date 2023-10-10

As a vice president at Symantec from 2000 to 2009, Rob Clyde witnessed repeated attacks on the cybersecurity company’s system that processed client requests for software updates. Constantly bombarded with illegitimate queries, the system could nevertheless handle the fraudulent volume and still process and respond to legitimate traffic.

The company built the system in a way that enabled it to withstand the onslaught: engineers designed the system to handle any and all spikes in requests for updates, such as those that happen when clients all seek a critical update at the same time.

“We had architected the system to just keep scaling,” says Clyde. “As attacks occurred, it kept scaling so [legitimate] customers could get their updates without any delays.” Clyde is now a spokesperson for the IT governance organization ISACA, a managing partner of Clyde Consulting, and a board member for several companies.

Symantec’s intention was to build a system that could meet customer needs without any glitches, regardless of the level of demand. But company leaders also recognized the need for such a design to ensure the system could perform well even when under siege: that it could, in a nutshell, be resilient.

Resilient systems pay off over the long run

Clyde acknowledges that the design added costs, with the bills rising as the system scaled; engineers eventually brought costs down by implementing cyber defenses that could detect fraudulent requests further upstream and deflect them earlier, thereby reducing the number making their way to the application itself.

Although this approach dates back 15 years, Clyde says Symantec’s strategy for addressing cybersecurity threats in a way that both defended the system and ensured its usual availability demonstrates the notion of cyber resiliency.

“We should build systems to withstand changing conditions, to recover and just keep going,” says Clyde.

The definition of cyber resiliency

The National Institute of Standards and Technology (NIST) defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”

MITRE, which developed the Cyber Resiliency Engineering Framework in 2011, describes cyber resiliency as the need “for information and communications systems and those who depend on them to be resilient in the face of persistent, stealthy, and sophisticated attacks focused on cyber resources.”

It’s a concept that has been gaining traction over the past decade and is becoming a topic of board-level interest as the volume, variety, and intensity of strikes by bad actors spike year after year.

Boards fail companies by not focusing on resilience

A May 2023 article in the Harvard Business Review titled “Boards Are Having the Wrong Conversations about Cybersecurity” calls on boards to “focus on resilience,” saying that “even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on resilience, boards fail their companies.”

The concept of cyber resiliency includes several longstanding cybersecurity and organizational elements — namely the principles and practices of business continuity and disaster recovery as well as cyber detection and response.

However, according to multiple cybersecurity leaders, cyber resiliency is not synonymous with any of those elements and, in fact, pushes the enterprise to go beyond each of those four practices.

“Resiliency is about keeping the lights on with no downtime,” says Sue Bergamo, executive advisor, CIO and CISO with the advisory services firm BTE Partners. “It’s normal to defend against a lot of attacks; that’s what we do every day. But with that one attack that gets through, that’s when we have to be resilient, that’s when we have to stomp it out while keeping the lights on.”

In other words, cyber resiliency is about maintaining business as usual during a cyber event, while the response to that event happens in the background.

Resiliency is like a generator that keeps things running

One expert compares the benefits of cyber resiliency to those of an electric generator: the generator, like a cyber-resilient environment, keeps everything running when there’s a problem with the electricity supply. If there’s no generator, workers are scrambling for flashlights.

Cyber resiliency means the organization can keep working regardless of what cyber attackers “can throw at me,” says Rosalie McQuaid, cyber resiliency department manager at MITRE, a not-for-profit entity that operates federally funded R&D centers and public-private partnerships.

“It’s not about going down and recovering, where you might have slower or degraded operations. That’s really reactive,” McQuaid says. It’s akin to the catchphrase of the decades-old Timex watch ads, which feature watches surviving all manner of attacks as they “take a licking and keep on ticking.”

Clyde agrees, saying organizations that must pay a ransom to restore functions following a successful ransomware attack, or revert to analog processes while IT restores compromised systems, may have implemented “reasonable short-term solutions but they’re not cyber resilient.”

Saugat Sindhu, senior partner and general manager at IT consulting and services firm Wipro, makes similar observations, pointing to Colonial Pipeline’s performance in the aftermath of the ransomware attack it suffered in May 2021. The company recovered after paying a ransom, and it continued as a business. However, its decision to shut down its main business function — moving fuel through its pipelines — to help contain the damage did not demonstrate resiliency.

“In the case of cyber resiliency, if systems get compromised, there are other systems that can pick up and maintain BAU — business as usual,” adds Sindhu, leader of Wipro’s strategy and risk practice.

