Why Is Cyber Resilience Essential and Who's Responsible for It?

Image

In the first installment of our series on cyber resilience, we discussed what being a resilient organization means. In this installment, we'll explore why organizations need to consider how to become resilient, who's responsible for achieving this, and the processes organizations must have to prioritize actions and effectively spend their budgets.

Why Your Organization Needs to Consider Cyber Resilience

An organization needs to consider resilience because an improperly handled incident can go so far over budget that it cannot return to business as usual (BAU) or simply because they don't have a response plan to said incident and the direction is unknown. As discussed previously, resilience is about maintaining a minimum level of capabilities during an incident and returning to BAU. Here's why Matt Torrens, a business coach and cybersecurity expert, thinks resilience is essential to a legal IT service provider:

• It helps the organization respect client data and legal obligations and enables them to produce evidence of this.
• It allows them to maintain and enhance the global reputation of the UK legal services sector.
• Only the most tech-savvy law firms will survive in a digitally hyper-connected world.
• It is inconceivable that the delivery of legal services can remain exempt from IT and data security concerns.
• The legal sector is one of the least defended paths to sensitive information.
• The threats won't stop coming.  

While all the above points have value, arguably the most important is "to respect our client data." To achieve cyber resilience, you must respect the information consumers give you temporary access to.

Often, I speak on the role of developers and technical persons within my industry, along with their job's moral and ethical requirements. During a previous talk at a developer conference, I said: "Developers are given temporary access to consumers' intimate life details, and it is their responsibility to honor and protect this." However, I don't restrict this understanding to developers. This responsibility is necessary for each person, organization, and even society. Cyber resilience is about respecting the value of your consumers and their information. Failure to do so can have devastating consequences.

Responsibility and Cyber Resilience

Regarding responsibility for ensuring resilience, while the legal obligations lie with the organization and senior leadership, it is a company-wide issue. It stretches from the cleaning staff finding confidential papers and placing them in shredding bins instead of the rubbish to the network architects building solutions that follow security best practices and maintaining their skills for finding and solving vulnerabilities. Each department identifies ways to embed privacy and security by design and default within its daily responsibilities. Matt shared the following with me when I asked him about the responsibilities surrounding cyber resilience within an organization:

"Beliefs guide emotion...emotion drives behavior...and behavior, over time, forms habit. The challenge of creating great cyber behaviors and habits begins at the top of any organization. The most senior staff must lead by example, not only because they are often the most laser-targeted employees but also because cyber behavior is intrinsically linked with the organization's values. To be as effective as possible, cyber resilience should be a specific and strategic Board-level objective with its outcomes measured objectively and regularly. All departments and staff hold an equal level of accountability, particularly at the point of the human firewall. Organizations must implement processes that promote habitual security through best practice, sensible behaviors, and centralized controls."

Organizations that want to understand this particular aspect of cyber resilience in greater detail can refer to the National Cyber Security Centre in the United Kingdom, which has produced a Board Toolkit for support. Board members don't need to be technical experts, but they need to know enough about cybersecurity to have a fluent conversation with their experts and understand the right questions to ask.

Understanding the Human Element of Cyber Resilience

In a previous role, I worked for a law firm. It was well interesting work, and part of this was having the privilege to join colleagues in sharing one of my favorite presentations on dealing with data breaches. We discussed costs and processes like others, but what stood out in our presentation, which I've yet to see elsewhere, was the angle of bringing in lawyers and public relations from the start. This organization worked with incident handling quite a bit, and they were quite familiar with how to orchestrate this process for the media.

My colleague, Magnus Boyd, shares the following point that often is forgotten:

"...[V]ery often, the journalists and editors that report on data breaches have a deep technical understanding of hacking that enables them to ask some very penetrating questions early in the process. Those in the middle of managing the data breach can find it very challenging to be confronted at such an early stage with the depth and scope of the media's investigation and assessment of their management."

Simply put, the journalists reporting breaches, even the ones that aren't technical, know what to ask due to previous experiences. When not properly prepared, those public announcements can go embarrassingly wrong. 

I bring this up here because while the technical side of cyber resilience is vital, I always wish to highlight the human side. People, reputation, communication, and notifications are also massively important. When building your response team, the most senior person in an organization should not necessarily be the one notifying affected individuals or the media. Instead, look at the incident and try to find people who are prepared and comfortable to speak under pressure. Transparency, or the perceived transparency from the public eye, has a massive impact on recovery. 

After the year ends and you're looking back at your financial impact, it will play out in losing consumer trust. Ultimately, the senior leadership is responsible for prioritizing resilience within the organization. However, every team member and department can also contribute to cyber resilience from within their role. Preparing for incidents isn't the only side of resilience; it's also responding to and appearing to the public with knowledge and confidence. For 2024, my challenge to organizations is to identify the gaps within their program and recognize the value of resilience across the organization.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.