Building Cyber Resiliency Through Governance

Cyber resiliency can be defined as the capacity of an organization to maintain essential functions and quickly recover from cyber incidents, minimizing operational and service disruptions.

Cyber resiliency starts with prevention. However, in the constant back-and-forth arms race between criminals and cybersecurity practitioners, it’s almost inevitable that the bad guys will seize a temporary advantage and penetrate corporate defenses at some point.

Given this risk, corporate management teams and boards of directors should be pushing their companies to beef up strategies to limit the impact of successful attacks if and when they do occur. That means including more focus on controls that define how an organization will react when an attack is identified, including containing the incident and notifying external parties.

Beyond Prevention (Resiliency)

Preventive measures are not perfect. There is always a chance that threat actors will identify a gap in the defenses. Resiliency in those scenarios will depend on how well the organization has planned. When a successful attack occurs, companies must be able to spot it and respond immediately.

Attacks don’t just happen during business hours. They happen on weekends. Or when the head of IT is skiing in Vail. Or while the CEO is on a plane above the Atlantic. For that reason, when it comes to responding to a cyber-attack, a comprehensive response plan for human assets is key.

Companies need a plan that allows them to make timely decisions when an attack occurs, knowing that circumstances likely won’t be ideal. It must assign personnel for crisis monitoring and response on a 24/7 basis and include a crystal-clear escalation policy.

The person or team on duty must have the contact information (and, in the best case, calendar and schedule information) not only for their direct superiors, but for leaders at least two steps up the org chart.

Everyone in the organization should know the next step if the person directly above them is not available. That includes timelines for decision-making. For example, if an individual cannot contact anyone at a higher level within a preset period of time, he or she is authorized to make a decision and act. It also includes instructions on when the board should be notified in the event of an attack and how to contact the right board member.
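The escalation rule described above can be exercised as a small simulation, which is also useful for the "key decision-maker unavailable" drills discussed later. This is an added example, not code from the article; the contact chain, the time per attempt, the decision deadline and the board-notification rule are constructed assumptions, not a policy the article specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    name: str
    role: str
    reachable: bool  # constructed availability for this exercise


@dataclass(frozen=True)
class EscalationPolicy:
    chain: tuple              # org chart from the on-duty responder upward
    minutes_per_attempt: int  # time allowed to reach each level before moving up
    decision_deadline: int    # minutes after which the responder may act alone
    board_notify_level: int   # chain index at or above which the board is told


def escalate(policy: EscalationPolicy) -> dict:
    """Walk the chain upward from the on-duty responder, one level at a time.

    The first reachable superior becomes the decision-maker. If the preset
    deadline passes with nobody reached, the responder is authorized to act.
    Assumed rule: the board is notified when the escalation reaches
    board_notify_level or when the responder has to act alone.
    """
    responder = policy.chain[0]
    elapsed = 0
    attempted = []
    for idx, person in enumerate(policy.chain[1:], start=1):
        if elapsed >= policy.decision_deadline:
            break
        elapsed += policy.minutes_per_attempt
        attempted.append(person.name)
        if person.reachable:
            return {"decider": person.name, "elapsed": elapsed,
                    "attempted": attempted, "acted_alone": False,
                    "board_notified": idx >= policy.board_notify_level}
    return {"decider": responder.name, "elapsed": elapsed,
            "attempted": attempted, "acted_alone": True,
            "board_notified": True}


def plan_gaps(policy: EscalationPolicy) -> list:
    """Static checks on the plan itself, independent of who is reachable."""
    gaps = []
    if len(policy.chain) < 3:
        gaps.append("responder has fewer than two escalation levels above them")
    if policy.decision_deadline <= 0:
        gaps.append("no preset period after which the responder may act")
    if policy.board_notify_level >= len(policy.chain):
        gaps.append("board notification can never trigger by escalation level")
    return gaps
```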

Test, Simulate and Practice

Once plans are in place, the next step is to test, test, and test again. Simulations are an essential way for companies to test their response plans and give employees practice “reps” that build organizational muscle memory in responding to a crisis.

Simulations can range in sophistication from simple “table-top” exercises to sophisticated “cyber range” platforms that detonate safe payloads in the system, immersing employees in a highly realistic attack scenario. Regardless of what type of simulation a company uses, the process must include a feedback loop that identifies and addresses problems from the execution level up to high-level governance policies, along with follow-up changes to prevention controls.

The simulations should include scenarios where key decision-makers are unavailable and different levels of the organization have to make judgement calls on how to respond to a particular situation.

If there is an indication of ransomware moving through servers, can segments of the network be isolated or shut down? Who has the ability to execute a kill switch, and what approvals are needed? How long would it take for a decision to be made while the attack expands its impact? These are the types of scenarios that should be practiced so that different members of the organization are comfortable with the uncertainty and have a good idea of how much leeway they have.

Simulations should also include some mechanism that captures and reports results that can be used to demonstrate security capabilities and progress to both board oversight groups and to other external parties such as regulators or clients.

Throughout this process, the cybersecurity team should document everything, including the details of every scenario and “runbooks” that capture organizational responses.

Analyzing these response steps will build a better understanding of the options available, the stakeholders involved and the required actions. These insights will accelerate response times and ensure staff are aware of all potential courses of action.

This analysis can benefit from a large language model solution in which several runbooks are fed into the AI application and the incident response team can scan results for new information and tactics.

Resiliency is Rooted in Governance

Given the stakes, boards of directors should be intimately familiar with organizational “response controls.” Board members should be comfortable with how the response process works, levels of escalation and their expected involvement.

To achieve that level of comfort, board members should be actively questioning both executive management and the CISO. The board should ask about the frequency of tests, the types of assessment applied to the plan, how many scenarios have been covered by runbooks and any gaps identified during testing. The board should also ask for an incident response roadmap with gradual increments in scope and depth.

Finally, the board, management and the security team should be constantly watching the industry for new reported breaches. Not only will those events alert the organization to new threats, they will provide fresh scenarios that the security team can use to test the response plans that will protect the company if and when threat actors overcome prevention controls.