The way businesses handle the risks posed by their technology is changing. As with anything, adaptability is survivability. When the techniques, methods, and philosophies of the past aren’t working, the time has come to find something better to replace them. Cyber resilience is a set of practices and perspectives that mitigate risk within the processes and workflow of normal operations in order to protect organizations from their own technology and the people who would try to exploit it. This includes all forms of cyber attacks, but also applies to process errors inside the business that put data and assets in danger without outside help.
Digitization has propelled the world into faster cycles, instant communication, data-driven analysis, and social media. But the technology powering these innovations is far from bulletproof, and the risks they pose are catching up to the value and functionality they provide. Unlike traditional approaches to this problem, resilience isn’t about putting something down on top of the IT infrastructure to make it more secure— it’s about rethinking how the infrastructure itself is built, managed, and maintained over time. It’s the day-to-day operations of the business that determine the durability of its assets, and it is inside of them that resilience must be created.
The History of Cyber Resilience
The first attempt to solve technological risk can be generally categorized as “security.” Cybersecurity is a powerful word, and it’s in heavy use today as a catch all for any time of cyber risk mitigation, but the history of practice reveals a trend away from traditional security-based approaches. In an article for the World Economic Forum, Daniel Dobrygowski stated that “Security, in contrast to resilience, can be seen as binary. Either something is secure or it isn’t… there is a difference between the access control of cybersecurity and the more strategic, long-term thinking cyber resilience should evoke.” Essentially, cyber risk was seen as a series of gaps in technology, which, when plugged with the right pieces, would prevent their exploitation. Problems with malware? You need an enterprise anti-malware appliance. Problems with open shares? You need a firewall. Problems with unauthorized network access? You need an intrusion prevention system.
The problem is that layering additional technology on top of technology that is fundamentally unsound does not and will not fix the original underlying issues. Companies in 2016 spent more than they ever have on cybersecurity, over $20B altogether. 2016 also saw a record number of breaches and cyber incidents around the world. That security solutions have not completely fixed the fundamental risk of technology is apparent. So people started to look for a new way.
The DevOps movement was born out of the frustration that IT workers encountered trying to deliver software in an enterprise environment. Developers would focus only on how their applications behaved in their test environments. When they tried to deploy them to production and encountered problems, it was because the ops guys had a messed up environment. Sysadmins and other ops crew would build stable, high-performance environments to spec that functioned perfectly on their own, but would run into problems as soon as a developer tried to deploy a new application. The problem was obviously the code.
Fortunately, this gridlock was surmounted and the DevOps movement sought a way to hold both developers and sysadmins accountable for the big picture goals of the business. But even as DevOps took off, it was evolving. DevSecOps emerged from the concern that security teams (in organizations large enough to have that level of specialization) were being omitted from the newly streamlined DevOps workflow. DevSecOps argued that just as development and operations needed to work together to build a successful software delivery environment, developers, operators, AND security professionals needed to work together to build a successful IT environment.
DevOps plus security gives us DevSecOps; DevSecOps plus business concerns gives us cyber resilience. While DevSecOps focused on securing the IT environment, cyber resilience is about protecting the entire business. DevSecOps can be both operational and secure, yet still miss out on delivering what matters. The consequences of a data breach aren’t technical, they’re social, financial, reputational. Businesses that rely on information technology - which is to say nearly every business - must include cyber risk as a critical business priority, integrating IT with business operations and goals instead of operating a technical island, opaque even to upper management.
Cyber risk is business risk. IT work is work. The workflow and processes that guide that work are what determine the resilience of the organization. Process controls, automation, and verification bolster normal IT operations and reduce the risks of the digital environment significantly. Many major cyber attacks only affect unpatched systems. But often this isn’t a technical problem with patching, it’s a cadence issue with IT work processes. Most of the largest data leaks are the result of misconfigured assets, not cyber attacks. This isn’t a technical problem with the assets. For example, Amazon’s S3 storage is private by default. It’s a process problem in how S3 buckets are deployed and maintained.
The McKinsey Global Institute and ‘Beyond Cybersecurity’
The McKinsey Global Institute is one of the top private sector think tanks in the world, and their resilience strategies for digital business have helped businesses realign their technology and processes to better protect against threats and error.
