Cyber resiliency is the ability of an organization to continue operating despite cyberattacks and disruptions. It goes beyond just recovering from an attack and instead focuses on maintaining normal operations, even in the face of compromise. This concept is gaining increasing attention and interest as businesses realize the importance of being able to withstand and quickly recover from cyber incidents.
One example of the need for cyber resiliency is the ransomware attack on Colonial Pipeline in May 2021. While the company was able to recover by paying the ransom, it had to shut down its main business function of moving fuel through pipelines to contain the damage. This decision showed a lack of cyber resiliency, as the company was unable to maintain business as usual despite the attack.
The importance of cyber resiliency is recognized by various organizations and government bodies. The President’s Council of Advisors on Science and Technology (PCAST) in the US initiated a working group on cyber-physical resilience in 2023. They emphasized the need for a different approach that assumes attacks and failures will always happen and focuses on being resilient in the face of these events. Similarly, the European Union has proposed a Cyber Resilience Act to establish cybersecurity requirements for products in the EU market.
There is also growing awareness among enterprise executives about the importance of cyber resiliency. A report from Accenture found that while the majority of CEOs recognize the importance of cybersecurity, many lack confidence in their organization’s ability to prevent or minimize damage from cyberattacks. Only a small percentage of CEOs are leading on cybersecurity resilience, highlighting the need for improvement in this area.
Measuring cyber resiliency is a challenge, but there are frameworks and assessment tools available to help organizations evaluate their level of resilience. MITRE’s Cyber Resiliency Engineering Framework (CREF) and NIST Special Publication 800-160 Volume 2 are examples of such resources. These tools enable organizations to set goals, assess their capabilities, and develop strategies to improve resilience. Commercial products are also available for assessing and measuring cyber resiliency.
However, it is important to note that these frameworks and assessments are not meant to be used as a check-the-box exercise. They should prompt CISOs and executives to evaluate whether their organization can anticipate and withstand attacks with the right controls and capabilities. Cyber resiliency requires a layered defense, with a focus on people, processes, and technology, as well as proper governance and services.
In addition to using frameworks and assessments, organizations can also conduct tabletop drills and red-team exercises to test their resiliency. These exercises simulate cyber incidents and allow organizations to identify weaknesses and areas for improvement. Repeating these drills regularly lets an organization track the progress of its cybersecurity program and the effect that progress has on resiliency.
Ultimately, cyber resiliency requires a holistic and proactive approach to cybersecurity. It involves establishing a strong foundation of security controls, understanding the organization’s risk tolerance, and continuously improving incident response capabilities. By prioritizing cyber resiliency, organizations can ensure that they can “take a licking and keep on ticking” in the face of cyberattacks and disruptions.