In recent years, the term “cyber resilience” has become common in discussions about cybersecurity, risk management, and breach mitigation. Cyber resilience represents a different and useful way of thinking about protecting data and information systems.
Rather than focusing only on preventing attacks or intrusions, cyber resilience also attempts to mitigate the consequences of such incidents. As attacks on data and information systems increase – and become increasingly malicious – the concept of cyber resilience can help organizations of all types and sizes do a better job of minimizing the damage caused by these attacks.
Most security experts have come to recognize that cyberattackers have become more numerous, more persistent, and cunning enough to make prevention of an incident alone an inadequate strategy. Some organizations also are recognizing the near certainty that some of the attackers’ attempts will succeed.
In other words, it’s no longer a question of whether an attack will succeed, but when. So what steps can an organization take to minimize the effects of the attack?
That outlook is the underlying mindset that drives organizations to embrace cyber resilience – a concept that draws together practices related to security, disaster recovery, business continuity, and incident response. Many organizations view these disciplines as related but distinct from each other. However, cyber resilience integrates principles and practices from all these fields into a comprehensive readiness and response strategy aimed at minimizing the damage when an incident occurs.
Much of the thinking behind cyber resilience can be traced back to work done for and by the United States Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security. Working with Carnegie Mellon University’s Software Engineering Institute, the team created the CERT Resilience Management Model (CERT-RMM) in 2010, to converge various risk management activities – such as security, business continuity, and IT operations – into a single model. A year later, US-CERT produced the Cyber Resilience Review (CRR), a nontechnical assessment tool to help organizations evaluate operational resilience and cybersecurity practices.
The CERT-RMM and CRR align closely with the central tenets of the widely used National Institute of Standards and Technology (NIST) cybersecurity framework. The CRR enables an organization to relate its cyber resilience capabilities to the NIST framework using a document called a “crosswalk” to compare the two approaches and map the features they have in common.
As updated in 2016, the CERT-RMM organizes cyber resilience into 26 separate process areas. The CRR condenses these areas into 10 domains:
These 10 domains provide a helpful framework for understanding the concept of cyber resilience. They also provide organizations with a structure useful for organizing their cyber resilience efforts. When related to the NIST or a comparable framework, the 10 domains can help risk managers and other responsible parties plan how to deploy their assets – including people, information, technology, and facilities – in support of specific operational missions or critical services.
It is important to avoid the natural tendency to regard the CRR as a checklist or compliance standard. Rather than approaching cyber resilience with a compliance mindset, it’s more useful for an organization to use the assessments to advance its cyber resilience toward greater maturity. The difference is more than just a matter of semantics.
In general, a checklist focuses on whether a control objective is being met. It does not specify how the objective is being met, just that it is operating effectively at a given point in time. For example, an organization might have a requirement to patch its systems, and confirmation that those patches are deployed shows that the control objective is being met.
Maturity, on the other hand, encompasses not only effectiveness but also two additional important attributes: efficiency and responsiveness.
Efficiency describes how the control objectives are met. Processes that are standardized and automated minimize opportunities for manual error. For example, going back to the patching example, an organization that uses tools to identify and roll out patches to servers, workstations, and client-side applications is more mature than an organization that requires a user to interact with a workstation to install a patch.
Responsiveness represents the ability of the organization to react to external influences on its controls. Organizations that have the ability to quickly identify new threats and then develop and deploy mitigation strategies are better prepared in the ever-evolving risk landscape of today. To return to the patching example, most organizations can design a process for standard patch release schedules from their vendors. However, when a critical patch is released over a weekend to address a publicly exploitable vulnerability, responsiveness is defined by how quickly an organization can identify the fix, test it, and execute treatment actions to mitigate the risk appropriately. Responsiveness demonstrates a higher level of maturity.
As with all cyber-based programs, the risk and threat landscape is broad and constantly maturing, often more quickly than the internal responses to those threats. Managing such risks should start with a comprehensive risk assessment to identify which areas to address to provide the most value to the organization.
The risk assessment identifies the cyber resilience components most advantageous for the organization to address in the short term. It also provides a general road map for the organization as the program matures. For example, organizations with little reliance on third parties would see less value in focusing on external dependency management than would a company that has outsourced critical business systems.
In addition to approaching cyber resilience from the perspective of maturity, rather than just effectiveness, those involved can help make cyber resilience efforts more than just another compliance standard. By establishing a foundation for improved decision-making, they can even help cyber resilience develop beyond its primary function as an important risk management tool.
By helping an organization be ready for an incident, a strong cyber resilience program can improve organizational response and minimize the overall impact of an incident, ultimately adding value to any organization.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.