Demystifying Cyber Resilience: From Best Practice to Execution

Written by

Everyone talks about cyber resilience, it’s a term frequently thrown around.

From regulators across all continents to vendors, who don’t refrain from showcasing the awesomeness of their ‘resilient’ products in many ways and forms.

I delved deep into the realm of cyber resilience, or in other words, the art of building trustworthy systems, in November 2019 when my boss gave me a call to inform me about an exciting new publication from the US National Institute of Standards and Technology (NIST) titled “Developing Cyber Resilient Systems: A Systems Security Engineering Approach.”

From then on, I realized that there exists a significant level of ambiguity concerning a fundamental aspect that extends beyond mere semantics.

The Difference Between Operational Resilience, Cybersecurity and Cyber Resilience

The starting point lies in the ability to clearly define and differentiate between operational resilience, cybersecurity and, obviously, cyber resilience.

These terms are often used interchangeably, but they represent distinct facets of an organization's risk strategy in what are the different risks they address, the different asset types they safeguard or aim to protect, the different defensive controls they require to meet the organization’s objectives and the different types of threats they want to prioritize and therefore address.

Here are commonly accepted definitions of these three concepts:

  • Operational resilience, or as I call it, the ‘traditional’ IT resilience, encompasses the broader ability to adapt and recover from various disruptions including non-adversarial threats. Examples of capabilities in this space are business continuity, disaster recovery and crisis management.
  • Cybersecurity encompasses an extensive array of defensive measures, as delineated in NIST 800-53, constituting nearly 1200 distinct control requirements.
  • Cyber resilience, instead, seeks to augment the profundity of a concise selection of these, provided by both NIST 800-160 and 800-172, amounting to approximately 260 control requirements.

To bridge the gap from theory to practice, clarity is on what are the right requirements that we need to apply to the right assets to address the threats that mitigate the risks that will bring us outside of risk appetite when adversity appears.

In a few words: shifting the focus from merely trying to reduce the likelihood of some malicious event occurring, i.e. keeping adversary from doing harm, towards being able to continuously visualize our cyber resilience posture, reducing the likelihood of impact (from events that have materialized) and the magnitude of impact that can cause our organization to fall like a domino once few highly interconnected assets have been compromised.

Defining What Compromise Means

Another crucial aspect is establishing a firm definition of ‘compromise.’

In operational resilience terms, it means a loss of IT system availability (regardless of the cause that is behind that event).

In modern terms, instead, we should speak about a compromise of either confidentiality, integrity or availability – commonly referred to as the CIA triad.

The methodology that we should all use to identify the assets that matter most, based on inherent impact loss of confidentiality, integrity or availability, sits in the very first step of the Risk Management Framework: categorize the system and information processed, stored, and transmitted based on an impact analysis.

Not many know that getting this first step wrong (understanding inherent impacts) will surely skew all the efforts done at later steps of any risk management activity, from quantifying inherent risk to architecting and engineering the controls to achieve residual impact.

It’s a vital aspect of cyber resilience to ensure we don’t look at C, I and A in silos but instead adopt new business impact analysis methodologies that are threat-centric, i.e. start from a deep understanding of what are the cyber threat actors that represent a bigger concern to our organization and as well focus on the convergence of IT, OT and safety.

If we want to endure, recover, and maintain functionality despite complex and pervasive cyber threats we cannot focus on protecting all assets, with a special focus on high value assets or crown jewels (anything of business value) but, above all, we should be protecting the high value targets (adopting an adversarial view) that can cause the biggest harm to the organization’s mission delivery due to their transversal, horizontal widespread presence.

Those systems are highly targeted by threat actors because they perform functions critical to trust and are thus stepping-stones into everything else.

Adopting an ‘Assume Breach’ Posture

A robust cyber resilience strategy acknowledges the inevitability of breaches and focuses on removing the adversary's tactical advantage.

It involves constant analysis, planning, and execution of cyber resilience techniques to improve architectural resiliency against advanced cyber threats.

But who is behind such a strategy?

Someone who masters cyber resilience as a competency: a set of abilities related to architecting, designing, developing, implementing, maintaining, and sustaining the trustworthiness of systems that use or are enabled by cyber resources to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks.

Putting it in plain words, the Cyber Resilience Officer – a figure currently missing in most organizations – is the one who needs to ensure that high-value targets are identified and continuously protected against disruptive cyberattacks.

This can be achieved in many ways and the art which I referenced at the beginning of this text is to find out what’s the right cyber resilience strategy to adopt and sustainably stay ahead of the cyber threat. Trivial, isn’t it?

Conclusion

In conclusion, cyber resilience is not just a theoretical concept showcased in social media profiles taglines or into shiny presentations. It’s a specific subset of advanced practices which should be streamlined from processes to assets via a risk management framework, applied via a very practical architectural and system engineering approaches.

Organizations that manage to master cyber resilience not only will meet regulatory compliance in this area but will confidently navigate the complex and ever-evolving cybersecurity landscape.

Focusing defenses where they matter most should be a top priority for leaders, enabling their organizations to emerge stronger in the face of sophisticated cyber threats.

Read more: EU Council and Parliament Reach Agreement on Cyber Resilience Act

What’s hot on Infosecurity Magazine?