How to Build True Cyber Resilience

Hackers will find a way in. The inevitability of a cyberattack can be a tough pill to swallow. But once leadership teams accept that not every attack can be thwarted, they can prepare their organizations to respond and recover effectively. The concept of cyber resilience is much discussed, but it takes time, resources, and organization-wide commitment to achieve. 

Defining Cyber Resilience

Cyber resilience is a business objective, according to Richard Seiersen, chief risk officer at IT services and consulting company Resilience. “Resilience comes down to the ability tocontinuously deliver value to your stakeholders, even when facing material losses,” he explains.

Organizations need a shift in mindset and security strategy to achieve this business objective. First, leadership teams need to acknowledge that cyberattacks are inevitable. From there, they can assess the risks specific to their business, build the strategies necessary to mitigate those risks, respond when an attack does happen, and continue operations while working through an incident.

Cyber Resilience Today

Where are organizations in their journeys to cyber resilience today? Cybersecurity awareness has grown in recent years. It is no longer just an IT and security executive concern. The rest of the C-suite and board members are getting onboard, but understanding the need to recognize and respond to cyber threats is just the first step to actually implementing cyber resilience. 

“I think most organizations understand that they will be attacked at some point, so in theory they understand the need for a focus on cyber resilience; but they are struggling to implement and measure it as a program,” says Tia Hopkins, chief cyber resilience officer and field CTO at managed detection and response company eSentire.

Seiersen considers risk mitigation, transfer, and acceptance as core elements of cyber resilience. “I believe most companies do some components of cyber resilience,” he shares. “They buy insurance (transfer), security controls (mitigation), and have capital reserves (acceptance). But the groups that do each of these activities work in isolation, each working towards their own objectives.”

Cyber resilience is a holistic concept, and a fragmented approach makes it difficult to achieve. It may be particularly challenging for smaller organizations to move away from that fragmented approach.

“Cyber resilience these days is the privilege of mainly larger organizations. Small and medium size enterprises opt-out to fragmented cyber defense and often don’t have access to cyber and business continuity experts that can formulate a meaningful path for better cyber resilience,” says David Chernitzky, CEO of cybersecurity company Armour Cybersecurity.

But there are signs of progress. For example, organizations are cutting down the time that it takes to respond to threats. The Cyber Workforce Benchmark report from of cybersecurity skills training company Immersive Labs found that organizations’ response time went down from 29 days in 2021 to 19 days in 2022.

James Hadley, CEO and founder of Immersive Labs, believes that faster response times are a positive sign; faster response times mean organizations are addressing vulnerabilities and reducing the risk of negative impact.

While there is no shortage of headlines and research that underscores the importance of cyber resilience, it may take a real-life incident to galvanize leadership teams to action.

“Only a small number of organizations are proactive in building their cyber resilience; the majority of organizations I’ve met throughout my career had to go through unpleasant experiences of cyber incidents to start their journey to a more cyber resilient future,” says Chernitzky.

Building a Strategy

Cyber resilience cannot be achieved by implementing one initiative or investing in one new technology. “CISOs should focus on the question, ‘How ready are we?’" says Hopkins.

Are organizations ready to detect threats, respond to them, recover, and adapt to an ever-changing threat landscape?

“The first step to building cyber resilience involves understanding which cyberattacks are most relevant to an organization based on its industry, location, IT ecosystem, data type, users, etc.,” says Tony Velleca, CISO at digital technology and IT service company UST and CEO of CyberProof, a UST security services company.

Once an organization understands its risks, the question becomes how to detect those threats, stop them, and contain them if and when they become cybersecurity incidents. The answer lies in a blend of technology and talent.

Combining the power of cybersecurity tools, such as zero trust and managed detection and response, can help organizations achieve cyber resilience, but they need to ensure the strategies they deploy make measurable progress toward that goal.

