In classical information security practice [It is interesting to note that the need for information security is barely 30 years old and conventional practice is already considered “classical.”] an organization is expected to identify and categorize its critical assets; evaluate security threats and vulnerabilities; categorize the impact of those threats on the Confidentiality, Integrity and Availability (CIA) of the assets.
Organizations are also supposed to evaluate the likelihood that those threats might actually occur; and identify, implement and monitor “controls” which would mitigate the threats with the greatest likelihood and impact and thus reduce the risk to the organization.
The most committed organizations create a “culture of security” wherein everyone is encouraged to protect confidential information, is provided with policies to follow and training to recognize and report suspicious activity, and tools which monitor user and network behavior.
Yet, despite having the most advanced and innovative tools, providing continued warnings not to share credentials or click on adverse links, and making significant investment in monitoring, security breaches continue to occur on an alarming and regular basis.
The fact is that cyber security alone is no longer sufficient. Organizations must put measures in place to respond to and recover from cyber attacks, and they will need to improve their business continuity management to ensure that if (when?) they are breached they can recover quickly and, importantly, avoid devastating financial losses.
The focus of Cyber Resilience is Recovery. So let’s examine Cyber Resilience through the lens of CIA.
Confidentiality – How will the organization respond to a breach of confidentiality? What incident reporting mechanisms are in place to notify appropriate authorities, end users or customers? What will the impact be on the business of improper or delayed reporting? In the recent eBay breach the greatest criticism was not that the breach happened but that eBay did not report the breach in a timely fashion to its users.
Integrity – How will the organization respond if key data or control systems are manipulated? How are monitoring systems configured to highlight malicious activity within the millions of events that are typically captured?
Availability – What alternate communication pathways and computer systems can be deployed if the core systems become unavailable due to failure or attack? How long will it take to activate the alternate systems? How much data loss might occur during the fail-over process?
In summary, the key to a good Cyber Resilience program is to establish appropriate notification processes, enhance vigilance on network activity and plan for contingent systems if primary ones become unavailable. The program must be tested on a regular basis and updated as regulations, personnel and systems change.
The good news is that the Ponemon Institute says, in its 2014 Data Breach Report, that companies that have implemented good business continuity management programs have 5-10% lower data breach costs than those firms that have not.
About the Author: Ken Leeser’s background blends technical, financial management, business risk, and operations expertise. He has built companies which help organizations and their staffs better understand and implement technology. Most recently, Ken founded Kaliber Data Security and developed the concept of Security Resource Management to better equip organizations to achieve, maintain, and demonstrate security compliance while significantly improving their security posture. He helps businesses improve their Information Risk Management programs with the conviction that IT Security is not merely a technical issue, but rather a process that involves employees at all levels of an organization and is integral to business success. Prior to Kaliber Data Security, Ken led firms which helped organizations automate critical business processes through the selection, implementation and customization of enterprise management software. Ken holds Bachelor and Masters Degrees in Engineering from The Johns Hopkins University. He graduated from the Graduate School of Business Administration at Harvard University with an MBA. For further information please visit www.kaliberdatasecurity.com, follow him @KALDataSecurity – www.linkedin.com/kenleeser or contact Ken directly: firstname.lastname@example.org.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.