In recent years, the term “cyber resilience” has become common in discussions about cybersecurity, risk management, and breach mitigation. Cyber resilience represents a different and useful way of thinking about protecting data and information systems.
Rather than focusing only on preventing attacks or intrusions, cyber resilience also attempts to mitigate the consequences of such incidents. As attacks on data and information systems increase – and become increasingly malicious – the concept of cyber resilience can help organizations of all types and sizes do a better job of minimizing the damage caused by these attacks.
Today’s threat environment
Most security experts have come to recognize that cyberattackers have become more numerous, more persistent, and cunning enough to make prevention of an incident alone an inadequate strategy. Some organizations also are recognizing the near certainty that some of the attackers’ attempts will succeed.
In other words, it’s no longer a question of whether an attack will succeed, but when. So what steps can an organization take to minimize the effects of the attack?
That outlook is the underlying mindset that drives organizations to embrace cyber resilience – a concept that draws together practices related to security, disaster recovery, business continuity, and incident response. Many organizations view these disciplines as related but distinct from each other. However, cyber resilience integrates principles and practices from all these fields into a comprehensive readiness and response strategy aimed at minimizing the damage when an incident occurs.
Cyber resilience models and related standards
Much of the thinking behind cyber resilience can be traced back to work done for and by the United States Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security. Working with Carnegie Mellon University’s Software Engineering Institute, the team created the CERT Resilience Management Model (CERT-RMM) in 2010, to converge various risk management activities – such as security, business continuity, and IT operations – into a single model. A year later, US-CERT produced the Cyber Resilience Review (CRR), a nontechnical assessment tool to help organizations evaluate operational resilience and cybersecurity practices.
The CERT-RMM and CRR align closely with the central tenets of the widely used National Institute of Standards and Technology (NIST) cybersecurity framework. The CRR enables an organization to relate its cyber resilience capabilities to the NIST framework using a document called a “crosswalk” to compare the two approaches and map the features they have in common.
Components of cyber resilience
As updated in 2016, the CERT-RMM organizes cyber resilience into 26 separate process areas. The CRR condenses these areas into 10 domains:
- Asset management – Establishment of an inventory of high-value assets grouped into four broad categories – people, information, technology, and facilities – and definition of how these assets are managed to support the organization’s critical services
- Controls management – Identification, implementation, and assessment of the administrative, technical, and physical controls used to maintain mission-critical services and assets
- Configuration and change management – Continuous process of controlling and approving changes to information or technology assets or changes to related infrastructure
- Vulnerability management – Processes used to identify, analyze, and address any physical or operational feature that could make the organization susceptible to risk from a natural event or human threat
- Incident management – Improvement of the processes used to detect, identify, evaluate, and respond to events that disrupt critical infrastructure or services
- Service continuity management – Identification of the services most important to carrying out the organization’s mission plus the design, development, validation, and testing of service continuity response plans
- Risk management – In the context of cyber resilience, the processes that identify and analyze operational risk to IT-dependent assets and services, and the determination of how to deal with those risks (avoiding, accepting, transferring, or mitigating) in ways that reflect the organization’s risk tolerance
- External dependency management – Management’s establishment of the appropriate controls to protect assets and sustain critical activities that depend on relationships with external organizations
- Training and awareness – Education of staff members to give them the knowledge and skills to perform their work in incident management, controls management, risk management, and other related domains
- Situational awareness – Provision of accurate and up-to-date information for stakeholders about the immediate operational condition of critical services so that they can make decisions effectively
These 10 domains provide a helpful framework for understanding the concept of cyber resilience. They also provide organizations with a structure useful for organizing their cyber resilience efforts. When related to the NIST or a comparable framework, the 10 domains can help risk managers and other responsible parties plan how to deploy their assets – including people, information, technology, and facilities – in support of specific operational missions or critical services.
Moving beyond effectiveness to maturity
It is important to avoid the natural tendency to regard the CRR as a checklist or compliance standard. Rather than approaching cyber resilience with a compliance mindset, it’s more useful for an organization to use the assessments to advance its cyber resilience toward greater maturity. The difference is more than just a matter of semantics.
In general, a checklist focuses on whether a control objective is being met. It does not specify how the objective is being met, just that it is operating effectively at a given point in time. For example, an organization might have a requirement to patch its systems, and confirmation that those patches are deployed shows that the control objective is being met.
Maturity, on the other hand, encompasses not only effectiveness but also two additional important attributes: efficiency and responsiveness.
Efficiency describes how the control objectives are met. Processes that are standardized and automated minimize opportunities for manual error. For example, going back to the patching example, an organization that uses tools to identify and roll out patches to servers, workstations, and client-side applications is more mature than an organization that requires a user to interact with a workstation to install a patch.
Responsiveness represents the ability of the organization to react to external influences on its controls. Organizations that have the ability to quickly identify new threats and then develop and deploy mitigation strategies are better prepared in the ever-evolving risk landscape of today. To return to the patching example, most organizations can design a process for standard patch release schedules from their vendors. However, when a critical patch is released over a weekend to address a publicly exploitable vulnerability, responsiveness is defined by how quickly an organization can identify the fix, test it, and execute treatment actions to mitigate the risk appropriately. Responsiveness demonstrates a higher level of maturity.
Implementation starts with the assessment
As with all cyber-based programs, the risk and threat landscape is broad and constantly maturing, often more quickly than the internal responses to those threats. Managing such risks should start with a comprehensive risk assessment to identify which areas to address to provide the most value to the organization.
The risk assessment identifies the cyber resilience components most advantageous for the organization to address in the short term. It also provides a general road map for the organization as the program matures. For example, organizations with little reliance on third parties would see less value in focusing on external dependency management than would a company that has outsourced critical business systems.
More than compliance
In addition to approaching cyber resilience from the perspective of maturity, rather than just effectiveness, those involved can help make cyber resilience efforts more than just another compliance standard. By establishing a foundation for improved decision-making, they can even help cyber resilience develop beyond its primary function as an important risk management tool.
By helping an organization be ready for an incident, a strong cyber resilience program can improve organizational response and minimize the overall impact of an incident, ultimately adding value to any organization.