High-level actions around cyber resiliency

That focus on BAU may explain increasing interest in and discussion around cyber resiliency. In the US, for example, the President’s Council of Advisors on Science and Technology (PCAST) in March 2023 initiated a working group on cyber-physical resilience, saying in an announcement that “the tightly coupled inter-dependencies among physical and digital components in systems can lead to high levels of ‘brittleness,’ when even minor disruptions lead to wide-scale and unpredictable effects.”

It continued: “We need a different approach, not just to defend ourselves from cyber-attacks and failures, but to presume that attacks will always get through and that failures of components are unavoidable. We need to be resilient in the face of attacks and failures so we can withstand or recover quickly. This needs a fundamental re-imagining based on taking a holistic, systems-thinking approach.”

The Information Systems Security Association (ISSA), a nonprofit professional organization for information security professionals, has its Cyber Resilience Special Interest Group.

And the European Union has its Cyber Resilience Act, a proposed legal framework governing the cybersecurity requirements for hardware and software products placed on the EU market.

Demonstrating cyber resiliency

Enterprise executives are also thinking about cyber resilience, according to an October 2023 report, The Cyber-Resilient CEO, from professional services firm Accenture. For the report, Accenture studied the cybersecurity practices of 1,000 CEOs of large organizations and found that 96% agreed that cybersecurity “is a key enabler for organization growth and stability.”

However, it found that 74% were concerned about their organization’s ability to avert or minimize damage to the business from a cyberattack.

“It is a disconnect that highlights that a majority of CEOs lack confidence that their organizations are truly cyber resilient, and their uncertainty is reflected in how they prioritize their cybersecurity investments,” the report’s authors concluded.

Furthermore, Accenture used its own index to benchmark 25 leading practices that measure cybersecurity resilience and found only 5% of CEOs lead on cybersecurity resilience.

Measuring resilience

An actual cyber event would certainly test whether those CEOs are as resilient as they appear and whether the remaining 95% are better or worse than they think.

However, security leaders point to other (safer) methods for measuring enterprise cyber resiliency — methods that allow CISOs to assess where they are, track improvement over time and articulate findings to their executive colleagues, their CEOs and the board itself.

Such analysis may seem like an esoteric exercise, says Sergio Tenreiro de Magalhaes, chief learning officer at Champlain College Online and an associate professor of cybersecurity and digital forensics.

“But it’s actually a concrete action you can take,” he says, adding that he believes cyber resiliency measures the organization’s ability “to provide a level of service that they’re comfortable with when under attack.”

Tenreiro de Magalhaes and others point to specific frameworks and assessment tools.

MITRE’s Cyber Resiliency Engineering Framework (CREF) is the oldest. In February 2023 MITRE released its CREF Navigator, a free visualization tool that enables organizations to customize their cyber resiliency goals, objectives and techniques.

Meanwhile, NIST has its publication SP 800-160 v2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.” According to NIST, the publication “helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems — including hostile and increasingly destructive cyber-attacks from nation-states, criminal gangs, and disgruntled individuals.” (MITRE’s Navigator is aligned with NIST SP 800-160 v2.)

Another tool that some cite is the CMMI Cybersecurity Platform from ISACA, which ISACA promotes as a tool to help organizations build cyber resiliency.

Commercial products to assess and measure an organization’s state of cyber resiliency are also available.

Cyber resiliency means practicing due care and diligence

As is best practice when using other cybersecurity frameworks and assessments, these frameworks and assessments are not one-size-fits-all, nor are they meant to be used as merely a check-the-box exercise, says Erik Avakian, technical counsellor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania.

Rather, Avakian says they prompt CISOs to ask whether their organization “can anticipate attacks and can withstand them with the right controls and capabilities.”

“It’s about practicing due care and due diligence from a cybersecurity standpoint and having a layered defense with a layered people-process-and-technology-driven program with the right governance and services and tools to enable the mission of the organization so that if there’s an event, you can recover and adapt to keep business running,” he adds.

To do that, CISOs and their executive colleagues must have their cybersecurity basics well established — basics such as knowing their tolerance for risk, understanding their IT environment, their security controls, their vulnerabilities, and how those all could impact the organization’s operations.

CISOs aren’t limited to these frameworks or the assessment tools created specifically to measure cyber resiliency, say Tenreiro de Magalhaes and others.

CISOs can also run tabletop drills and red-team exercises to test, measure and report on resiliency. Repeating such drills and exercises can then track whether the organization’s cybersecurity program, as well as specific additions to it, helps improve resiliency over time, experts say.

In fact, some say even anecdotal markers can help CISOs and executives get insights into their level of cyber resiliency.

Bergamo, for one, says she can get a sense of whether an organization has any degree of resiliency by looking at the security department’s everyday state.

“If they’re not running around dazed and crazed, they’re doing something right,” she says. “But those teams who are running around with hair on fire don’t have resiliency. They’re just in defense mode.”