The latest 'version' of cyber resilience includes "testing", according to a new report published by Cybersecurity Ventures. (Disclaimer: Steve Morgan is the CEO and founder of Cybersecurity Ventures.)

At a recent cyber resilience 'Think Tank' held in San Francisco during RSA Conference 2017, the heads of IT security, CISOs, cybersecurity industry experts, and vendor executives gathered to come up with a new definition of an old term.

The report states that cyber resilience is an organization's capacity to adapt to adverse cyber events — whether the events are external or internal, malicious or unintentional — in ways that maintain the confidentiality, integrity, and availability of whatever data and services are important to the organization.

The definition combines five key elements:

1. The psychological definition of resilience, or the notion of bouncing back from adverse events.
2. The CIA triad — confidentiality, integrity, and availability — prized by cybersecurity experts, is a model designed to guide policies for information security within an organization.
3. The recognition that adverse cyber events — sudden events threatening the organization's computing resources — don't always come from the outside and aren't necessarily malevolent.
4. The idea that confidentiality, integrity, and availability mean different things to different organizations — and may include services that are not digital.
5. The embodiment of preparedness. Not only do organizations need to plan and be prepared, they need to thoroughly test their plans.

Cyber Resilience 2.0: Testing

The fifth element, the embodiment of preparedness — including thorough testing — was the dominant theme at the Think Tank.

"When I asked the Think Tank participants 'How many have incident response plans?', most, if not every hand in the room, went up," says Ari Schwartz, the Think Tank moderator, former director of cybersecurity for the White House, and currently the managing director of cybersecurity services for Venable.

"When I followed up by asking them 'How many of you test your plan regularly and update it accordingly?', the majority of hands went down," adds Schwartz. "This is consistent with anecdotal evidence that I have seen in the field that many companies draft a plan and do not exercise it, and many of those who do regular exercises do not update their incident response plan based on what they learn. The Think Tank participants, even those that have not updated their plans recently, agreed that planning is essential to improve resilience. It is important to regularly exercise the plans and update them based on lessons learned from that exercise."

The world's most famous hacker shares the potentially catastrophic consequences of not planning and testing, and of not involving all of an organization's employees in their so-called cyber resilience strategy.

"Can your business be hacked by a 14-year-old with a lot of time?" asks Kevin Mitnick, chief hacking officer at KnowBe4, a leading security awareness training provider. "One sure way to find out is to actually test your security controls, but not limiting the test to only your technology. In my experience, people have always been the weak link when it comes to security. A simple spear phishing attack can compromise your assets, or worse, lead to watching your company's security incident on the headline news. It's a no-brainer: to build a resilient security program, your people need up-to-date security training and, most importantly, to be inoculated by experiencing the types of tricks the bad guys use first hand. That's why it's important to test your employees by hacking them."

The quest for cyber resilience is aptly summed up by a CISO at one of the world's largest banking and financial services corporations, echoing the Think Tank's sentiment.

"Cybersecurity touches every facet of an organization today; consequently, cyber resilience can no longer be something that is done as a secondary feature of an organization's strategy," says Rich Baich, CISO at Wells Fargo. "With customer expectations of constant online access only rising, resiliency considerations are transforming the traditional cybersecurity defensive mindset into one focused on business enablement as it becomes part of an organization's DNA."

Baich has held several executive security positions within the public and private sectors, including Deloitte & Touche, PricewaterhouseCoopers, ChoicePoint, and the FBI, and previously served in the United States Navy for 20 years as an information warfare officer, cryptology officer, and surface warfare officer.