James Blake is the Vice President of Cyber Resiliency at Cohesity and has over 30 years of experience as a CISO and in incident response.
Politicians, business leaders, professional bodies and vendors are all discussing cyber resiliency. But what is it?
Let’s start with what cyber resiliency isn’t: It isn’t something you own; it is an emergent state you reach once you have built the capability to do the right things.
You can’t buy cyber resilience, despite what many vendors will tell you. Their products may help you achieve that goal, but they won’t get you over the finish line alone. There is a need to operationalize and integrate that technology with the right processes and suitably skilled people who know what they need to do.
Several technical documents and briefing papers exist on cyber resilience that are dozens, even hundreds, of pages long. All of the differing definitions align around an organization’s ability to withstand a cyberattack with minimal disruption. Most of them also have these three components:
• To be prepared for an attack.
• The ability to respond to the attack.
• The capability to recover to a secure state from the attack.
The Rise Of Cyber Resilience
One of the main reasons the focus has shifted from cybersecurity to cyber resilience is the rise in destructive cyberattacks. Rewinding just a decade, the major cyber threat to organizations was data theft. Strictly speaking, data theft isn’t theft at all: theft implies property is transferred from one party to another, and the victim no longer has it. When we say data theft, we mean unauthorized exposure.
When we faced unauthorized data exposure events, organizations still had a copy of their data, and their systems were intact to continue delivering products and services to customers. Most losses were incurred simply because the incident happened: reputational damage, litigation and regulatory fines, all due to the inability to protect the data sufficiently. Damages grew only incrementally if you mishandled the incident response, the press or the impacted customers, and perhaps through additional regulatory fines for failing to report.
Contrast this with destructive cyberattacks, where the organization cannot service its customers. Every second spent on incident response and recovery is lost revenue or, in some cases—especially involving healthcare—lost lives.
Ransomware isn’t going anywhere soon, and the threat of nation-state wiper attacks grows with continuing global geopolitical instability. Just look at some of the ransomware attacks over the past year: The victims weren’t organizations with small security budgets and teams.
The reality is, attackers have shifted from social engineering to weaponizing newly disclosed vulnerabilities within days, far faster than most organizations can patch, so it’s impossible to rely solely on the moat-and-wall mentality of protection and detection: The adversary builds better boats and better ladders. This is the primary driver behind the push for cyber resiliency.
Becoming Cyber Resilient
So, how do we build a capability to deliver those three stages so we emerge into a state of cyber resiliency?
My first answer is: pragmatically. Don’t myopically focus on one of the stages and seek perfection there. Cyber resiliency is a chain, and the weakest link will bring down the whole capability.
An organization could have the world’s best recovery solution, but if the proper response steps aren’t taken, it would simply restore its vulnerable systems, adversary persistence mechanisms included, straight back into production. Likewise, there’s no real recovery if the right shared responsibility model isn’t built to integrate the security operations team’s incident response with the IT operations team’s recovery.
Preparedness is where we start.
Understand the adversary. This allows you to identify whitespace in your protection and detection. You can then build appropriate layered defenses to overcome the growing ability of adversaries to evade controls.
Understand your infrastructure and how it supports the delivery of your products and services. This tells you what you’re protecting, the priority order for cleaning and recovery, your regulatory obligations and the likely method and impact of an attack.
Preparedness also allows you to build appropriate strategies based on the impact of the adversary’s likely actions. How do we ensure that the systems needed to investigate and mitigate the attack before recovery are available and in a trusted state? Could we get access to our SOC if physical access controls are down? Do we trust the firmware and configurations of the switches, routers and firewalls we pass through to reach our SaaS IT operations management apps and cloud-based security tools?
Many organizations focus on their minimum viable company and forget that questions like these are part of building resilience.
Unfortunately, when many organizations see downtime, they think of business continuity and disaster recovery. With this mindset, there is a danger of shortcutting the response stage and rushing to recovery, which frequently leads to reinfection or reattack.
Management and boards need to have their expectations set appropriately about the achievable recovery time objective for secure recovery, including the time to investigate the incident and remediate the threats.
In a destructive cyberattack, this time spent on incident response extends the achievable time to recover systems back into production securely, so making this as efficient and effective as possible pays dividends.
Finally, the end-to-end process you’ve created should be drilled again. And again. This builds muscle memory, helps identify improvements and ensures your team knows exactly what to do when an incident inevitably occurs.
When we get to recovery, we have two choices: Recover and clean, or rebuild to a trusted state. Either way, all efforts should be informed by knowledge of what the adversary did, to ensure recovered systems have their attack surface removed, controls bolstered to prevent recurrence and any attack artifacts removed before they return to production.
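One concrete way to enforce the point made above and earlier in this piece (that a restore must not carry the adversary’s persistence back into production) is a gate that compares a restored host’s persistence inventory against a trusted baseline and against the indicators the incident response team recorded. The following is an added example, not code from the article or from any product; the inventory format, the host data and the indicators are all hypothetical and constructed for the demonstration.

```python
"""Pre-production gate for a restored host.

Added example (not from the article). Names and data are hypothetical:
an artifact inventory maps a persistence location (service, scheduled task,
autorun key, cron entry) to the command line it launches. BASELINE comes from
a trusted build or a pre-incident snapshot, RESTORED is collected from the
backup image after restore, and IOCS are strings recorded by the incident
response team while investigating what the adversary did.
"""
from dataclasses import dataclass


@dataclass
class GateResult:
    approved: bool
    ioc_hits: list        # locations still carrying a known attacker artifact
    unexplained: list     # additions or changes with no baseline and no IOC match
    removed: list         # baseline entries missing from the restore (informational)


def gate_restore(baseline: dict, restored: dict, iocs: list) -> GateResult:
    """Approve only if nothing in the restored inventory matches an IOC and
    every entry is identical to the trusted baseline. Anything else either
    blocks (IOC present) or needs an analyst to explain it (unexplained)."""
    needles = [i.lower() for i in iocs]
    ioc_hits, unexplained = [], []
    for location, cmdline in restored.items():
        haystack = (location + " " + cmdline).lower()
        if any(n in haystack for n in needles):
            ioc_hits.append(location)      # adversary persistence survived the restore
        elif baseline.get(location) != cmdline:
            unexplained.append(location)   # not in baseline: needs review before go-live
    removed = [loc for loc in baseline if loc not in restored]
    return GateResult(approved=not ioc_hits and not unexplained,
                      ioc_hits=ioc_hits, unexplained=unexplained, removed=removed)


# Constructed sample inventories (Windows-style locations; values are made up).
BASELINE = {
    r"service:Spooler": r"C:\Windows\System32\spoolsv.exe",
    r"task:\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -o -$",
    r"runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# The backup was taken after initial access: two persistence entries came back with it.
RESTORED = {
    **BASELINE,
    r"task:\Microsoft\Windows\UpdateOrchestrator\UpdateHelper": r"powershell.exe -w hidden -enc SQBFAFgA",
    r"runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate": r"C:\Users\Public\svchost.exe",
}

# Indicators the IR team recorded for this incident (constructed).
IOCS = [r"C:\Users\Public\svchost.exe", "-enc SQBFAFgA"]


if __name__ == "__main__":
    result = gate_restore(BASELINE, RESTORED, IOCS)
    print("approved:", result.approved)
    for loc in result.ioc_hits:
        print("IOC present  :", loc)
    for loc in result.unexplained:
        print("needs review :", loc)
    for loc in result.removed:
        print("missing      :", loc)
```

The gate is deliberately strict: an entry that is neither in the baseline nor on the IOC list is not approved automatically, because a backup taken after initial access can carry persistence the investigation has not yet catalogued. Treating those deltas as blockers until an analyst explains them is what keeps the response stage from being shortcut on the way to recovery.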
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.