“Organizations can no longer rationalize investing in costly traditional cybersecurity training, nor can they dump all their money into tech stacks alone,” Hadley cautions.

Instead of taking a check-the-box approach to cybersecurity, Hadley encourages regular cybersecurity exercises and hands-on labs that give actual metrics that reflect a team’s abilities to respond to incidents.

“Take an always-on approach that consists of regular exercising and obtaining measurable improvements, which will ultimately lead to stronger cyber postures for the organization and instill the needed confidence to know teams are actually ready when a crisis hits,” he says.

Leadership also needs to consider where their data lives and the kind of talent necessary to keep up with an evolving threat landscape. Many organizations have migrated from data centers to the public cloud or are in the process of doing so.

“A key problem for enterprises undergoing cloud migration is human resources, i.e., your existing cybersecurity team may not have prior experience with this. An enterprise needs to retrain or upskill its talent or to start finding new talent,” says Velleca.

Remember that cyber resilience is not achieved and then forgotten. It requires regular updates to its strategic pillars to remain effective. Organizations can schedule regular annual, semi-annual, or quarterly reviews of cybersecurity processes, like detection and incident response. But agility is essential. Any change in an organization’s environment introduces gaps and opportunities for threat actors to exploit.

“There are events such as security incidents, infrastructure changes, cloud adoption, mergers and acquisitions, office relocation, major industry breaches -- the list goes on and on -- that should be considered triggers for review outside the regular cadence,” says Hopkins.

Budgeting for Cyber Resilience

Recovery is essential to cyber resilience, but spending in many organizations is skewed toward defense. InformationWeek surveyed 180 IT and cybersecurity professionals in the Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023 and found that company spending, on average, is 70% on defense and 30% on recovery.

Leadership teams likely need to reevaluate cybersecurity spending to determine how to fund a resilient strategy effectively. The answer isn’t abandoning defense and pouring money solely into response. It is about finding a balance that works for an organization.

“Cyber resilience is a much more holistic concept, balancing investments in mitigation, transfer, and acceptance to ensure the business is able to fulfill its mission -- particularly when facing material losses,” says Seiersen.

Hopkins cautions against using fear, uncertainty, and doubt as a means to persuade board members and senior leaders of the importance of cyber resilience. “Decision-makers may not respond well because they might struggle to connect the dots between what’s going on in the threat landscape and the financial impact to the business,” she says.

Instead, CISOs and other cybersecurity leaders can use the art of storytelling to effectively communicate with other leaders and board members.

“Education and storytelling about how cyber can cause much pain to an organization enable CISOs and CIOs to be successful in getting buy-in from stakeholders and appropriate budgets for cyber resilience,” says Chernitzky.

The Future of Cyber Resilience

As companies grapple with the realities of the threat landscape, cyber resilience will likely be adopted out of necessity. Additionally, new regulations could have a hand in driving this trend. Seiersen offers the new Securities and Exchange Commission (SEC) rules on cybersecurity as an example. In July, the SEC announced new rules that will require public companies to report material cybersecurity incidents.

“I think the new SEC cyber rules will be a forcing function for businesses to focus on material losses over generalized cybersecurity, and it will soon become the de facto approach,” says Seiersen.

The changes cyber resilience drives in cybersecurity culture could be reflected in the C-suite. “We’ll continue to see the cyber resilience function, whether as a standalone C-level position or as part of the CISO or CSO role, officially take shape within organizations,” Hopkins expects.

Organizations that want to want to achieve cyber resilience will need to commit to implementing a holistic strategy and continuous skill improvement for all team members.

“Hopefully, in three to five years, we will see many more organizations that can withstand cyber-attacks that would destroy them today,” says Chernitzky.

What to Read Next:

Adapting to the Cloud Era of Cybersecurity: How CISO’s Priorities Are Evolving

Are Public Companies Ready for the New SEC Cybersecurity Rules?

Bad Data: Is Cybersecurity Data Any Good at All?