In part one of this cyber resilience blog series, we discussed what it means to be a resilient organization. For part two, let’s discuss why organizations need to consider these challenges and who is responsible for addressing them. Asking why an organization needs to be resilient may sound a bit silly, but I can say from experience that just because something seems obvious doesn’t mean it isn’t a great deal of work. Because of this, organizations require a process for prioritizing the actions that need to be taken so that their budgets are spent effectively.
Why Your Organization Needs to Consider Resilience
An organization needs to consider resilience because an improperly handled incident can run so far over budget that the organization is unable to return to business as usual (BAU), or simply because there is no response plan for that incident and nobody knows which direction to take. As discussed previously, resilience is all about maintaining a minimum level of capability during an incident and then returning to BAU.
When I discussed this with Matt Torrens, the COO at Sprout IT, he produced a brilliant bulleted list of why resilience is vital to his company:
- Because it helps us respect our client data and legal obligations as well as enables us to produce evidence of how we do this.
- Because it allows us to maintain and enhance the global reputation of the UK legal services sector.
- Because only the most tech-savvy law firms will survive in a digitally hyper-connected world.
- Because it is inconceivable that the delivery of legal services can remain exempt from IT and data security concerns.
- Because the legal sector is one of the least defended paths to the most sensitive information.
- Because the threats won’t stop coming.
All of the above are important points on the value of resilience, especially given the sensitive information that Matt works with. But of this list, my favorite is “to respect our client data.” To be a resilient organization, you must respect the information to which consumers give you temporary access.
Oftentimes, I speak on the role of developers and technical persons within my industry along with their moral and ethical requirements of their job. During a previous talk I gave at a developer conference, I said: “Developers are given temporary access to consumers’ intimate life details, and it is their responsibility to honor and protect this.” However, I don’t restrict this understanding to developers. I view this responsibility as a necessity for each person, organization, and even society. Resilience is about respecting the value of your consumers and their information. Failure to do so can have devastating consequences.
Responsibility and Resilience
When it comes to responsibility for ensuring resilience, I believe that whilst the legal obligations ultimately lie with the organization and its senior leadership, it truly is a company-wide issue. It stretches from the cleaning staff who find confidential papers and place them in shredding bins instead of the rubbish, to the network architects who build solutions that follow security best practices and maintain their skills in finding and fixing vulnerabilities, to each department identifying ways to embed privacy and security by design and by default within its daily responsibilities.
Matt shared the following with me when I asked him about the responsibilities surrounding resilience within an organization:
Beliefs guide emotion…emotion drives behavior…and behavior, over time, forms habit. The challenge of creating great cyber behaviors and habits begins at the top of any organization. The most senior staff must lead by example, not least because they are often the most laser-targeted employees but also because cyber behavior is intrinsically linked with the values of the organization. To be as effective as possible, cyber resilience should be a specific and strategic Board-level objective with its outcomes measured objectively and regularly. All departments and staff hold a level of accountability that is shared equally, particularly at the point of the human firewall. Organizations must implement processes that promote habitual security through best practice, sensible behaviors and centralized controls.
Organizations that want to understand this particular aspect of resilience in greater detail can refer to the Board Toolkit produced by the National Cyber Security Centre (NCSC) in the United Kingdom. Board members don’t need to be technical experts, but they need to know enough about cybersecurity to have a fluent conversation with their experts and to understand the right questions to ask.
Understanding the Human Element of Resilience
In a previous role, I worked for a law firm. It was very interesting work, and part of it was having the privilege to join colleagues in delivering one of my favorite presentations, on dealing with data breaches. We discussed costs and processes as others do, but what stood out in our presentation, and what I’ve not yet seen elsewhere, was the angle of bringing in lawyers and public relations from the start. This organization handled incidents regularly and was quite familiar with how to manage that process in front of the media.
My colleague, Magnus Boyd, shares the following point that often is forgotten:
…[V]ery often, the journalists and editors that report on data breaches have a deep technical understanding of hacking that enables them to ask some very penetrating questions early in the process. Those that are in the middle of managing the data breach can find it very challenging to be confronted at such an early stage with the depth and scope of the media’s investigation and assessment of their management.
Simply put, the journalists reporting on breaches, even those who aren’t technical, know what to ask because of previous experience. When an organization is not properly prepared, its public announcements can go embarrassingly wrong. I bring this up here because whilst the technical side of cyber resilience is vital, I always wish to highlight the human side. People, reputation, communication, and notifications are massively important pieces, as well.
When building your response team, keep in mind that the most senior person in charge is not necessarily the right person to notify affected individuals or the media. Instead, look at the incident and find people who are prepared and comfortable speaking under pressure. Transparency, or the transparency perceived by the public, has a massive impact on recovery. When the year has come to a close and you look back at the financial impact, a lack of it will show up as lost consumer trust.
Ultimately, yes, senior leadership is responsible for prioritizing resilience within the organization. However, each and every team member and department can also contribute to that resilience from within their own role. Resilience isn’t only about preparing for incidents; it’s also about responding to them, and facing the public, with knowledge and confidence.
For 2020, my challenge to organizations is to identify the gaps within their program, remove “we take security seriously” from their notification scripts, and recognize the value of resilience across the organization.
About the Author: Zoë Rose is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed effective cyber resilience across their organisation. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at international conferences. Recognised in the 50 most influential women in cybersecurity UK for the past two years, and the PrivSec 200, Zoë is quoted in the media, has presented on National News, has been featured in Vogue Magazine, and was the spokesperson for Nationwide’s Over Sharing campaign that had a reach of 306 million citizens.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.