Cyber resilience must not be used to legitimise window-dressing practices around cyber security
Although the theme is gaining momentum, there is a certain amount of confusion around what cyber resilience really means for organisations.
For many, it is just another piece of consultant jargon: An abstract managerial concept with little real-life substance or meaning.
As a matter of fact, it is very real and rooted in the “When-Not-If” paradigm around cyber attacks which is changing completely the dynamics around cyber security in many firms.
At the heart of cyber resilience lies a real application of “defence in depth” principles which have been well established for decades: Acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically. It is about the enterprise being enabled by the use of data and technology, whilst remaining protected from active threats.
It requires managerial and governance practices to be active across corporate silos and the supply chain (once again, functionally and geographically), and it cannot be dissociated from a broader approach to operational and corporate resilience.
It is hard to deliver at scale and presents many large organisations with significant cultural challenges. So the temptation is high for many to over simplify it and to focus only on alleged quick wins.
Of course, the “When-Not-If” paradigm implies that security breaches are unavoidable. But it does not represent a licence to ignore all protective, detective and mitigative measures to focus only on the reactive ones. This is the type of simplistic approach to “resilience” which may put a few ticks in audit or compliance boxes, but in the long term, can only aggravate security postures and lead to regulatory issues, in particular in the face of a worldwide tightening of regulations around the protection of personal data.
“Cyber resilience” cannot be limited to an annual desktop exercise with board members and corporate functions during which they simulate how to react to a cyber-attack, in order to minimise the impact on the share price, media coverage or the reactions of customers.
All those factors are important, but “cyber resilience” must not turn into an excuse to legitimise a top-down window-dressing culture around cyber security practices.
Corporate resilience is the ability of an organisation to continue operating in the face of disruptive events, and to return to normal operations over time. It implies a deep knowledge of operational processes, their integration and their inter-dependencies. It also implies a deep knowledge of the supply chain and its actors.
To operate efficiently in disrupted situations, it also requires a collaborative and positive culture, which needs to be created and fostered from the top down.
All this is even more acute in cyber resilience scenarios, due to their relative novelty, the speed at which the organisation often needs to react and the technical complexity which may be involved.
Instead of being treated as another box checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel a different culture from the top down around cyber security:
- A culture where cyber security (the need to protect the business from cyber threats) and the protection of individuals’ privacy are not just matters of risk management or necessary evils imposed by compliance and regulations, but key business concepts and – increasingly –matters of competitive advantage and of corporate social responsibility.
- A culture which fosters the transversal nature of many security problems in large firms (looking across corporate silos, and certainly much beyond the mere technology horizon), because the security measures needed to protect the firm are transversal in nature: Their execution is the only factor that will protect the business and it requires transversal capabilities
- Finally, a culture rooted in transparency around security breaches because trust is the cornerstone of the digital economy and transparency is its foundation