The heads of IT security gathered at a recent Think Tank and agreed on a next generation definition of cyber resilience.

The latest ‘version’ of cyber resilience includes “testing”, according to a new report published by Cybersecurity Ventures. (Disclaimer: Steve Morgan is the CEO and founder of Cybersecurity Ventures.)

At a recent cyber resilience ‘Think Tank’ held in San Francisco during RSA Conference 2017, the heads of IT security, CISOs, cybersecurity industry experts, and vendor executives gathered to come up with a new definition of an old term.

The report states that cyber resilience is an organization’s capacity to adapt to adverse cyber events—whether the events are external or internal, malicious or unintentional—in ways that maintain the confidentiality, integrity, and availability of whatever data and services are important to the organization.

The definition combines five key elements:

1. The psychological definition of resilience, or the notion of bouncing back from adverse events.
2. The CIA triad — confidentiality, integrity, and availability — prized by cybersecurity experts, a model designed to guide policies for information security within an organization.
3. The recognition that adverse cyber events – sudden events threatening the organization’s computing resources – don’t always come from the outside and aren’t necessarily malevolent.
4. The idea that confidentiality, integrity, and availability mean different things to different organizations — and may include services that are not digital.
5. The embodiment of preparedness. Not only do organizations need to plan and be prepared, they need to thoroughly test their plans.

Cyber Resilience 2.0: Testing

The fifth element, the embodiment of preparedness – including thorough testing – was the dominant theme at the Think Tank.

“When I asked the Think Tank participants ‘How many have incident response plans?’, most, if not every, hand in the room went up,” says Ari Schwartz, the Think Tank moderator, former director of cybersecurity for the White House, and currently the managing director of cybersecurity services for Venable.

“When I followed up by asking them ‘How many of you test your plan regularly and update it accordingly?’ the majority of hands went down,” adds Schwartz. “This is consistent with anecdotal evidence that I have seen in the field that many companies draft a plan and do not exercise it, and many of those who do regular exercises do not update their incident response plan based on what they learn. The Think Tank participants, even those that have not updated their plans recently, agreed that planning is essential to improve resilience. It is important to regularly exercise the plans and update them based on lessons learned from that exercise.”

The world’s most famous hacker shares the potentially catastrophic consequences of not planning and testing, and of not involving all of an organization’s employees in their so-called cyber resilience strategy.

“Can your business be hacked by a 14-year-old with a lot of time?” asks Kevin Mitnick, chief hacking officer at KnowBe4, a leading security awareness training provider. “One sure way to find out is to actually test your security controls, without limiting the test to only your technology. In my experience, people have always been the weak link when it comes to security. A simple spear phishing attack can compromise your assets, or worse, lead to watching your company’s security incident on the headline news.
It’s a no-brainer: to build a resilient security program, your people need up-to-date security training and, most importantly, to be inoculated by experiencing first hand the types of tricks the bad guys use. That’s why it’s important to test your employees by hacking them.”

The quest for cyber resilience is aptly summed up by a CISO at one of the world’s largest banking and financial services corporations, echoing the Think Tank’s sentiment.

“Cybersecurity touches every facet of an organization today; consequently, cyber resilience can no longer be something that is done as a secondary feature of an organization’s strategy,” says Rich Baich, CISO at Wells Fargo. “With customer expectations of constant online access only rising, resiliency considerations are transforming the traditional cybersecurity defensive mindset into one focused on business enablement as it becomes part of an organization’s DNA.”

Baich has held several executive security positions within the public and private sectors, including Deloitte & Touche, PricewaterhouseCoopers, ChoicePoint, and the FBI, and previously served in the United States Navy for 20 years as an information warfare officer, cryptology officer, and surface warfare officer.