Crossbow Labs

Establishing Cyber Resilience As A Business Essential – Part 1


Part 1: Understanding Cyber Resilience

Business resilience is probably the most discussed topic of the last couple of months. Is it only a by-product of the recent pandemic? Consider other events with global impact, such as:

  • World War II, which brought the planet under the threat of nuclear holocaust.
  • The trade war between the world's largest economies, which has created global uncertainty on the economic front.
  • Disruptive innovations, such as:
    • Personal computers disrupting the mainframe market, and smartphones disrupting the laptop market.
    • Digital cameras disrupting film cameras, and smartphones in turn disrupting digital cameras.
  • Disruptive business models, such as:
    • Online education, which is poised to disrupt institutional classroom education.
    • P2P accommodation-sharing apps, which are proving disruptive to the hospitality business.
    • E-commerce, which is disrupting traditional brick-and-mortar businesses.
    • Cloud services, which continue to disrupt the traditional data center and IT services markets.
  • Regulatory regimes such as GDPR, NAFTA, ITAR, FISMA, GLBA and SOX, which have had an equal share in shaping how business is conducted within and between geographies.

Uncertainty is riskier than RISK

The need for resilience has always been integral to business requirements. Businesses face uncertainty on a frequent basis, sometimes of catastrophic proportions. Over the last several decades businesses have been successful at managing risk, but managing uncertainty is many times more complex: uncertainties come with unknown variables, their duration is often unpredictable, and their outcome is unknown and can be disastrous if not adequately handled.

Peter Drucker is credited with the saying ‘If you can’t measure it, you can’t improve it’. I would like to restate it as “If you can’t predict it, you can’t handle it”.

A Potential Solution to Uncertainty

Considering that the traditional approach to recovering from an adverse event, CAPA (Corrective Action – Preventive Action), may not be effective in most or all uncertain cases, the viable approach for every impacted entity is to demonstrate resilience.

So what is Resilience?

Risk management is a process for developing insight into emerging uncertainties, while resilience is a behavioral trait: the capacity to withstand setbacks and crises with agility and adaptability.

An analogy can be drawn to the human immune system: those with stronger immunity are less likely to catch an infection and/or recover relatively faster from one than those with weaker immunity.

Similarly, the purpose of cyber resilience is that mission- and business-critical systems are architected to withstand cyber incidents and continue to operate, perhaps at a degraded level, but never below the threshold that would compromise the defined minimum business objective for which the systems were designed.

From an enterprise viewpoint, such a system is a combination of people, process and technology, covering all departments and resources or, at a minimum, those identified as critical.

Understanding a Cyber Incident

A cyber incident is any event that adversely impacts the mission or business. It is not limited to cyberattacks and includes component failures, inadvertent or malicious misconfigurations, outages, and so on.

NIST SP 800-160 Vol. 2 defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Building cyber resilient resources is the foundation

Entities with agility, adaptivity and the capability to withstand uncertainty have not only survived the disruptive stage but have also benefited from it through innovation and repurposing. So how do we achieve an agile, adaptive and resilient framework? The following precursors lay the foundation for building cyber resilient resources.

Precursor #1: Set security as the default in every design and architectural element.

Precursor #2: Define a roadmap with the essential and minimal requirements, such as uptime, scalability, compliance with the regulations applicable to your geography, data types and industry, and adoption of global standards for enhanced customer confidence.

Precursor #3: Adopt a harmonized framework for security and cyber resilience.

Note: the NIST CSF (Cybersecurity Framework) and NIST SP 800-160 Vol. 2 are excellent resources that help harmonize architectural and operational efforts.

Precursor #4: Develop a measurement-based continuous improvement cycle.

We continue with implementation and measurement strategies for establishing cyber resilience in Parts 2 and 3 of this three-part series.