What Does It Mean to Be Cyber Resilient?
Resiliency is a popular trending term describing anything from personality traits to business enterprise models, but what does it really mean to be resilient?
So what is cyber resiliency?
Cyber resiliency is an ever-evolving construct centered on ensuring the security, recoverability, and continuity of systems and networks in the context of their value to a company. More specifically, a cyber resilient company can adequately train personnel and maintain the readiness of its resources, rapidly adjust system or network requirements when failures and damage occur, and continue business interactions regardless of the threat event. This means that the company has a strong grasp of the value of each resource exposed during a disaster and a solid order of operations for keeping the system or network safe, using multiple contingency plans. As a result, a strong cyber resilient business plan allows the company to continue to grow and become stronger, just as a person might, in the face of adversity.
How do you apply cyber resiliency?
Think of cyber resiliency as a cycle of continuity and growth. This cycle relies on four major steps that continuously revolve to drive a company toward success.
The Cycle of Cyber Resiliency
Prepare – Adapt – Respond – Recover
Prepare: This is the first step in any cycle. In order for someone to walk, they must first learn to stand. Few people go from sitting to walking without first standing. Similarly, few companies go from small office software development to conglomerate business-to-business advertising without experiencing growing pains. To be resilient, they must prepare for obstacles like building location changes and power failures, just as a child would prepare for corners and slippery floors. But these steps are just the basic disaster recovery plan objectives.
A cyber resilient company must develop an entirely new set of preparation objectives from the perspective of online continuity and safety. This continuity and safety doesn’t just deliver business, such as running an e-commerce site or protecting transferred and stored data; it also keeps the business safe, just as a GPS-coordinated driverless car is equipped with safety fallback features in case the location system is interrupted or hacked. An organization must likewise be fully prepared for resources to fail, and ensure that there are instinctual responses for maximum safety and continuity.
Adapt: When we think of adaptation, we think of changing or adjusting a behavior or response because an obstacle has stopped our ability to accomplish an objective. Returning to our walking example, suppose that a child learning how to walk comes across an obstacle that impedes his forward movement. That child would need to adapt to his environment by maneuvering around the obstacle in order to continue walking. A resilient company might do the same by moving from an unsafe location to a safe one because of a natural disaster. Adaptation takes many forms, and for cyber resiliency it defines how a business will change to better safeguard data and technology in order to ensure that operations will continue smoothly.
Respond: The third phase within the resiliency cycle is often thought of as how to withstand a disaster, but the focus should instead be on the response. In the event of a dog attack, a person does not just sit around as the dog bites them, waiting for it to be over. Similarly, a company does not just sit by during a cyber attack and wait until all the data from a server is stolen; it responds. Success or failure when responding to a disaster depends on whether the company follows a well-developed plan or suffers a last-minute fumble due to lack of preparation. The response may involve disconnecting a system, or moving to a backup generator for power, but from a cyber resiliency perspective it involves an entirely different approach to prevent failure and ensure safety. Instead of merely reacting to ongoing events, such as rushing to make backups and finding secondary devices to start, a cyber resilient company tries to stay ahead of the curve. It may isolate the critical system from the failing system, preemptively start a recovery to a backup device, and initiate any failsafe mechanisms that prevent harm, loss, or damage, ultimately staying ahead of the disaster.
Recover: In a resilient system, recovery involves addressing the failures, articulating necessary improvements, and sharing the lessons learned after a disaster. This process may include identifying key components and the roles they play in the system, and evaluating their value and mission-critical priority. If a person went skiing and brought a jacket with a poor chill rating, they might recover by creating a plan that involves bringing a warmer jacket for the next trip and never using the cold one in the future. Losing power at a corporate facility because of a flood might lead the company to create a backup site or create clusters in the cloud that allow continuous operations regardless of local damage. Due to the nature of hardware and software design, disasters and vulnerabilities are inevitable, and so it is vital to develop a recovery strategy that improves upon each previous response.
Why does it matter?
As cyber security risks and vulnerabilities increase, so too must the strategies used to combat them. A company must become not just resilient and ready for disaster, but cyber resilient. It must be ready for any disaster, recognizing that at any time a disaster may also involve the online and networked hardware and software that are critical for safety and security. Readiness and preparedness will not be enough. Cyber resiliency is a cycle of combating disaster, not an event, and so a company must be ready for cyber attacks to happen again and again. Adopting the cyber resiliency cycle will ensure that business continuity will prevail as the champion amid disaster.