How to Achieve Cyber Resilience
Cyber resilience is a hot topic lately, but not everyone agrees on what it means or how to achieve it. In a recent webinar Greg Virgin, CEO of Redjack, presented insights to help you on your cyber resilience journey. He covered:
The differences between cybersecurity and cyber resilience
Common challenges organizations are facing in transitioning to a resilience perspective
Standards, best practices, and key metrics that you can adopt at your organization
This blog is an overview of what was discussed during the webinar. Or, you can watch the webinar replay here.
An increased focus on cyber resilience
There has been an increased emphasis on resilience in recent regulations and in the cybersecurity industry as a whole. For example, if you walked through the recent RSA Conference, you would have seen the word ‘resilience’ used frequently. However, the cybersecurity industry has a track record of adopting new concepts while using the same products to address the problem, and this trend persists today with resilience. Knowing what cyber resilience actually means is crucial, as companies must navigate it both as a cybersecurity trend and as a regulatory requirement. Embracing cyber resilience presents you with significant opportunities, not only to reduce your vulnerability to and the impact of cyberattacks, but also to transform business operations, making them more effective and profitable.
Cybersecurity is not cyber resilience
Cybersecurity and cyber resilience are distinct concepts. Cybersecurity involves creating defenses, like armor or walls, to protect systems, whereas resilience is about your overall strength and the ability of your organization to recover from incidents. True cyber resilience requires understanding which critical functions and systems are needed to keep your organization running, rather than merely ensuring that individual computers keep working. Often, the focus in IT and cybersecurity is too narrowly placed on keeping servers running, neglecting the critical business functions they support. If a crisis arises and your response is limited to addressing malware on computers, the battle is already lost. Effective resilience involves being prepared to quickly replace and restore components within the infrastructure needed to maintain essential operations.
Cyber resilience stakeholders
Many believe the chief information security officer (CISO) is responsible for cyber resilience. However, in the event of a ransomware attack or other cyber incident that disrupts operations, the company's focus shifts to business continuity and disaster recovery (BCDR), which is not typically within the CISO's purview. Even when dealing with traditional CISO responsibilities like reducing attack surfaces, minimizing vulnerabilities, improving patching and hygiene, and enhancing incident response effectiveness, the key is to prioritize efforts on critical areas of the organization.
Regulations increasingly require organizations to know where their critical business functions reside within their infrastructure. This knowledge is not only good to have but essential for protecting the parts of the organization that are vital to its survival.
In cybersecurity, there's significant emphasis on the value of threat intelligence—knowing where the threats are coming from and what they are targeting. However, with cyber resilience, the focus shifts to identifying the parts of your infrastructure that, if struck, would devastate your organization. Resilience is about ensuring that your business can continue to operate, not just keeping your computers running. This broader perspective involves a different set of stakeholders who must step up to provide and maintain resilience within the organization.
A heavily emphasized aspect of cyber resilience is the involvement of the board. Boards need to understand the financial impact of downtime and how to address associated risks. Their role, along with the C-suite, often centers on triage—deciding which parts of the organization are most critical and must continue operating under any circumstances. Since every Fortune 500 company relies on technology to function, they are essentially technology companies, and maintaining the functionality of their technology is paramount.
While cybersecurity has a crucial role to play, the IT team is ultimately responsible for restoring infrastructure from backups during incidents like ransomware attacks. They coordinate efforts to ensure readiness for various contingencies. While everyone in an organization has a part to play in cyber resilience, depending on the organization, the responsibility for cyber resilience may fall to someone other than the CISO.
The importance of business alignment
When it comes to maintaining operational resilience, the importance of business alignment cannot be overstated. Organizations must focus on identifying which functions are essential for the organization to continue operating. For example, a pharmacy must ensure that medicine reaches customers. This doesn't require the entire IT infrastructure, only a critical subset of assets. From a resilience perspective, knowing which IT assets support core business processes is crucial. Understanding the intricate ecosystem of IT systems that enable these essential functions is the first step toward achieving true cyber resilience.
The next step is understanding the current state of the assets that support critical business processes. This knowledge brings numerous benefits, including improved incident response. By prioritizing these critical parts of your infrastructure, you can respond effectively and proactively, rather than allowing adversaries to dictate your actions based on their activities.
When it comes to cyber resilience, the goal is for organizations to be able to handle disruptions like ransomware attacks and recover on their own, without resorting to paying ransoms. Achieving this goal is challenging because organizations must first determine their priorities effectively. Depending on company size, consultants or internal teams are tasked with meticulously mapping out all business processes, often manually and with incomplete information. The fact that an organization’s infrastructure is continuously changing, by an average of 5-15% a month, makes things more complicated. This underscores the necessity for an automated system to maintain your awareness of business operations. Automation is crucial for detecting new business processes and for understanding your infrastructure and the complex web of dependencies that support them.
In the context of the pharmacy example above, the ability of the organization to ensure that customers receive their pills hinges on swiftly restoring the IT infrastructure supporting this function if it goes down. However, it’s not as simple as the pharmacy IT team maintaining a list of pharmacy servers. The assets supporting this function rely in turn on a complex network of dependencies. These include other internal functions, external third-party services, and broader infrastructure components. Mapping out these intricate connections is essential to restoring operations systematically and effectively.
Cyber resilience best practices
Many regulations address aspects of cyber resilience, while industry standards continue to evolve. To achieve resilience, focus on mapping critical business functions, ensuring accountability, maintaining a continuous asset and dependency inventory that includes third-party assets, and incorporating automation where feasible.
