As a vice president at Symantec from 2000 to 2009, Rob Clyde witnessed repeated attacks on the cybersecurity company’s system that processed client requests for software updates. Constantly bombarded with illegitimate queries, the system could nevertheless handle the fraudulent volume and still process and respond to legitimate traffic.
The company built the system in a way that enabled it to withstand the onslaught: engineers designed the system to handle any and all spikes in requests for updates such as those that happen when clients all seek a critical update at the same time.
“We had architected the system to just keep scaling. As attacks occurred, it kept scaling so [legitimate] customers could get their updates without any delays,” says Clyde, who is now a spokesperson for the IT governance organization ISACA, a managing partner of Clyde Consulting, and a board member for several companies.
Symantec’s intention was to build a system that could meet customer needs without any glitches, regardless of the level of demand. But company leaders also recognized the need for such a design to ensure the system could perform well even when under siege: that it could, in a nutshell, be resilient.
Resilient systems pay off over the long run
Clyde acknowledges that the design added costs, with the bills rising as the system scaled; engineers eventually brought costs down by implementing cyber defenses that could detect fraudulent requests further upstream and deflect them earlier, thereby reducing the number making their way to the application itself.
Although this approach dates back 15 years, Clyde says Symantec’s strategy for addressing the cybersecurity threats in a way that both defended the system and ensured its usual availability demonstrates the notion of cyber resiliency.
“We should build systems to withstand changing conditions, to recover and just keep going,” says Clyde.
The definition of cyber resiliency
The National Institute of Standards and Technology (NIST) defines cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”
MITRE, which developed the Cyber Resiliency Engineering Framework in 2011, describes cyber resiliency as the need “for information and communications systems and those who depend on them to be resilient in the face of persistent, stealthy, and sophisticated attacks focused on cyber resources.”
It’s a concept that has been gaining traction over the past decade and is becoming a topic of board-level interest as the volume, variety, and intensity of strikes by bad actors spike year after year.
Boards fail companies by not focusing on resilience
A May 2023 article in the Harvard Business Review titled “Boards Are Having the Wrong Conversations about Cybersecurity,” calls on boards to “focus on resilience,” saying that “even though boards say cybersecurity is a priority, they have a long way to go to help their organizations become resilient to cyberattacks. And by not focusing on resilience, boards fail their companies.”
The concept of cyber resiliency includes several longstanding cybersecurity and organizational elements — namely the principles and practices of business continuity and disaster recovery as well as cyber detection and response.
However, according to multiple cybersecurity leaders, cyber resiliency is not synonymous with any of those elements and, in fact, pushes the enterprise to go beyond each of those four practices.
“Resiliency is about keeping the lights on with no downtime,” says Sue Bergamo, executive advisor, CIO and CISO with the advisory services firm BTE Partners. “It’s normal to defend against a lot of attacks; that’s what we do every day. But with that one attack that gets through, that’s when we have to be resilient, that’s when we have to stomp it out while keeping the lights on.”
In other words, cyber resiliency is about maintaining business as usual during a cyber event, while the response to that event happens in the background.
Resiliency is like a generator that keeps things running
One expert compares the benefits of enabling cyber resiliency to that of an electric generator: that generator, like a cyber-resilient environment, keeps everything running when there’s a problem with the electricity supply. On the other hand, if there’s no generator, workers are scrambling for flashlights.
Cyber resiliency means the organization can keep working regardless of what cyber attackers “can throw at me,” says Rosalie McQuaid, cyber resiliency department manager at MITRE, a not-for-profit entity that operates federally funded R&D centers and public-private partnerships.
“It’s not about going down and recovering, where you might have slower or degraded operations. That’s really reactive,” McQuaid says. It’s akin to the catchphrase of the decades-old Timex watch ads, which feature watches surviving all manner of attacks where they “take a licking and keep on ticking.”
Clyde agrees, saying organizations who must pay a ransom to restore functions following a successful ransomware attack or revert to analog processes while IT restores compromised systems may have implemented “reasonable short-term solutions but they’re not cyber resilient.”
Saugat Sindhu, senior partner and general manager at IT consulting and services firm Wipro, makes similar observations, pointing to Colonial Pipeline’s performance in the aftermath of the ransomware attack it suffered in May 2021. The company recovered after paying a ransom, and it continued as a business. However, its decision to shut down its main business function — moving fuel through its pipelines — to help contain the damage did not demonstrate resiliency.
“In the case of cyber resiliency, if systems get compromised, there are other systems that can pick up and maintain BAU — business as usual,” adds Sindhu, leader of Wipro’s strategy and risk practice.
