I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon!
Cybersecurity resilience – the key term on just about every CIO/CISO/CSO/CTO’s mind these days. Tons of vendors say they can help with it. Regulators are beginning to demand it. Customers are expecting it. But, what isit? This is a question I’ve gotten from many readers over the last year, so let’s dive in and spell it out.
When we speak about resilience in the general technology world, what we’re really talking about is the ability to withstand events that would cause downtime or damage. An email server is resilient when it can continue to provide email services even if one or more servers/services go offline. SaaS technology is resilient when it can be maintained online at full or near-full capacity even if a Cloud provider has issues in one or more regions. For the most part – outside of cybersecurity – resilience is the practice that drives High Availability, Disaster Recovery, and Business Continuity operations. Stay online, or be able to get back up and online quickly.
In the cybersecurity world, resilience incorporates general technical definitions of the term with the addition of threat activity which may be encountered. This means that instead of the primary concern being uptime balanced against redundancy, we’re instead looking at the system’s ability to withstand an attack without allowing the attacker to gain control of the system or steal its data. As you might guess, this is a more complex operation than general technical resiliency, but the good news is that cybersecurity resilience is rated on much more of a sliding scale. Customers and regulators can demand that you must be within a certain level of uptime easily – the technology to perform that type of operation is available today within at least reasonable costs. Total cybersecurity resilience is not something that’s possible with today’s technology (and not likely to become available in the very near-term), and as such it is more about being able to prove you have done what you could, rather than proving you’re bullet-proof.
Key components of cybersecurity resiliency are:
1 – Layered security methodologies: Whenever we talk about cybersecurity resilience, we’re talking about being able to have security controls compensate for each other if one should be bypassed by a novel attack. So you would perform security awareness training for employees, implement endpoint controls (like anti-malware tools), identity solutions (like Active Directory, Okta, etc.), web gateways (firewalls, proxies, etc.), and other layers of security controls to allow for catching and blocking threat activity that could slip through any one control.
2 – Security-by-design development protocols: If you build technology – either hardware or software – you start by building in security as a primary development metric. This is different from traditional development which primarily addressed security as part of late-stage development operations. By understanding the threat landscape and building defenses into the hardware or software being developed, the likelihood of successful attack is reduced.
3 – Testing regularly: For any set of security controls, the only way to know that they are working (and being able to prove that they’re working) is to test them on a regular basis. This means running controlled threat activity within the production environment, and as such you may need to leverage professionals like penetration testers who know how to do that safely.
4 – Tuning regularly: No cybersecurity is “set it and forget it.” Every tool, policy, control, etc. must be reviewed on an ongoing basis to ensure that it isn’t falling behind in its primary role of defending the organization. This can be based on your testing in part 3 above, but can also include regular review of best-practice documentation from the vendors of your hardware and software. The cybersecurity threat landscape is changing all the time, so regularly tuning systems and controls to counter those threats is a necessity.
5 – Monitor your environments: Cybersecurity incidents happen fast, and your organization needs to know that they happened, that your controls held, or that you need to take immediate action to counter the threat activity. This requires monitoring the organization’s systems to make sure that if something does happen, technology and cybersecurity team members know about it fast and begin to deal with it immediately. As the tools and systems used to monitor can be complex – such as SIEM solutions and security orchestration (SOAR) platforms – this may be another area where your organization can benefit from a partner who has the expertise in-house already.
6 – Document everything. While it may sound like overkill, unless it is documented, it doesn’t exist. So all the layered compensating controls, security-by-design operations, testing, and tuning aren’t useful to an organization unless they’re documented; and that documentation is kept updated. This aids in satisfying auditors and regulators, but also greatly aids the cybersecurity team if something does happen. They can quickly assess the situation based on up-to-date information about the overall security of the organization, then take action.
Cybersecurity resilience is less a set of strict requirements, and more about knowing that your systems and data are as defended as possible, and what you will do if those defenses fail unexpectedly. Through the six areas above, you can provide a solid measure of that resilience that can be shared with auditors, regulators, and anyone else who may need you to show your work and prove that you’re taking the necessary steps to defend your systems, data, and customers.