Author: Mark Chaplin, Principal, ISF
28 Nov 2019

Cyber resilience is considered by many security professionals as a key component of a cyber risk management strategy. And they’re right. Often involving significant investment, meticulous planning and frequent testing, the costs of creating a cyber-resilient organisation might appear excessive. That is until a cyber crisis occurs and the effort pays off.

British Airways currently faces a GDPR-related fine of more than £180m, while the costs of Marriott’s 2018 breach have topped $100m. Ransomware attacks, such as WannaCry and NotPetya, have left deep scars on many organisations in the form of business interruption, financial loss and long-term reputational damage. Business leaders are sitting up and taking notice of events in their respective sectors.

Driven by increased scrutiny from regulators, customers and the public, Boards are asking difficult questions of their CRO and CISO about levels of cyber protection, exposure to cyber risk and what will happen in the event of a cyber crisis.

From a business perspective, there are two sides to the cyber risk management coin. On one side there is cyber protection, which involves measures to reduce the frequency of successful cyber threat events. On the other side is cyber resilience, which involves measures to reduce financial loss when cyber loss events occur.

Cyber resilience complements cyber protection to help ensure the organisation can withstand a major cyber event and continue to operate with minimum disruption. This is achieved through a range of capabilities, including business continuity practices, incident management, legal support, public relations management and cyber insurance.

Five steps you can take to start building a cyber-resilient organisation

Chief Risk Officers, CISOs and other risk management leaders need to provide business leaders with assurance of cyber resilience by:

  1. Understanding the complete cyber threat landscape, including both targeted and untargeted attacks (i.e. those causing collateral damage to infrastructure)
  2. Building robust digital outposts to detect cyber threat events, from the common to the rare, when they occur
  3. Maintaining a combined business and cyber threat view (e.g. through the use of threat intelligence, threat profiling and threat hunting)
  4. Establishing a cyber response capability that demonstrates readiness through repeated testing and continuous assurance
  5. Reporting on the status of cyber resilience, using meaningful information, which is presented in a business context to highlight both successes and challenges in managing cyber risk.

The Information Security Forum provides a range of guidance and best practice for effective risk management, managing cyber incidents and planning for future threat scenarios. Examples include:

For our full library of research and tools, click here. In addition, find podcasts on the latest cybersecurity hot topics in our Digital Media Centre.

If you are interested in learning more, the ISF is hosting an executive roundtable in New York City on December 5th, on the key actions you should consider now to make your organization more cyber resilient in 2020. You can learn more about it here.

Mark Chaplin is an experienced information risk management professional with approximately 30 years of experience in the technology and information security industry. He specialises in information security governance and strategy for blue-chip organisations.