High-level actions around cyber resiliency
That focus on BAU may explain increasing interest in and discussion around cyber resiliency. In the US, for example, the President’s Council of Advisors on Science and Technology (PCAST) in March 2023 initiated a working group on cyber-physical resilience, saying in an announcement that “the tightly coupled inter-dependencies among physical and digital components in systems can lead to high levels of ‘brittleness,’ when even minor disruptions lead to wide-scale and unpredictable effects.”
It continued: “We need a different approach, not just to defend ourselves from cyber-attacks and failures, but to presume that attacks will always get through and that failures of components are unavoidable. We need to be resilient in the face of attacks and failures so we can withstand or recover quickly. This needs a fundamental re-imagining based on taking a holistic, systems-thinking approach.”
The Information Systems Security Association (ISSA), a nonprofit professional organization for information security professionals, has its Cyber Resilience Special Interest Group.
And the European Union has its Cyber Resilience Act, a proposed legal framework governing the cybersecurity requirements for hardware and software products placed in the EU market.
Demonstrating cyber resiliency
Enterprise executives are also thinking about cyber resilience, according to an October 2023 report, The Cyber-Resilient CEO, from professional services firm Accenture. For the report, Accenture studied the cybersecurity practices of 1,000 CEOs of large organizations and found that 96% agreed that cybersecurity “is a key enabler for organization growth and stability.”
However, it found that 74% were concerned about their organization’s ability to avert or minimize damage to the business from a cyberattack.
“It is a disconnect that highlights that a majority of CEOs lack confidence that their organizations are truly cyber resilient, and their uncertainty is reflected in how they prioritize their cybersecurity investments,” the report’s authors concluded.
Furthermore, Accenture used its own index to benchmark 25 leading practices that measure cybersecurity resilience and found only 5% of CEOs lead on cybersecurity resilience.
Measuring resilience
An actual cyber event would certainly test whether those CEOs are as resilient as they appear and whether the remaining 95% are better or worse than they think.
However, security leaders point to other (safer) methods for measuring enterprise cyber resiliency — methods that allow CISOs to assess where they are, track improvement over time and articulate findings to their executive colleagues, their CEOs and the board itself.
Such analysis may seem like an esoteric exercise, says Sergio Tenreiro de Magalhaes, chief learning officer at Champlain College Online and an associate professor of cybersecurity and digital forensics.
“But it’s actually a concrete action you can take,” he says, adding that he believes cyber resiliency measures the organization’s ability “to provide a level of service that they’re comfortable with when under attack.”
Tenreiro de Magalhaes and others point to specific frameworks and assessment tools.
MITRE’s Cyber Resiliency Engineering Framework (CREF) is the oldest. In February 2023 MITRE released its CREF Navigator, a free visualization tool that enables organizations to customize their cyber resiliency goals, objectives and techniques.
Meanwhile, NIST has its publication SP 800-160 v2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach.” According to NIST, the publication “helps organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems — including hostile and increasingly destructive cyber-attacks from nation-states, criminal gangs, and disgruntled individuals.” (MITRE’s Navigator is aligned with NIST SP 800-160 v2.)
Another tool that some cite is the CMMI Cybersecurity Platform from ISACA, which ISACA promotes as a tool to help organizations build cyber resiliency.
Commercial products to assess and measure an organization’s state of cyber resiliency are also available.
Cyber resiliency means practicing due care and diligence
As with other cybersecurity frameworks and assessments, these frameworks and assessments are not one-size-fits-all, nor are they meant to be used as merely a check-the-box exercise, says Erik Avakian, technical counsellor at Info-Tech Research Group and former state CISO for the Commonwealth of Pennsylvania.
Rather, Avakian says they prompt CISOs to ask whether their organization “can anticipate attacks and can withstand them with the right controls and capabilities.”
“It’s about practicing due care and due diligence from a cybersecurity standpoint and having a layered defense with a layered people-process-and-technology-driven program with the right governance and services and tools to enable the mission of the organization so that if there’s an event, you can recover and adapt to keep business running,” he adds.
To do that, CISOs and their executive colleagues must have their cybersecurity basics well established — basics such as knowing their tolerance for risk, understanding their IT environment, their security controls, their vulnerabilities, and how those all could impact the organization’s operations.
CISOs aren’t limited to these frameworks or the assessment tools created specifically to measure cyber resiliency, say Tenreiro de Magalhaes and others.
CISOs can also run tabletop drills and red-team exercises to test, measure and report on resiliency. Repeating such drills and exercises can then track whether the organization’s cybersecurity program as well as specific additions to it help improve resiliency over time, experts say.
In fact, some say even anecdotal markers can help CISOs and executives get insights into their level of cyber resiliency.
Bergamo, for one, says she can get a sense of whether an organization has any degree of resiliency by looking at the security department’s everyday state.
“If they’re not running around dazed and crazed, they’re doing something right,” she says. “But those teams who are running around with hair on fire don’t have resiliency. They’re just in defense mode.”