Robert S. Mueller III, former Director of the FBI and the current Special Counsel investigating Russian interference in the US election, famously stated, "There are only two types of companies: Those that have been hacked and those that will be hacked." This thought-provoking quote underscores the inevitable reality that virtually every company will, at some point, face the threat of a cyberattack.
In this context, it is vital to recognize that while defenders tirelessly work to protect their digital realms, adversaries need just one successful breach to unleash chaos. This compels us to confront fundamental questions: Can our company not only endure a cyberattack but also maintain operational effectiveness throughout the ordeal? Will it ultimately emerge from such a crisis intact? This is where the concept of Cyber Resilience comes to the forefront.
Understanding the foundations of Cyber Resilience
According to NIST SP 800-160, Vol. 2, Rev. 1, "Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources."
NIST SP 800-160, Vol. 2, Rev. 1 defines the following four goals in its cyber resiliency engineering framework:
Anticipate: Anticipating potential threats and vulnerabilities is the first step in building cyber resiliency. This involves continuously monitoring the threat landscape, staying informed about emerging threats, and conducting risk assessments to identify vulnerabilities within an organization's digital infrastructure.
Withstand: Secure the capacity to sustain critical business or mission operations in the face of adversity. To attain this objective, it is vital to pinpoint the critical missions or business functions within the organization.
Recover: Restore operational capabilities during and after cyberattacks. This involves not only restoring systems and data but also analyzing the attack to learn from it and improve future defenses.
Adapt: Adapting to new threats, technologies, and vulnerabilities is essential for long-term cyber resilience. Modifying the mission or business function might be necessary in light of changes in the technical environment.
In addition to the four goals presented, the framework includes eight objectives and fourteen techniques.
Objectives are precise statements of what a system aims to accomplish within its operational context and over its entire life span in order to satisfy stakeholder requirements for mission assurance and robust security.
Techniques refer to a collection or category of practices and technologies designed to attain specific goals or objectives by offering capabilities.
Source: MITRE CREF Navigator
The hierarchy of cyber resiliency goals and objectives depends on the mission or business goals. As a result, the choice of particular cyber resiliency techniques and methods is influenced, at least in part, by the relative importance of the objectives they uphold.
Useful Tool from MITRE
In February 2023, MITRE launched the Cyber Resiliency Engineering Framework Navigator.
It is a visualization tool that helps organizations better structure their cyber resiliency strategies. The tool is based on NIST SP 800-160 and can be used by solution architects and cybersecurity professionals to embed cyber resiliency in their systems.
The navigator can also be used to check the relationships between the different components of the cyber resilience framework.
Source: MITRE CREF Navigator
Benefits of Cyber Resilience
Enhanced Security Posture: Cyber resilience is proactive rather than reactive, focusing on identifying vulnerabilities and weaknesses in a system before they can be exploited. This approach helps organizations strengthen their overall security posture by continuously improving their defenses against evolving cyber threats. By assessing, monitoring, and adapting to potential risks, organizations are better equipped to withstand attacks and protect their digital assets.
Customer Trust and Reputation Management: Cyber resilience contributes significantly to building and maintaining customer trust. When customers are assured that their data is secure, they are more likely to engage with an organization and remain loyal to its services. A reputation for strong cyber resilience can differentiate an organization from its competitors, attracting customers who prioritize security and data privacy.
Stakeholder Confidence: Cyber resilience strengthens the confidence of stakeholders, including investors, partners, and board members. Demonstrating a strong cybersecurity posture provides assurance that the organization is proactive in managing risks and protecting its interests. This confidence can translate into increased investments, partnerships, and collaboration opportunities, further fuelling the organization's growth and sustainability.
Cost-Effectiveness: While cyber resilience measures require an upfront investment, the long-term benefits outweigh the initial costs. Proactive measures, such as regular vulnerability assessments and staff training, are more cost-effective than dealing with the fallout of a successful cyberattack.
Don't confuse Cyber Resilience with Business Continuity
It's essential not to confuse Cyber Resilience with Business Continuity. These are two distinct but interrelated concepts that serve different yet complementary purposes within the realm of organizational preparedness. Below is a summary table showing the key differences between Cyber Resilience and Business Continuity Planning (BCP), highlighting their distinct purposes, scopes, components, and impacts on organizations:
| Aspect | Cyber Resilience | Business Continuity |
|---|---|---|
| Definition | The ability to prepare for, respond to, and recover from cyber threats while ensuring business continuity. | The ability to maintain essential business operations in the event of disruptions, including cyber threats. |
| Scope | Primarily focused on adapting to cyber threats and mitigating their impact. | Encompasses a broader range of disruptions, including natural disasters and others. |
| Purpose | Mitigate cyber risks and protect digital assets, data, and systems. | Ensure the overall continuity of business operations in case of various disruptions. |
| Timeframe | Emphasizes real-time responses and proactive measures to mitigate immediate threats. | Focused on short-term and long-term continuity strategies, including recovery and restoration. |
| Focus | Cybersecurity measures, including threat detection, prevention, and mitigation. | Wider-reaching strategies that include disaster recovery, incident response, and IT resilience planning. |
| Components | Continuous monitoring, vulnerability assessments, incident response planning, employee training, and more. | Backup and recovery solutions, off-site data storage, crisis communication, and infrastructure redundancy. |
| Applicability | Relevant to any organization that relies on digital assets and systems. | Primarily focused on businesses that require uninterrupted operations for success. |
| Cost-Effectiveness | May require an initial investment in cybersecurity measures but helps mitigate long-term financial losses. | Investments may include disaster recovery planning, redundant systems, and other continuity measures. |
In conclusion, as technology continues its relentless advance, the inescapable reality of cyberattacks becomes increasingly apparent. Organizations must stand prepared, acknowledging the potential for their systems to be breached and compromised. It is imperative for them to not only acknowledge this potential but to rigorously assess their capacity to endure and sustain operations in the face of such adversity.
References:
NIST SP 800-160, Vol. 2, Rev. 1 (https://csrc.nist.gov/glossary/term/cyber_resiliency)
MITRE Cyber Resiliency Engineering Framework Navigator (https://crefnavigator.mitre.org/navigator)