By Kaustubh Vazalwar, Group Manager: Global Resiliency, IBM
One of the fundamental questions most people have when they first learn about cyber resilience is, “How does being cyber resilient differ from cybersecurity?” To answer this, we need to understand how the principles of resiliency differ from those of security.
The defining principles
Security principles primarily focus on:
- Defense in depth — or creating multi-layer defenses within IT infrastructure.
- The principle of least privilege — or limiting access to IT systems to relevant parties.
- Identifying and isolating threat areas.
- Processes and measures for continuous protection of systems, networks and data.
The principles of resiliency, on the other hand, look at enterprise-wide risk factors:
- Create simplicity in design and implementation.
- Continuously review critical assets, attack surfaces and evolving technical and nontechnical risks.
- Identify critical process and functional impacts, and implement redundancy and defense measures at each step.
- Focus on the technology and human aspects of end-to-end business continuity.
- Enterprise-level risk management and IT governance.
Ensure business continuity
While these principles are related in many ways, the overall goal of cyber resilience is to ensure continuity of business by being more proactive in an environment where advanced persistent threats are continuously maturing and evolving.
Why is this differentiation so important to understand? Because it requires a fundamental change in mind-set to adopt a risk-based approach. Organizations have to look beyond firewalls, IP/IDS, security operations centers or anti-virus control to ask deeper, enterprise-wide questions, such as:
- Does our organization have senior management approval and a defined, long-term budget to address cyber resilience requirements at every level?
- Is there an enterprise risk management program in place, in conjunction with IT security and disaster recovery colleagues? Are the right resources defined to implement and manage that program?
- Has the organization identified all of our critical resources and the business impact of their potential downtime? Are regular risk reviews, tests of failure scenarios and contingency plans being conducted?
- Is the organization’s disaster recovery and backup plan fail-safe? Do these plans comply with recovery time objectives, recovery point objectives, service-level agreements and other regulatory requirements?
In today’s global economy, things like international supply chains need cyber resilience plans to secure the IT environments that facilitate transactions, above and beyond standard IT security measures. Properly evaluating the potential risks, monitoring hardware and software across multiple vendors and geographies and ensuring transaction data privacy builds trust between buyers and sellers, elevates standards across the board and creates a more fair and productive marketplace for any industry.
Cyber resilience represents a new way of doing things in the always-on era. When organizations consider every possibility and test for any contingency, they are doing a great service for themselves and their clients. Cyber resilience encourages new innovation, empowers employees to do their jobs with confidence and elevates an organization’s standing among clients and competitors.