
What makes some organizations more cyber resilient than others: How to manage cyber risk and threat

  • Writer: cherhitecenttiti
  • Aug 20, 2023
  • 6 min read


This global study tracks the ability of organizations to achieve a strong cyber resilience security posture. In the context of the research, a cyber resilient enterprise is one that can prevent, detect, contain and recover from a myriad of serious threats against data, applications and IT infrastructure.




What makes some organizations more cyber resilient than others



New this year is a closer look at the impact of ransomware and at the adoption of approaches such as zero trust and extended detection and response (XDR). Finally, we offer recommendations to help your organization become more cyber resilient.


Figure 12 shows how many tools respondents said their security teams use to investigate and respond to a typical security incident. Among respondents, 45% used more than 20 tools when specifically investigating and responding to a cybersecurity incident.


The ongoing COVID-19 pandemic and other recent events have proven that some organizations are more resilient than others. But what makes these organizations different, and what steps should you and other business leaders take as a result?


Over the past decade, system resilience (a.k.a., system resiliency) has been widely discussed as a critical concern, especially in terms of data centers and cloud computing. It is also vitally important to cyber-physical systems, although the term is less commonly used in that domain. Everyone wants their systems to be resilient, but what does that actually mean? And how does resilience relate to other quality attributes, such as availability, reliability, robustness, safety, security, and survivability? Is resilience a component of some or all of these quality attributes, a superset of them, or something else? If we are to ensure that systems are resilient, we must first know the answer to these questions and understand exactly what system resilience is.


As part of work on the development of resilience requirements for cyber-physical systems, I recently completed a literature study of existing standards and other documents related to resilience. My review revealed that the term resilience is typically used informally as though its meaning were obvious. In those cases where it was defined, it has been given similar, but somewhat inconsistent, meanings.


However, system resilience is more complex than the preceding explanation implies. System resilience is not a simple Boolean function (i.e., a system is not merely resilient or not resilient). No system is 100 percent resilient to all adverse events or conditions. Resilience is always a matter of degree. System resilience is typically not measurable on a single ordinal scale. In other words, it might not make sense to say that system A is more resilient than system B.


Some resilience controls support detection, while other controls support response or recovery. A system may therefore be resilient in some ways, but not in others. System A might be the most resilient in terms of detecting certain adverse events, whereas system B might be the most resilient in terms of responding to other adverse events. Conversely, system C might be the most resilient in terms of recovering from a specific type of harm caused by certain adverse events.


Some organizations [MITRE 2019] include the avoidance of adverse events and conditions within system resilience. However, this is misleading and inappropriate as avoidance falls outside of the definition of system resilience. Avoiding or preventing adversities does not make a system more resilient. Rather, avoidance decreases the need for resilience because systems would not need to be resilient if adversities never occurred.


Companies have used the risk-based approach to effectively reduce risk and reach their target risk appetite at significantly less cost. For example, by simply reordering the security initiatives in its backlog according to the risk-based approach, one company increased its projected risk reduction 7.5 times above the original program at no added cost. Another company discovered that it had massively overinvested in controlling new software-development capabilities as part of an agile transformation. The excess spending was deemed necessary to fulfill a promise to the board to reach a certain level of maturity that was, in the end, arbitrary. Using the risk-based approach, the company scaled back controls and spending in areas where desired digital capabilities were being heavily controlled for no risk-reducing reason. A particular region of success with the risk-based approach has been Latin America, where a number of companies have used it to leapfrog a generation of maturity-based thinking (and spending). Instead of recapitulating past inefficiencies, these companies are able to build exactly what they need to reduce risk in the most important areas, right from the start of their cybersecurity programs.


Cyber attackers are growing in number and strength, constantly developing destructive new stratagems. The organizations they are targeting must respond urgently, but also seek to reduce risk smartly, in a world of limited resources.


Many leading companies have a cyber-maturity assessment somewhere in their archives; some still execute their programs to achieve certain levels of maturity. The most sophisticated companies are, however, moving away from the maturity-based cybersecurity model in favor of the risk-based approach. This is because the new approach allows them to apply the right level of control to the relevant areas of potential risk. For senior leaders, boards, and regulators, this means more economical and effective enterprise-risk management.


Resilience may change over time as a function of development and one's interaction with the environment (e.g., Kim-Cohen & Turkewitz, 2012). For example, a high degree of maternal care and protection may be resilience-enhancing during infancy, but may interfere with individuation during adolescence or young adulthood. In addition, our response to stress and trauma takes place in the context of interactions with other human beings, available resources, specific cultures and religions, organizations, communities and societies (see Sherrieb, Norris, & Galea, 2010; Walsh, 2006). Each of these contexts may be more or less resilient in its own right and, therefore, more or less capable of supporting the individual.


A very simple way to begin to address this issue is to do longitudinal studies. In our laboratory, we have been studying how biological variables that are measured after trauma exposure change in people who are treated for PTSD. As we all know, some people respond better than others, and many do not respond to specialized PTSD psychotherapy. By asking about biological changes before and after treatment in responders and non-responders to treatment, it is possible to know whether responders are different biologically even before treatment is administered. That would suggest that predictors of recovery are predetermined even before treatment begins. However, if responders and non-responders only differ from each other biologically at post-treatment, this would indicate that what actually happens in treatment is the critical determinant, and that biological correlates of recovery can occur in anyone who responds to a therapeutic modality.


While studies show that companies that can respond quickly and efficiently to contain a cyberattack within 30 days save over $1 million on the total cost of a data breach on average, shortfalls in proper cybersecurity incident response planning have remained consistent over the past four years of the study. Of the organizations surveyed that do have a plan in place, more than half (54%) do not test their plans regularly, which can leave them less prepared to manage the complex processes and coordination that must take place in the wake of an attack.


When asked if their organization leveraged automation, only 23% of respondents said they were significant users, whereas 77% reported their organizations only use automation moderately, insignificantly or not at all. Organizations with the extensive use of automation rate their ability to prevent (69% vs. 53%), detect (76% vs. 53%), respond (68% vs. 53%) and contain (74% vs. 49%) a cyberattack as higher than the overall sample of respondents.


Skills Gap Still Impacting Cyber Resilience


The cybersecurity skills gap appears to be further undermining cyber resilience, as organizations reported that a lack of staffing hindered their ability to properly manage resources and needs. Survey participants stated they lack the headcount to properly maintain and test their incident response plans and are facing 10-20 open seats on cybersecurity teams. In fact, only 30% of respondents reported that staffing for cybersecurity is sufficient to achieve a high level of cyber resilience. Furthermore, 75% of respondents rate their difficulty in hiring and retaining skilled cybersecurity personnel as moderately high to high.


When asked what the top factor was in justifying cybersecurity spend, 56% of respondents said information loss or theft. This rings especially true as consumers are demanding businesses do more to actively protect their data. According to a recent survey by IBM, 78% of respondents say a company's ability to keep their data private is extremely important, and only 20% completely trust organizations they interact with to maintain the privacy of their data.


A second but related issue is that when a hacker obtains sensitive information about the organization, the organization may find its reputation ruined. Few small organizations can survive the damage to their reputation that such lost data might cause. The damage to reputation and goodwill might be more crippling than the data loss itself. Loss of customer data may result in legal or regulatory action against the organization. A third party that has itself incurred a loss might file suit against the organization. Organizations might also be subject to significant penalties and/or legal action arising from breaches of privacy laws in many jurisdictions.