Additionally, implementing redundancy not only in terms of IT assets but also geographically is crucial to ensure operational continuity. For example, a municipal government might establish backup infrastructure located in a different state. This proactive approach allows them to mitigate the risks associated with natural disasters like hurricanes, demonstrating a forward-thinking strategy beyond cybersecurity concerns.
When discussing the critical functions of the business, communication emerges as the top priority for the board and C-suite, especially in crisis scenarios where effective communication is vitally important. Beyond basic email capabilities, many large companies rely on message-passing middleware, often overlooked by teams focused on core business functions. Despite not being directly claimed by any specific team, this middleware is indispensable due to its role supporting numerous critical business functions.
The ability to conduct disaster recovery tests that demonstrate an organization’s ability to sustain operations during a crisis is also important. However, it's uncommon to find organizations capable of doing so. Regulatory frameworks stress the importance of disaster recovery testing, such as the NYDFS mandate requiring annual testing of disaster recovery plans for critical operations. Compliance necessitates providing evidence of these tests being conducted, highlighting the rigorous standards set to ensure operational resilience and readiness in the face of potential disruptions.
The foundational elements of cybersecurity rarely contribute directly to a company's profitability, but cyber resilience presents a unique opportunity to do so. The fundamental elements of cyber resilience, crucial for withstanding disruptions, also form the backbone for successful digital transformation initiatives, zero trust projects, and IT optimization efforts. For example, understanding critical assets, operational processes, responsibilities, and having a snapshot of how your operations currently work is essential for designing effective digital transformation plans.
An effective IT organization is one that focuses on accountability, prioritizes business-critical functions, and optimizes third-party dependencies. Instead of investing in overhead with uncertain future payoffs, leveraging cyber resilience-driven insights in real time allows organizations to seize immediate opportunities. This transformative aspect of cyber resilience is particularly exciting, as it aligns cybersecurity efforts with driving business success rather than merely preventing failure.
How do you know if you are resilient?
Determining your resilience requires that you have tangible evidence of the ongoing activities within your environment. The specific path toward resilience varies for each organization, contingent on its unique structure, operations, and methodologies.
Many recommended metrics focus on tactical concerns, such as the number of phishing exercises conducted and employee responses, rather than metrics that truly drive impact. Instead, an important metric for effective risk analysis is to understand and quantify the impact per hour—in dollars or lives—of a critical function being disrupted. By aligning business functions with IT infrastructure, organizations can quantify the cost or consequences associated with each infrastructure component. This understanding enables you to assign ownership to these components and establish accountability, thereby mitigating potential impacts before any cybersecurity incidents occur.
A real-time understanding and record of how your infrastructure operates is also crucial. It allows you to look back in time and identify the state of your systems just before an incident occurs. This record is vital because attempting to reconstruct how your infrastructure works after a failure or breach is often ineffective and time-consuming if you don’t have this information on hand. Knowing how your systems operate enables you to prepare for potential disruptions before they happen, ensuring swift recovery and minimal impact on operations.
A critical aspect of achieving cyber resilience involves focusing on reducing your attack surface—the points where potential vulnerabilities could be exploited. This entails conducting a thorough risk analysis to assess the likely impact if essential functions were disrupted, identifying all interconnected assets, and evaluating the security posture of each asset. By prioritizing vulnerabilities that would have the most severe impact on business operations, cybersecurity and IT teams can strategically fortify weak points in the infrastructure. This collaborative approach, involving multiple teams and stakeholders, ensures a comprehensive effort towards achieving robust cyber resilience across the organization.
Finally, you need to be able to demonstrate to regulators that your organization is resilient. If regulators arrive and you lack the necessary proof, it poses a significant problem for your organization. Given the stringent nature of these regulations, relying on manual processes is insufficient; you must have automated systems and products in place to ensure compliance and deliver the required evidence.
Redjack for cyber resilience
Redjack leverages automation and AI to provide comprehensive visibility into every part of your IT infrastructure and align assets with critical business functions. Our platform features a dashboard that highlights where you need to focus resources to mitigate potential damages to the organization. We generate a resilience score that evaluates how isolated or exposed an asset is, how hardened it is based on its security capabilities, and its redundancy—how quickly it can come back online. Additionally, we create a criticality score to rank the importance of an asset to the operation of a business function.
The Redjack platform is built around detecting communications flows and using them to reveal the relationships and dependencies within your infrastructure. Understanding this is crucial for cyber resilience. Simply having a list of computers without knowing how they interconnect leaves you unprepared if something happens. Among other things, the Redjack platform is designed to detect the overlooked IT assets that are critical to a key business function. It ensures that all essential assets and dependencies are identified and accounted for, thus enhancing your overall preparedness and resilience.
Contact us to discover how Redjack has helped large organizations achieve genuine cyber resilience.
The focus of cyber resilience: keeping your business running
To sum up, prioritize your security resources in areas that would cause the most damage to your business. Ensure you can quickly restore your most essential functions after a breach. Focus on complying with the business alignment aspects of regulations and standards, and understand how these complex functions work so that you can modernize and transform them. Use this as an opportunity to enhance the effectiveness and profitability of your organization.
Webinar Q&A
Q: What exactly is a business function?
A business function must align with what the business delivers, which varies depending on the nature of the business. For example, in a large retail company, critical business functions could include finance, logistics and shipping, and payroll. IT infrastructure, such as a Kafka system, is not a critical business function. It is essential for the C-suite and the board to agree on what is most important for the business.
Q: How do you determine the ownership of a business function?
Once you've defined what the critical business functions are, you need to assign an accountable person for each one. Who that person is depends on whether business function roles are clearly defined within the organization, which is not always the case. If your organizational structure is designed this way, the process is straightforward, but often it is not. This underscores the need for the C-suite to take charge, as they must organize the business around the concept of critical business functions and ensure accountability.