Business leaders, lawyers, IT specialists, and the larger public have repeatedly heard entreaties to adopt improved cybersecurity measures. Increasingly they are now hearing the term “cyber resilience,” which public officials (including the President) and security experts espouse as the primary objective. Why the change? What is different, other than the term?
The movement toward “resilience” began well over a decade ago, born of a series of intertwined recognitions about the capacity, and the need, to achieve secure systems, networks, and data. These insights included:
- Organizations possess varying information assets, and face differing threats. The core assets of a bank and a nonprofit retail thrift center may overlap in some degree (e.g., customer information) but their operations and vectors for intrusion will differ, requiring individualized analysis for security measures.
- Information assets (such as customer lists, employee HR data, strategic business plans, R & D on a new product, email archives) do not possess the same ranked value across organizations. A manufacturer may classify product development and strategic business plans as its top priorities for protection, and a nonprofit hospital chain may classify its patient health care records as preeminent.
- Few organizations, if any, can justify spending resources to protect all information assets at the same level of intensity. Thus, no single checklist of “good security measures” will suffice.
- Determining which of an organization’s information assets should be protected, and in what order of priority, cannot properly be delegated to IT management alone. These determinations are executive functions, and a core part of business continuity planning.
- The dynamic “arms race” between cybercriminals and other hostile actors on one side, and legitimate organizations (business, government, education, etc.) on the other, can be expected to continue. Given the financial and other value that attackers can acquire, and the ease with which they can access and exfiltrate data or corrupt systems, implementing a universal checklist of security controls will not provide the level of protection organizations seek, even if sufficient resources were available.
In the mid-2000s, after joint discussions among academic, industry, and government participants at CERT, “cyber resilience” emerged as the primary goal. Instead of an elusive security target, the new term was intended to draw attention to the need for strategic business planning and processes for information assets. One key difference in the move to resilience is its emphasis not only on withstanding cyber intrusions and attacks, but also on the ability to recover swiftly from any such disruptions. As the Presidential Directive relates, “Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.” Accordingly, resilience techniques include:
- Conducting a cyber risk assessment using a respected tool or consultant;
- Developing and testing a cyber incident business continuity plan; and
- Assuring redundancy for essential informational assets.
By utilizing a cyber resilience decisional model, such as CERT’s Resilience Management Model (RMM) or the NIST Cybersecurity Framework, security investments will be dedicated to protecting the organization’s key assets and assuring a quick return to business operations when a cyber attack or intrusion, or even an employee error, occurs. It is a planning and process model for achieving cybersecurity, one that involves a broad range of organizational actors and expertise rather than focusing on IT alone.
Among its activities, the new Center for Cybersecurity and Privacy Protection at Cleveland-Marshall College of Law will identify techniques and resources for undertaking cyber resilience business planning, and stands ready to assist those who are beginning the process.