The Quest for Cyber Resilience—Not Merely Security

Business leaders, lawyers, IT specialists, and the larger public have repeatedly heard entreaties for adopting improved cybersecurity measures. Occasionally they now are hearing the term “cyber resilience, ” which public officials (including the President) and security experts espouse as the primary objective. Why the change? What’s different, other than the term?

The movement to “resilience” began well over a decade ago, borne of a series of intertwined recognitions about the capacity and need to achieve secure systems, networks, and data. These insights included:

  • Organizations possess varying information assets, and face differing threats. The core assets of a bank and a nonprofit retail thrift center may overlap in some degree (e.g., customer information) but their operations and vectors for intrusion will differ, requiring individualized analysis for security measures.
  • Information assets (such as customer lists, employee HR data, strategic business plans, R & D on a new product, email archives) do not possess the same ranked value across organizations. A manufacturer may classify product development and strategic business plans as its top priorities for protection, and a nonprofit hospital chain may classify its patient health care records as preeminent.
  • Few organizations, if any, can justify spending resources to protect all information assets at the same level of intensity. Thus, no one checklist of “good security measures” will suffice.
  • Determining the ranked priority of an organization’s information assets that should be protected cannot properly be allocated to IT management. These determinations are executive functions, and a core part of business continuity planning.
  • The dynamic “arm’s race” between cybercriminals and other hostile actors on one side, and legitimate organizations (business, government, education, etc.) on the other can be expected to continue. In light of the financial and other value that the perps can acquire and the ease with which they can access and exfiltrate data or corrupt the systems, implementing a universal checklist of security controls will not provide the level of protection organizations seek– even if sufficient resources were available.

In the mid-2000s, after joint discussions among academic, industry, and government participants at CERT, “cyber resilience” emerged as the primary goal.  Instead of an elusive security target, the new term was designed to draw attention to the need for business strategic planning and processes for information assets. One key difference in the move to resilience: affirming the importance of not only withstanding cyber intrusions and attacks, but also the ability to recover swiftly from any such disruptions. As the Presidential Directive relates, “Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.” As such, resilience techniques include:

  • Conducting a cyber risk assessment using a respected tool or consultant;
  • Developing and testing a cyber incident business continuity plan; and
  • Assuring redundancy for essential informational assets.

By utilizing a cyber resilience decisional model, such as the RMM or the NIST framework, security investments will be dedicated to protecting the organization’s key assets and assuring a quick return to business operations when a cyber attack or intrusion — or even an employee error– occurs.   It’s a planning and process model for achieving cybersecurity, one that involves a broad range of organizational actors and expertise rather than focused on IT.

Among its activities, the new Center for Cybersecurity and Privacy Protection at Cleveland-Marshall College of Law will identify techniques and resources for undertaking cyber resilience business planning, and stands ready to assist those who are beginning the process.

 

By | 2016-03-18T03:54:15+00:00 October 4th, 2015|0 Comments

About the Author:

Candice Hoke
Candice Hoke is a Professor of Law at Cleveland-Marshall College of Law, Cleveland State University. She has been involved in cybersecurity and cyber-risk management issues for over a decade. Professor Hoke first developed expertise in voting technology security and founded and directed the federally funded Center for Election Integrity at CSU. Working on election security led Professor Hoke to seek systematic advanced training at Carnegie Mellon University, where she earned a Master’s degree in information security. She was a Cyber Security Engineer with the Cyber Risk and Resilience Team at CERT before returning to Cleveland-Marshall. Professor Hoke’s primary focus is cyber risk management, including assessment tools and resilience planning, but she also is certified by the International Association of Privacy Professionals (CIPP/US) as a privacy specialist. She has co-authored research on the usability of privacy policies and on alternative regulatory approaches for achieving data protection and privacy goals. She has recently presented on these issues at national conferences.

Leave A Comment