Cyber Resilience 2.0, now shipping

The heads of IT security gathered at a recent Think Tank and agreed on a next generation definition of cyber resilience.

employees technology planning data [Computerworld, January-February 2017 - HR IT]
Credit: Thinkstock

The latest 'version' of cyber resilience includes "testing", according to a new report published by Cybersecurity Ventures. (Disclaimer: Steve Morgan is the CEO and founder of Cybersecurity Ventures.)

At a recent cyber resilience 'Think Tank' held in San Francisco during RSA Conference 2017, the heads of IT security, CISOs, cybersecurity industry experts, and vendor executives gathered to come up with a new definition of an old term.

The report states that cyber resilience is an organization’s capacity to adapt to adverse cyber events—whether the events are external or internal, malicious or unintentional—in ways that maintain the confidentiality, integrity, and availability of whatever data and service are important to the organization.

The definition combines five key elements:

1. The psychological definition of resilience, or the notion of bouncing back from adverse events.

2. The CIA triad — confidentiality, integrity, and availability — prized by cybersecurity experts, is a model designed to guide policies for information security within an organization.

3. The recognition that adverse cyber events – sudden events threatening the organization’s computing resources – don’t always come from the outside and aren’t necessarily malevolent.

4. The idea that confidentiality, integrity, and availability mean different things to different organizations — and may include services that are not digital.

5. The embodiment of preparedness. Not only do organizations need to plan and be prepared, they need to thoroughly test their plans.

Cyber Resilience 2.0: Testing

The fifth element, the embodiment of preparedness - including thorough testing - was the dominant theme at the Think Tank.

“When I asked the Think Tank participants 'How many have incident response plans', most, if not every hand in the room, went up,” says Ari Schwartz, the Think Tank Moderator, former director of cybersecurity for the White House, and currently the managing director of cybersecurity services for Venable.

“When I followed up by asking them 'How many of you test your plan regularly and update it accordingly?' the majority of hands went down", adds Schwartz. "This is consistent with anecdotal evidence that I have seen in the field that many companies draft a plan and do not exercise it and, many of those who do regular exercises, do not update their incident response plan based on what they learn. The Think Tank participants, even those that have not updated their plans recently, agreed that planning is essential to improve resilience. It is important to regularly exercise the plans and update them based on lessons learned from that exercise.”

The world’s most famous hacker shares the potentially catastrophic consequences of not planning and testing, and of not involving all of an organization’s employees in their so-called cyber resilience strategy.

“Can your business be hacked by a 14-year-old with a lot of time?” asks Kevin Mitnick, chief hacking officer at KnowBe4, a leading security awareness training provider. “One sure way to find out is to actually test your security controls, but not limiting the test to only your technology. In my experience, people have always been the weak link when it comes to security. A simple spear phishing attack can compromise your assets, or worse, lead to watching your company’s security incident on the headline news. It’s a no-brainer to build a resilient security program, your people need up-to-date security training and most importantly, to be inoculated by experiencing the types of tricks the bad guys use first hand. That’s why it’s important to test your employees by hacking them.”

The quest for cyber resilience is aptly summed up by a CISO at one of the world’s largest banking and financial services corporations, echoing the Think Tank’s sentiment.

“Cybersecurity touches every facet of an organization today; consequently, cyber resilience can no longer be something that is done as a secondary feature of an organization’s strategy,” says Rich Baich, CISO at Wells Fargo. “With customer expectations of constant online access only rising, resiliency considerations are transforming the traditional cybersecurity defensive mindset into one focused on business enablement as it becomes part of an organization’s DNA.”

Baich has held several executive security positions within the public and private sectors, including Deloitte and Touche, Pricewaterhouse Coopers, ChoicePoint, and the FBI, and previously served in the United States Navy for 20 years as an information warfare officer, cryptology officer, and surface warfare officer.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Healthcare records for sale on Dark Web