The 10-second version is this: Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been. And the cybersecurity industry, for what it's worth, has generally avoided this concept because it goes against the narrative that their respective offerings—whether it's a firewall, IDS, monitoring tool, or otherwise—would be the one-size-fits-all silver bullet that can keep businesses safe.
But reality tells a different story: Worldwide cybersecurity spending has increased every year since the word was invented. And so have data breaches and their severity. One would assume that pouring billions into solving a specific problem would eventually yield some sort of indicator of improvement. Clearly, the status quo is wrong.
Fortunately, businesses and governments are waking up and understanding that cyber risk is a far more nuanced problem than any single product could tackle. They are realizing that achieving a resilient state requires more than technology—it requires information, awareness, people, and processes in place so each organization can understand their unique risk posture.
To get a sense of the scale of the problem, think about the cyber risks that exist for the very smallest of businesses. Even the simplest of mom-and-pop operations are subject to many of the same types of threats—let's consider the barest minimum of business computing: a spreadsheet on a workstation containing customer records. An entire small business can live in that file, but that file must be stored somewhere secure, must be backed up, and must have appropriate permissions. And that file faces a number of ongoing risks—its host machine contracting malware, hardware failure, weak passwords, malicious actors, and so on. Now extrapolate that out to the size of an enterprise—countless sensitive files spread among thousands of employees and thousands of servers with an ever-changing infrastructure—and it is easy to see one way in which understanding cyber risk can become very complicated, very quickly.
The first instinct when realizing the vastness of potential risks to your business is to lock everything down as much as possible. And that’s prudent to a degree, but if you go too far, you run the risk of grinding business operations and innovation to a halt—which is another type of risk in itself. As is the case so often in life, neither polar extreme is ideal and the appropriate balance must be found. That is the challenge—and really, the art—of cyber resilience—recognizing and understanding cyber risk as business risk, and making the most appropriate decisions going forward. Denying cyber resilience by marginalizing cyber risk as “an IT problem” or “something for the CISO to worry about” is a critical error which actively harms the entire organization.
That is one of the core reasons we built UpGuard—the realization that every device, every configuration item, every process implemented makes an adjustment to an organization's overall risk potential, either positive or negative. And no traditional or manual way of attempting to understand that risk could hope to keep up with the explosive rate of change now happening within organizations.
That's why we built UpGuard, the world's first cyber resilience platform.
Mike Baukes and Alan Sharp-Paul