It is increasingly common to hear about cyber-resilience in the field of cybersecurity. The idea of resilience is far from new. We can identify nature's ability to resist in the simplest examples, such as the flexibility of a tree in the face of the force of the wind. Entities that operate critical infrastructure and provide essential services to society have long understood the need to keep their field systems operational in the face of adverse events, such as bad weather conditions.
Cyber-resilience is, therefore, about bringing this concept of resilience to the digital world. One particularly interesting cyber-resilience definition, combining the main capabilities attributed to cyber-resilience with the idea of building systems in engineering, is: “The ability to build systems that are able to anticipate and circumvent accidents, survive disruptions through appropriate learning and adaptation, and recover from disruptions by restoring the pre-disruption state as closely as possible.” In practice, cyber-resilience is the ability to be prepared for everything that may occur in the digital space, through the design, construction and operation of systems according to engineering principles, with resilience being one of the properties of those systems!
Current reality shows us, on the one hand, that cyberattacks are increasing in number and sophistication, with consequences that are also more serious, while, on the other hand, as a result of progress, our technological dependence is growing and systems are evolving, opening space for the emergence of more vulnerabilities, as well as the motivations for their exploitation by malicious agents.
We must have the courage to assume that modern systems are complex and highly interconnected and that, as such, the environments in which they operate, as well as their supply chains, will always have flaws and weaknesses that adversaries can exploit, because there is no absolute security capable of protecting against all threats. We must, therefore, Assume Breach!
“Cyber-resilience complements the objectives of cybersecurity, ensuring operational continuity of the organization's critical functions in face of adverse events.”
Assume Breach is also one of the principles of the Zero Trust cybersecurity philosophy (the only really new one, because the other two, “verify always” and “least privilege”, have underpinned cybersecurity since the beginning). Sharing a principle doesn’t mean replacing cybersecurity with cyber-resilience, as is sometimes dangerously implied in articles on the subject. Cyber-resilience complements the objectives of cybersecurity, enhancing some of the measures it implements, to achieve its own primary objective, which is to ensure operational continuity of the organization's critical functions in the face of adverse events.
How to build cyber-resilience
Cyber-resilience cannot be acquired as a product, a service, or a one-time project. Cyber-resilience is a mindset, a philosophy, a change in the organization’s DNA. Following one of the most complete guides to building cyber-resilient systems (NIST Special Publication to Develop Cyber-Resilient Systems), we must pursue, as objectives, the ability to anticipate, resist, recover and adapt. To achieve those objectives, we have at our disposal various techniques, such as segmentation or adaptive response, and principles to adopt, the most relevant being the focus on critical assets, which consists of knowing which mission or business functions, tasks, capabilities, and assets are critical for business operation.
A cyber-resilience approach should be adopted across the whole organization, from the layers of business services to the processes that support them, up to the different logical and physical levels of building and operating systems. We should consider having a cyber-resilience champion whenever we are designing a service, a process, or a technology solution, with established key indicators, and always exercise the organization's ability to resist and recover.
Technology underpins society’s modern progress but also creates a dangerous dependence, exposing essential services to cyber threats. In an increasingly dynamic world, where uncertainty becomes a new certainty, it is fundamental, in order to achieve the digital trust needed to sustain development, to move towards a cyber-resilience paradigm because … we must be prepared for anything!