Nature is inherently designed for resilience. The way trees are designed to bend but not break under the weight of high winds, storms, and snow, how they automatically renew and heal each season – we can learn a lot about resilience from nature and it is time for organisations to take a similar approach to cybersecurity.
What is the link, you may ask? Well, nature recognises that things can and inevitably will go wrong. That’s equally true of security incidents – there is no question that they will occur.
We believe that certainty in cybersecurity is unattainable: absolute security is impossible.
What is attainable is a different approach to the architecture of systems and processes, a shift from cybersecurity to cyber resilience, built on systems that are highly automated, distributed, over-designed and redundant.
A few industries have already done it
In civil and mechanical engineering, over-designing systems is a must. One can imagine how important it is to have self-contained redundant systems to keep aircraft aloft no matter what happens.
In the information technology realm, however, resilience has had a mixed track record. Technologists in the 1980s tried and failed to design ‘failure-proof’ systems.
After much experimentation and research, they shifted their approach and developed ‘fail-over’ systems that automatically switched to an alternate site when a failure inevitably occurred. These alternate sites were fully equipped data centres, but expensive to maintain, and they only took over after the failure had already happened.
More recently, systems have been architected to be ‘fault tolerant’: they continue to deliver the intended outcome while a failure or adverse cyber event is in progress, rather than switching over after the fact.
Organisations thus design their systems to be difficult to attack and to limit impact and loss when an incident does occur.
While you can never fully predict exactly when or how adversaries will initiate an attack, you can prepare continuously. Cybersecurity is about reacting, while cyber resilience is about anticipating.
Cyber resilience progress
In the 2018 study Shifting From Cybersecurity To Cyber Resilience, we detail six ways organisations can plant strong roots for cyber resilience. But how well are organisations actually adopting these practices, and how successful are they at attaining resilience?
We sought to address that question by conducting a survey evaluating 33 cybersecurity capabilities across seven domains:
- Business exposure
- Cyber response readiness
- Strategic threat context
- Resilience readiness
- Investment efficiency
- Governance and leadership
- Extended ecosystem
We asked respondent organisations to rate their own performance from ‘1’ (no or very limited capability) to ‘7’ (extremely competent). The results showed five top strengths and five top weaknesses in terms of cybersecurity capabilities.
The following capabilities were rated a ‘7’ and emerged as strengths in the survey results:
- Risk analysis and budgeting: Budget provisions exist for the protection of major assets and processes, the budget is designed to fund both defence and resilience, and accountability for the security budget covers cybersecurity.
- Cyber response readiness: Defined escalation paths exist based on incident impact. Cyber incidents are escalated to the most appropriate management level, involving local, national and international agencies where needed, and the trade-off between impact and time is considered.
- Resilience readiness: Organisations have integrated a cybersecurity recovery plan into business continuity and disaster recovery strategies, with the plan updated based on environmental changes. They restore cybersecurity controls after a cyber incident and routinely test cyber recovery capabilities using pre-defined test cases.
- Cybersecurity architecture approach: Defined policies ensure investment in the future enterprise security architecture on a cybersecurity-first foundation, and a dedicated team is responsible for designing that architecture.
- Strategic threat intelligence: This is about anticipating future threats. Respondents affirm that they regularly communicate the results of peer monitoring to the business and IT organisations, and that the process is continually reviewed and improved.
The following capabilities were rated a ‘1’ and emerged as weaknesses:
- Identification of high-value assets and business processes
- Design for protection of key assets
- Physical and safety risks
- Cybersecurity investments for key assets
- Third-party cybersecurity clauses
Overall, the results show that there is an opportunity to weave cybersecurity impact assessment into every new initiative and to strengthen organisation-wide awareness of the importance of key assets and processes.
Fewer than 20% of respondents told us that their organisation’s design principles segregate operational, functional and corporate risks while also protecting cyber controls and their highest-value assets. Furthermore, only a fifth of respondents have policies to enforce active defence in provider and partner contracts.
Most have no clear accountability for those contracts, and the contracts are not updated regularly as new threats emerge. By contrast, the extremely competent organisations incorporate protection into their local and global investment processes, and their senior leadership oversees the protection of key assets and processes, reviewing and improving performance through dashboards and reports.
Creating the right conditions
In nature, there is a rhythm to growth and renewal. Just as living creatures take time to fully develop, so does cyber resilience.
Organisations have built their current infrastructures one system, one data set at a time, and cyber resilience will be achieved in the same way – the journey won’t be completed overnight.
Throughout the process, it is important for organisations to nurture the right cultural conditions by fostering a mindset of resilience. People and processes from across departments need to be adapted and brought together for a complete view of what is most valuable and how best to protect it.
An agile, managed approach that allows change and growth while safeguarding daily operational objectives will minimise negative impact and loss of confidence among clients and partners.
By integrating IT modernisation and cyber security investments, organisations can achieve the biggest impact and be positioned for true cyber resilience. Heavy snow and rains will come, so prepare for the worst – be the tree that bends but doesn’t break.
We fully embrace participation in the Fourth Industrial Revolution (4IR) and had been actively innovating in the technology space for many years before it.
Securing digital transformation is a core theme for us, and we have become an intelligent operations partner of choice for organisations that want to navigate the continual change of digital transformation.
We have worked with clients across the globe to plan and manage cloud rollouts that comply with local regulations, assessing and mitigating operational risks and helping them gain regulatory approval.