In 2015, a book called Beyond Cybersecurity was released which detailed exactly why resilience was the key to the future of digital business. In it, a study by the McKinsey Global Institute estimated a possible $3 trillion in lost value by 2020 due to a phenomenon known as digital backlash. According to McKinsey, digital backlash is the gradual loss of trust in technology that prevents innovation and the adoption of new technology due to incidents that disrupt services such as an outage, as well as security and privacy concerns that make the technology unsuitable for actual use despite the value it may provide.
The State of Cyber Resilience
Where Resilience Is Working
Europe and the UK have seen broader adoption of the cyber resilience strategy. The UK’s Financial Conduct Authority (FCA) holds cyber resilience as a central tenet. The FCA states that their “goal is to help firms become more resilient to cyber attacks, while ensuring that consumers are protected and market integrity is upheld.” The FCA regulates financial markets in the UK, so their cyber measures apply to some of the most sensitive transactions on the internet. In a speech delivered at the FT Cyber Security Summit, Nausicaa Delfas, the Director of Specialist Supervision at FCA, said “We strongly encourage firms to evolve and instil within them a holistic ‘security culture’ — covering not just technology, but people and processes too.”
The multinational Business Continuity Institute (BCI) uses cyber resilience ideas within their sphere of disaster preparedness and recovery. Business continuity is largely about planning for a disaster, which is an important part of resilience. But there’s no reason resilience should be confined to disasters in general; the same principles apply just as well to day-to-day operations, and can achieve the same benefits for normal business that continuity solutions offer for disasters.
Of course no sea change is easy. “The way we’ve always done it” has power within the enterprise for a reason— change overturns the applecart. Modifying processes and workflows, especially those rusted into long-standing grooves, takes time and willingness by the people who have to do the work day in and day out. This is why it is necessary for business leaders at the highest levels to spearhead resilience campaigns, and to provide their IT staff with the support and resources necessary to carry them out. Cyber risk is business risk. This is about keeping the entire organization afloat, securing its future, and protecting its customers. Buy-in can’t be optional.
Why Cyber Resilience Matters
Trajectory of Digital Business
The digital backlash scenario posited in Beyond Cybersecurity will affect organizations without resilient technology. In the competitive marketplace, the relative cyber risk between vendors has already become an important criterion for selection— this will only become more prominent as technology related incidents continue damaging businesses and their customers. Innovation isn’t just about new and better functionality, but about reducing the chances that the technology itself will bring down the business. To stay modern, to operate at scale, to move in real time, organizations must adopt a cyber resilience strategy to maintain business continuity and security.
But unlike security strategies that layer technology over the problems, cyber resilience brings real value to organizations by improving day-to-day operations for the IT team. Since resilience focuses on the work itself, and the processes necessary to get that work done, the benefits of a resilient IT shop manifest even without a security incident or outage to withstand. Visibility, documentation, automation, and validation make IT professionals’ lives easier. Resilience reduces firefighting and hastens troubleshooting, leaving teams to work on business projects instead of constantly deferring to unplanned work. This too provides a competitive advantage for those organizations that utilize it.
Consumer Savvy, Computer Savvy
Business isn’t the only thing being digitized at a steady pace. The daily lives of most people now involve a great deal of abstraction through apps, the internet, smart devices, and other personal and social technologies. This also means that people’s interest and awareness of technological issues is increasing as well, if for no other reason than their effects are glaringly obvious to those who are regularly plugged-in.
Identity theft, data exposure, and financial fraud are now household concepts. Data breaches make headlines precisely because the stakes of information are so high. Many businesses make a point of putting the customer first, but if they don’t take care with their data handling processes (or the vendors to whom they outsource such work) they will not only do their customers a great disservice, but will lose them entirely to products and services better able to provide trustworthy and reliable technology.
In short, cyber resilience is about taking a step back and reevaluating technology in the context of the work that makes it function. How do you build and maintain a digital environment that can not only provide the necessary functionality, but do so reliably and with minimal risk? This is the question cyber resilience seeks to answer, because it’s the one people care about. No matter how many silver bullet security solutions are stacked around the perimeter, a data center will not be resilient unless the processes that determine it are documented, visible, and validated. With the popularity of cloud technologies, the perimeter can hardly be said to even exist, so cyber risk solutions must look elsewhere to bolster resilience— namely in the work itself.