bringing a warmer jacket for the next trip and never using the cold one in the future. Losing power at a corporate facility because of a flood might lead the company to create a backup site or create clusters in the cloud that allow continuous operations regardless of local damage. Due to the nature of hardware and software design, disasters and vulnerabilities are inevitable, and so it is vital to develop a recovery strategy that improves upon each previous response.
Why does it matter?
As cyber security risks and vulnerabilities increase, so too must the strategies used to combat them. A company must become not just resilient and ready for disaster, but cyber resilient. It must be ready for any disaster at any time, including disasters that affect the online and networking hardware and software critical to safety and security. Readiness and preparedness will not be enough. It must be ready for it to happen again and again. Cyber resiliency is a cycle of combating disaster, not an event. Adopting the cycle will ensure that business continuity will prevail, as the champion amongst disaster.