As digital transformation continues to present new business opportunities for organizations, it also brings unprecedented security risks. This includes a steady barrage of cyber attacks that don’t just lead to data loss, but can also encompass an array of other outcomes, including compliance violations, legal costs, business interruption, and customer churn. As a result, organizations have begun to incorporate the notion of cyber resilience—in addition to cybersecurity—into their organizational security strategy as they seek to both prevent and prepare for cyber events.
According to a recent Forbes survey, more than 82% of survey respondents said their IT security budgets have increased in the last year—and a large portion of these budgets are being allocated to cybersecurity resiliency. The National Institute of Standards and Technology (NIST) defines cyber resiliency as:
“The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
In practice, cyber resilience will likely look very different to every organization, depending on their product, their technology stack, their customers, and their security priorities (e.g., ensuring data privacy vs. preventing service disruption). However, one thing remains the same: resilience is about more than just tech. In this post, we’ll discuss what cyber resilience is, why it matters, and how organizations can implement cyber resilience practices into their approach to people, processes, and technology.
Cybersecurity & Cyber Resilience—What’s the Difference?
Historically, the main purpose of a cybersecurity program has been to protect an organization’s data—especially confidential data (e.g., PII, PHI, and PCI). This was easier when traditional corporate boundaries were finite and contained, but digital transformation has complicated network environments and dramatically expanded the attack surface. At the same time, cybercriminals continue to change their attack methodologies, always looking for new vulnerabilities or access points to exploit.
As a result, a defensive approach alone is no longer sufficient. Instead, organizations must also focus on incorporating the more proactive notion of cyber resilience by seeking to limit the impact of an attack—if one occurs—and its ability to disrupt key business operations. Cyber resilience starts with implementing risk mitigation controls to help prevent an incident, but it also includes what to do after an incident occurs in order to ensure the availability of key business systems.
Why Cyber Resilience Matters
Researchers have detected over 131 million new malware variants in the last 12 months and nearly 34 ransomware variants in Q4 of 2021 alone. It takes an average of 92 minutes for a threat actor to establish a foothold in an organization’s environment and begin moving laterally, and organizations often take an average of 287 days to identify and contain a breach. Taken together, these statistics are sobering, but that doesn’t mean there’s nothing to be done.
While cyberattacks may seem inevitable, organizations cannot surrender to that idea. Instead, they must shift their strategy to focus on enhancing their ability to quickly identify a breach, minimize its impact, and ensure business-critical operations remain viable. The reality of cyberattacks must drive organizations to enhance their preparedness, and a key to doing so is to focus on organizational cyber resilience.
To maximize an organization’s ability to maintain business-critical functions, it is imperative that cybersecurity teams understand the overall business strategy and balance their cybersecurity approach to align with the overall mission. Understanding what drives the business forward allows an organization to build a resiliency approach that shifts from defense to offensive proactive measures.
Key Trends in Cyber Resilience
While a framework has not been specifically curated for cyber resilience to date, many trends are taking a strong foothold amongst cybersecurity programs that include a focus on people, processes, and technology.
Develop Succession Planning: Retention rates in the field of cybersecurity are at an all time low. As a result, it is important to ensure there is no single knowledge holder on a cybersecurity team. Succession planning allows security teams to plan for expected and unexpected events around key personnel. Additionally, such planning allows current leaders to actively train their workforce and ensure the next generation of defenders receive the time and attention they need to develop into the next era of leaders, a key to resilience.
Minimize Team Stress: Minimizing burnout is imperative to ensuring cybersecurity teams are able to maximize their part in resiliency. Giving teams an opportunity to air grievances—like unrealistic responsibilities or lack of necessary tools—and showing progress in addressing those grievances is key. Investing in automated technology that can reduce the workload of team members—such as breach and attack simulation (BAS) tools that fully automate and simulate thousands of attacks—also plays an important role in increasing resiliency and reducing burnout.
Provide Clear Development Paths: Providing opportunities for team members to continue their education and see a clear career path for growth and promotion within an organization are critical in keeping members engaged, getting their buy-in, and showing appreciation for their efforts. A career roadmap will also allow employees to prepare for their potential future responsibilities, so there is no gap to be filled when the time comes to promote internally.
Document Current State: Before an organization is able to increase resilience, they need a thorough and accurate understanding of the existing escalation routing process for incidents, the team members that are responsible for specific activities within that process, and where cyber events would have the most debilitating effects. Through a thorough current-state assessment, where organization’s map their environment to standards such as NIST or ISO, they can then prioritize their resiliency approach to focus on streamlining their escalation processes and limiting disruption to key systems and operations.
Invest in Proactive Training: One of the key shortcomings of incident response teams is their lack of muscle memory when in a crisis based on their limited experience with real-world breach scenarios. Organizations must invest in opportunities to help build the muscle memory necessary to adequately handle a cyber incident by leveraging technologies that can realistically simulate cyberattacks. Available tools, like BAS platforms, can provide valuable hands-on training, which is not typically part of a tabletop exercise, to ensure security teams have the knowledge and skills necessary to effectively detect, investigate, and respond to a real attack when the time comes.
Iterate Response Processes: A key to building a resiliency program is an organization’s ability to perform lessons learned and iterate incident response processes appropriately. BAS solutions give security teams the hands-on experience needed to test processes and technology with real-world scenarios, while providing valuable data about failures and areas in need of improvement. That information can be used to iterate and re-test to ensure improvements had the intended effect. Given the ever-changing landscape in cybersecurity, a resiliency program needs to continually be improved to stay on top of the latest threats.
Optimize Effectiveness: Ensuring cybersecurity technologies are properly configured and deployed is key to a resilient security approach that ensures an organization is able to withstand an attack of any significance. Continuously testing security controls—with a tool like BAS—can identify misconfigurations and necessary remediations, check whether remediations worked by re-running simulations, and provide data to show that optimizations improved key metrics like mean time to detect (MTTD) and mean time to investigate (MTTI). This not only enhances resilience by enabling teams to detect, investigate, and respond more rapidly, but it can also help organizations eliminate unnecessary or redundant tooling.
Investment in Proactive Tools: When investing in technology, an organization’s cybersecurity team should select tools that support a proactive strategy, will align with the organization’s business approach, and will harden security operations to effectively respond to a cyber event. BAS tools have proven to be a fast-rising investment category in this area due to their ability to address many of the cyber resilient strategies listed above. BAS not only helps guide an organization along their security journey but provides a quantitative level of assurance that organizations can share with key stakeholders.
While cybersecurity’s approach to minimizing the risk of an attack is still important, organizations must also begin investing in a proactive approach that seeks to also limit the impact of a security incident. Organizations that have been successful in enhancing the resilience of their cyber programs have used the strategies above to continuously test, validate, and support the people, processes, and technologies that play an integral role in their cybersecurity strategy.
BAS solutions have proven to be a valuable complement to many of these strategies, by providing an effective way to automate security control testing, train security teams, and optimize processes and tool configurations. Interested to see if the SafeBreach BAS platform can help your security team? Connect with a SafeBreach cybersecurity expert to discuss your use case or schedule a personalized demo today.