Cyber resilience anticipates a degree of uncertainty: it is difficult to undertake a completely comprehensive risk assessment of an organization's participation in cyberspace. Cyber resilience also recognizes the difficulty of keeping pace with, let alone anticipating, the increasingly sophisticated threats from malspace. It therefore encompasses the need for a prepared, comprehensive and rapid response capability, because organizations will be subject to cyber-attacks regardless of their best efforts to protect themselves.
Above all, cyber resilience is about ensuring the sustainability and success of an organization, even when it has been subjected to the almost inevitable attack.
Becoming Cyber Resilient
Cyber threats are not just a challenge for IT departments; they require the involvement of every discipline within an organization, including its customers, suppliers, investors, partners and stakeholders.
Cyber resilience involves assembling multidisciplinary teams from across the organization, and beyond, to develop and test plans for attacks and breaches that may, or may not, occur. This team should be enabled to respond quickly to incidents by communicating with all parts of the organization, those external people and organizations that may be directly impacted, shareholders, regulators and other relevant stakeholders.
A vital component of cyber resilience is governance, with senior support for monitoring cyber activities, including partner collaboration and the risks and obligations that arise in cyberspace. Organizations must have a process in place for gathering, analysing and sharing cyber intelligence with stakeholders. They also need a means to assess and adjust their preparedness and resilience in light of past, present and anticipated cyberspace activity.
Finally, organizations should partner internally – sharing knowledge of risk and best practice across business units and functional groups.
What Can You Do?
Businesses operate in an increasingly cyber-enabled world, and traditional risk management is not nimble enough to deal with the risks that arise from cyberspace activity. Enterprise risk management must be extended to create risk resilience: built on a foundation of preparedness, it should assess threat vectors against the organization's risk profile and what the business is prepared to accept. Organizations have varying degrees of control over evolving security threats, from external cyber-attacks to insiders.
By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond appropriately.
About the Author:
As the Global Vice President of the Information Security Forum, Steve Durbin’s main areas of focus include the emerging security threat landscape, cyber security, consumerization, outsourced cloud security, third party management and social media across both the corporate and personal environments.
Formerly at Ernst & Young, Durbin was responsible for the growth of the firm’s entrepreneurial markets business in Europe, Middle East, India and Africa. He has been involved with mergers and acquisitions of fast-growth companies across Europe and the USA, and has also advised a number of NASDAQ and NYSE listed global technology companies.
Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice president at Gartner. As global head of Gartner’s consultancy business he developed a range of strategic marketing, business and IT solutions for international investment and entrepreneurial markets. He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors.
He is currently a Digital 100 selection committee member in the United States, a body established to improve the talent pool for Fortune 1000 boards around information governance with the aim of helping them protect and monetize their technology investments. He is also chairman of the Digiworld Institute senior executive forum in the UK, a think tank comprised of Telecoms, Media and IT leaders and regulators.
He may be contacted as follows: