Jul 18, 2020

By IMBA-Exchange on The Capital

To function successfully in the face of constant exposure to cyber threats, an organization must promptly anticipate, resist, and recover from incidents.

A few years ago, the use of a number of innovative technologies might have seemed impossible, but today virtual reality is available to the end consumer, IoT devices control the temperature in homes, and neural networks process photographs.

The landscape of modern cybersecurity threats

According to the Gartner Top Trends in the Gartner Hype Cycle for Emerging Technologies report, the main technology trends are:

  • artificial intelligence everywhere (deep learning, machine learning, smart robots);
  • augmented reality (4D printing, AR, VR);
  • digital platforms (5G, digital twins, blockchain, IoT, quantum computing).

Each of these areas generates its own set of threats. For example, IoT devices can be recruited into botnets or be made to cause harm to health. The use of big data also creates new cybersecurity challenges, such as:

  • the inadequacy of existing means of protection for securing data of this volume;
  • the laboriousness of verifying the authenticity of data sources and controlling data integrity;
  • the increased criticality of access control for Big Data environments: an intruder who obtains illegitimate access gains access to a huge amount of information at once;
  • increased risks of data unavailability and data loss.

The direction of technology development points to the following changes in the field of cybersecurity:

  • new technologies emerge faster, the threat landscape expands at an increasing rate, and threats, like the technologies themselves, become more complex;
  • the number of attacks (and their complexity) increases exponentially;
  • the number of vulnerabilities does not decrease but, on the contrary, grows as technologies and development tools become more complicated;
  • vendors are shifting from preventing and neutralizing attacks, as before, toward detecting and responding to them.

The concept of “cyber resilience” arose in response to the increasing rate at which new technologies and cyber threats emerge, as the result of the evolution of information security systems from “IT continuity” to “information security” and further to “cybersecurity.” The nature of the threats is such that no one can guarantee 100% security anymore: if you have not yet been hacked, you simply do not know about it. Whereas earlier the goal of information security was to provide protection mainly through preventive measures, now the goal is to detect attacks, or their consequences, as early as possible. Organizations today need to be able to operate in an environment of constant cyber threats in which the business must be prepared to be harmed. The tasks are to minimize the consequences for the business in the event of an incident, to maintain the specified level of functioning, and to minimize the recovery time of critical automated systems and business processes.

Formation of a methodology for building cyber resilience

One of the earliest references to the term “resilience” is the Australian Government’s 2010 Critical Infrastructure Resilience Strategy. Later, other organizations took up the issue: Big Four firms (PwC, EY), analyst agencies (Gartner), vendors (IBM, Symantec), NIST, the Central Bank of the Russian Federation, and the European Central Bank. Some organizations (EY, Gartner, NIST) focus on defining a cyber resilience cycle, while others (PwC) propose to achieve resilience by building and improving a cybersecurity risk management system.

When analyzing the existing methodologies, one should pay attention to the Guidance on cyber resilience for financial market infrastructures, developed by IOSCO (the International Organization of Securities Commissions) in June 2016. IOSCO defines cyber resilience as the ability to anticipate, withstand, contain, and recover from cyber-attacks. This guidance is of interest because it describes the most mature cyber resilience cycle: it consists of core processes (identification, protection, detection, recovery) and supporting processes (testing, situational awareness, training and development).

To assess the maturity of cyber resilience in organizations, there are methods from the US Department of Homeland Security (Cyber Resilience Self-Assessment), US-CERT (Cyber Resilience Review), the MITRE Corporation (Cyber Resiliency Metrics), and AXELOS (RESILIA).

Given the number of approaches listed above, it can be concluded that no unified, well-established methodology for building cyber resilience has yet been formed, and no methodology for measuring and assessing cyber resilience is recognized as a benchmark.

The proposed approach to building cyber resilience

Many organizations have separate IT quality management, cybersecurity management, and business continuity management systems, all of which share common processes such as risk management, problem management, incident management, training, and awareness-raising. Often these processes are either the responsibility of different units or exist in parallel and duplicate each other. Moreover, the outputs of one process are not always inputs to another (for example, cybersecurity incident statistics should feed the cybersecurity risk management process), so the processes exist in isolation from each other. Because these areas do not interact in a coordinated way, timely response to cross-block incidents that affect the confidentiality, integrity, and availability of information at the same time is difficult.

The problems described above should be solved by a single methodology at the level of the entire organization, which is proposed to be built on the basis of:

This approach involves the creation of a cross-block group, tentatively named the “Cyber Resilience Center.” The group should include representatives of the business continuity, cybersecurity, and IT quality units, plus a team leader. This makes it possible to achieve a synergistic effect and to unite the efforts of the different areas and their related processes through a single interconnected process model, including metrics and KPIs, as well as automated tools for monitoring and analyzing the effectiveness and maturity of the processes.

The Cyber Resilience Center should address the following tasks:

  • integration of business continuity, IT reliability, and cybersecurity processes into a single cyber resilience process (including identification of communication gaps) and its documentation;
  • development of cross-block incident response scenarios;
  • conducting exercises and practicing incident response scenarios;
  • coordination of incident response and decisions on escalation to management;
  • maintenance of automated systems for collecting and managing knowledge (a unified incident management system);
  • development of plans for improving the cyber resilience system and monitoring their implementation.

How can organizations become cyber resilient?

An organization’s cyber resilience can only be ensured on the basis of a high level of cybersecurity maturity. The work to achieve cyber resilience should start:

  • with the support of top management for the concept of cyber resilience, fixed in the organization’s organizational and administrative documentation (orders or directives);
  • with the creation of a structural unit responsible for cyber resilience;
  • with the introduction of a risk management system covering cybersecurity, business continuity, and IT risks;
  • with the development of measures for comprehensive monitoring and detection of threats, timely response, and recovery if they materialize;
  • with the development of a maturity assessment system and an independent audit of the state of cyber resilience;
  • with continuous improvement of the cyber resilience management system.

The most universal methodology for assessing the level of cyber resilience is offered by AXELOS; it contains 145 questions across 5 domains. The organization can use both the questions proposed by AXELOS and questions it develops independently. The domains under evaluation are:

  • design (Cyber Resilience Design);
  • transition (Cyber Resilience Transition);
  • operation (Cyber Resilience Operation);
  • continual improvement (Cyber Resilience Continual Improvement);
  • strategy (Cyber Resilience Strategy).

Based on the results of the assessment, the organization is assigned one of five resulting levels of cyber resilience, from Initial to Optimized.

Summing up: to operate successfully under constant exposure to cyber threats, an organization must promptly anticipate, resist, and recover from incidents that affect the interests of all departments and all business processes of the organization. Implementing a cyber resilience management system makes it possible to solve these problems while maintaining a balance between risk and the profitability of new digital technologies, and to limit the consequences of the associated cyber risks.

Material developed by IMBA-Exchange

“Cyber Resilience — What Is It and How to Achieve It?” was originally published in The Capital on Medium.