Our Guide to Surviving Uncertain Times – Part 1 of a 3-Part Series
Business resilience is probably the most discussed topic of the last couple of months. Is it only a consequence of the recent pandemic? Please consider other events with global impact like the
The need for resilience has always been integral to business requirements. Businesses face uncertainty on a frequent basis, sometimes of catastrophic proportions. Over the last several decades businesses have been successful at managing risks, but managing uncertainties is many times more complex. Uncertainties come with unknown variables, their duration is often unpredictable, and their outcome is unknown and can be disastrous if not adequately handled.
Peter Drucker is quoted as saying “If you can’t measure it, you can’t improve it.” I would like to restate it as “You can’t predict it, you can’t handle it.”
Considering that the traditional approach of recovering from an adverse event, CAPA (Corrective Action – Preventive Action), may not be effective in all or most uncertain cases, the potential approach for all impacted entities is to demonstrate resilience.
Risk management is a process for developing insight into emerging uncertainties, while resilience is a behavioral trait: withstanding setbacks and crises with agility and adaptability.
An analogy can be drawn to the human immune system: those with better immunity are less likely to catch an infection and/or recover relatively faster from an infection than those with poorer immunity.
Similarly, the purpose of cyber resilience is that mission- and business-critical systems are architected to withstand cyber incidents and continue to operate, possibly at a degraded level but not below the threshold that impacts the defined minimum business objective for which the systems were designed.
From an enterprise viewpoint, such a system is a combination of people, process and technology for all departments and resources, or at a minimum for those identified as critical.
A cyber incident can be any event which adversely impacts the mission or business. It is not limited to a cyberattack, and can include component failures, inadvertent or malicious misconfigurations, outages, etc.
As per NIST SP800-160, cyber resiliency is defined as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Entities with agility, adaptivity and the capability to withstand uncertainty have not only survived the disruptive stage but have also benefitted through innovation and repurposing. So how do we achieve an agile, adaptive and resilient framework? The following precursors lay the foundation for building cyber resilient resources.
Precursor #1 – Set security as a DEFAULT in the design and architectural elements.
Precursor #2 – Define a roadmap with essential and minimal requirements such as uptime, scalability, compliance with the regulations applicable to the geography, type of data and industry, adoption of global standards for enhanced customer confidence, etc.
Precursor #3 – Adopt a harmonized framework for security and cyber resilience.
Note: NIST CSF (Cyber Security Framework) and NIST SP800-160v2 are excellent resources that help harmonize architectural and operational efforts.
Precursor #4 – Develop a measurement-based continuous improvement cycle.