Digital innovation is the order of the day. New software, intelligent technologies, and digital transformations are increasingly pervasive in organizations. At the same time, cyber threats and data breaches are on the rise. Organizations that want to ensure business continuity must know how to prevent, not just defend. To do so, they must be able to withstand the challenges and, above all, recover quickly. This is why it is essential to identify the key elements of an effective cyber resilience strategy.
What is cyber resilience and how it protects businesses
If an organization wants to ensure business continuity for its stakeholders (customers, suppliers, partners, banks, shareholders, employees), it must be able to prevent, withstand and recover from activities disrupted by a cyber security incident in the shortest possible time. This is what is meant by cyber resilience: the ability to recover linked to proper assessment and preventive, investigative, and corrective controls. This is the only way to ensure business continuity and the protection of sensitive data.
Such an approach not only affects security by reducing the risk of suffering a cyber-attack but also has reputational and economic implications. This is why many companies strive for cyber resilience certification, aware of the impact such recognition will have in terms of trust, customer value, and competitive advantage.
Once this path is chosen, beyond the practical aspects to be implemented, it will be important to share the culture of cyber resilience inside and outside the organization. It will need to be aligned with the business objectives of the various business units, and at the same time, involve partners, customers, and suppliers in adopting similar practices to avoid disruptions in, for example, the supply or distribution of services.
In addition, research conducted by Accenture found that:
“organizations that incorporate key cybersecurity actions into their digital transformation efforts and apply robust operational cybersecurity practices across the organization are almost six times more likely to experience more effective digital transformations than those that do not do both.”
Translating this into practical actions, those who have embarked or are about to embark on the Digital Transformation journey need to audit solutions before and during implementation. In addition, they should add a cybersecurity expert to the digitalization team.
Difference between cybersecurity and cyber resilience
The word resilience in physics means: “the ability of a material to absorb a shock without breaking” (source: Oxford Languages). Metaphorically, this is exactly what a company should be able to do after a cyber attack. That meaning also captures the difference between cyber resilience and cyber security. While the latter focuses on preventing cyber attacks, cyber resilience focuses on preparedness and the ability to recover quickly after a cyber incident.
Not only that, but the approach also changes between the two terms. Cybersecurity takes a proactive approach, focusing on preventing attacks through preventative measures such as the use of firewalls, antivirus software, and data encryption. Cyber resilience, on the other hand, takes a reactive approach, recognizing that attacks may occur despite preventive measures and focusing on resilience and recovery after an incident.
Finally, cybersecurity usually primarily involves information security specialists, such as information security managers and network administrators. Cyber resilience involves a wide range of functions and stakeholders within an organization, including operations managers, business managers, and IT staff.
Cyber security is important, but it is not enough. A comprehensive cyber resilience strategy must include cyber security measures, but also recovery and business continuity plans. Most importantly, it must involve the entire organization’s leadership. But more on that in a moment.
Companies that want to prepare for the digital future will have to invest in IT resilience for uninterrupted business continuity.
The key components of an effective cyber resilience strategy
Let’s get down to business. Having understood the importance of cyber resilience and how it actually encompasses cyber security activities, let’s look at what we need to implement in our organization.
As with any strategic approach worth its salt, a careful initial assessment will make the process easier and faster. We need to assess the risks and weaknesses in the system and involve all levels of the organization in the cyber resilience strategy. This step includes training staff to recognize cyber threats and education on cyber security best practices.
A valuable support specifically for cyber resilience is the Information Technology Infrastructure Library (ITIL) framework. Basically, it is a collection of best practices for IT service management that ensures alignment between IT services and business objectives. This way, when we change the objectives, we are sure that the IT services are also realigned.
Furthermore, the ITIL model ensures that the organization has well-defined processes to deal with IT incidents and to quickly restore IT services. This framework is administered and managed by AXELOS, and certification is required to implement it in the company. But in this case, it is the framework that interests us, because the phases of the ITIL service lifecycle are the same as for IT resilience, i.e.:
- strategy: in order to define IT resilience objectives, one must start with an analysis of the vulnerabilities and risks that resources face. After identifying the critical nodes in terms of information, systems, and services that are crucial for the organization and its stakeholders, a portfolio of IT services to be implemented or modified can be outlined.
- design: once the IT service requirements have been defined, the services and processes can be designed. After identifying the resources that have the authority to make decisions and act accordingly, the appropriate control and training procedures are put in place proportionate to the risks.
- transition: this is the most delicate moment, the transition from theory to practice. It starts with planning and supporting the transition, moves on to change management and impact assessment, and finally to release and implementation, followed by monitoring, testing, and validation. Particular attention must be paid to maintaining a proper balance between all the Service Management processes.
- operation: this is the experience phase. Organizations learn from their mistakes, which is crucial for making the necessary changes in procedures, training, and design. This is because the cyber resilience environment is constantly improving, and, consequently, safeguards must evolve. In some cases, the incidents that occur during this phase also lead to strategic changes.
- improvement: the information gathered in the previous phase feeds into the incident management plan, which includes communication management, incident response, damage mitigation, and restoration of IT services. By assessing incidents, identifying weaknesses, and implementing improvements, organizations can strengthen the resilience of their IT systems and services over time.
By following all the macro-steps of this process, the organization ensures that its IT resilience process is always up-to-date and in line with customer requirements and business objectives. It is important to remember that business continuity depends on monitoring, control, and improvement activities, without which the process would quickly become obsolete.
The role of disaster recovery and backup in cyber resilience
Any discussion of IT resilience must include two essential components of this strategy: disaster recovery and backup. Disaster recovery refers to the ability to restore IT services after a computer incident. Backup, on the other hand, is the copying of data in a safe place to ensure its availability in the event of data loss or damage.
Here too, sporadic activity is not enough: a disaster recovery plan must be defined that includes
- the processes for restoring IT services;
- communication with users;
- the management of resources during an incident.
In addition, it is essential to regularly back up data and test the recovery process to ensure that data is recoverable in the event of an incident.
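The "test the recovery process" step above is the one most often skipped, because a backup job that completes without errors looks the same as one that captured stale or incomplete data. The following is an added example, not code from the article or from any product it mentions, of a minimal restore drill: it assumes (hypothetically) that data lives in a directory tree, that a backup is a tar.gz archive plus a JSON manifest of SHA-256 digests, and that a restore test extracts the archive into a scratch directory and compares every restored file against the manifest. The `run_drill` function builds constructed sample data, verifies a clean backup, then simulates a backup run that silently dropped one file and captured another in a changed state, so the report shows what a failed drill looks like.

```python
"""Backup and restore verification drill (added example, not from the article).

Hypothetical assumptions: data is a directory tree; a backup is a tar.gz
archive plus a JSON manifest mapping relative path -> SHA-256; a restore
drill extracts the archive to a scratch directory and compares digests.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks to handle large files."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, backup_dir: Path) -> tuple:
    """Archive source into backup_dir and write a manifest beside the archive."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest_path = backup_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and compare it with the manifest.

    Returns a report with an ok flag plus the lists of files missing from the
    restore, files whose content differs, and files not covered by the manifest.
    """
    expected = json.loads(manifest_path.read_text())
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the hardened 'data' extraction filter where the interpreter has it
            # (Python 3.12+ and backports); it rejects entries escaping restore_root.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restore_root, filter="data")
            else:
                tar.extractall(restore_root)
        actual = build_manifest(restore_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_drill() -> tuple:
    """Constructed demo: a clean drill, then a drill against a stale backup."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "db").mkdir(parents=True)
        # Constructed sample data, not real records.
        (source / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (source / "config.yaml").write_text("retention_days: 30\n")

        archive, manifest = create_backup(source, work / "backups")
        clean = verify_restore(archive, manifest)

        # Simulate a later backup job that silently missed one file and captured
        # another in a changed state, while the expectation (manifest) is unchanged.
        (source / "db" / "customers.csv").unlink()
        (source / "config.yaml").write_text("retention_days: 7\n")
        stale_archive, _ = create_backup(source, work / "stale")
        broken = verify_restore(stale_archive, manifest)
    return clean, broken


if __name__ == "__main__":
    for label, report in zip(("clean backup", "stale backup"), run_drill()):
        print(label, json.dumps(report))
```

The point of keeping the manifest separate from the archive is that the drill checks what the backup *should* contain, not merely whether the archive unpacks; a schedule that runs this after every backup turns "we have backups" into "we have verified we can restore", which is the property the plan actually needs.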
The business environment is very diverse, and there are organizations that have already undertaken cyber resilience activities and others that have not yet recognized its importance. But between the cyber champions and the risk-takers, there is a typical middle ground. Let’s see which quadrant your company is in at the moment.
What is your company’s level of cyber resilience?
In a report entitled “How aligning security and the business creates cyber resilience”, Accenture has developed a matrix that intersects cyber security with the level of alignment with business strategy. The result is four quadrants outlining the characteristics of companies that have given more or less relevance to this relationship:
- Cyber Champions: in this quadrant are the most virtuous companies, those able to align an appropriate cyber security strategy with the achievement of business objectives. As a result, their IT resilience appears to be better, as they are able to respond in a timely manner while protecting their data.
- Business Blockers: these are the organizations that prioritize cyber security over alignment with business strategy. This translates into a better ability to cope with cyber attacks than Cyber Risk Takers and Vulnerable, but they lag behind Cyber Champions in all key cyber resilience measures. By adding an alignment to their already strong cybersecurity foundation, they could improve their cyber resilience without sacrificing business outcomes.
- Cyber Risk Takers: they are adept at achieving business objectives yet pay less attention to alignment with cybersecurity strategy. In some cases, the budget they allocate to cybersecurity is even higher than companies in the other quadrants, but this is not enough to ensure greater cyber resilience. In fact, the number of successful breaches is higher than the Business Blockers and the Vulnerable.
- The Vulnerable: these are the companies most at risk because they have not fully understood the importance of cyber resilience. They may be investing in cyber security, but it is little compared to the risks they face from a potential breach. At the same time, their cybersecurity strategy deviates from their business strategy, making any disaster recovery action more complex.
After this overview, everyone would like to become a Cyber Champion, but theory, as always, is easier than practice. Summarising the concepts that emerged from Accenture’s research, we should focus on three aspects that would increase cyber resilience:
- Give CISOs a seat at the top table: we cannot assume that the cybersecurity team works without fully understanding the risks and business priorities. To get this information, it is important that they interface with senior management so that they get a broad view that generates the right insights.
- Be threat-centric and business aligned: since prevention is always better than cure, security leaders need to have a thorough understanding of what is critical to the business so they can design a security plan aimed at reducing response and downtime. Only the right alignment between security and business strategy enables such knowledge and awareness. By continuously monitoring risk profiles and communicating the results with leadership, high levels of resilience are achieved.
- Get the most out of secure cloud: security must be built into the cloud upstream, i.e. when the data migration process starts, or even better, when the cloud data strategy is defined.
The future of cyber resilience
In the future, cyber resilience will become even more critical as technologies evolve, and networks become more interconnected. Organizations will need to remain agile and adaptable, ready to face new threats and protect sensitive data. Investing in cyber resilience today will ensure business continuity and data protection in the future.