Cyber Resilience – A Skills Assessment

Michelle Erickson
| 3/9/2017
Help Wanted -3

Cyber resilience describes a growing focus on an organization’s ability to respond to and recover from a cybersecurity incident. The thinking about information security has changed over the years. The saying “it’s not if we suffer an incident, but when” has evolved into “it’s not when, but how many times.” Maintaining business operations while also maintaining the confidentiality, integrity, and availability of critical information is the key to achieving cyber resilience.

Who Has the Skills to Contribute to a Cyber Resilience Program?

Many organizational leaders realize that their employees lack the skills necessary to achieve strong cyber resilience. Further complicating matters is the shortage of job candidates who have the skills and experience necessary.

In a survey of 633 cybersecurity professionals by ISACA, 37 percent of respondents said that fewer than 25 percent of job candidates are qualified for open cybersecurity positions.

In addition, it is not uncommon for personnel to be unaware of where responsibility for a breach lies within the organization.

A survey of 221 C-suite executives and 984 IT decision-makers by cybersecurity firm BAE Systems found 35 percent of the C-suite respondents said IT is responsible for handling a breach, while 50 percent of IT decision-makers said it is the responsibility of senior management.

Without clearly defined responsibilities and a common understanding of those responsibilities (documentation alone is not sufficient), even skilled individuals are not able to react and respond effectively. Not being able to make decisions quickly in an incident response scenario can delay efforts and exacerbate the breach exposure.

What Skills Are Needed?

In order to have the internal resources required for a strong cyber-resilience program, it is important for an organization to employ individuals with relevant skills and experience in the following crucial areas.

  • Business continuity management (incident response management). Organizations need to employ individuals with the skills necessary to respond to a cybersecurity incident. These employees should be knowledgeable about the organization's business processes, incident response program, and common attack vectors to be able to direct personnel, gather and analyze evidence, contain and eradicate the threat, and help return the business to normal operations.
  • Threat and vulnerability management. Organizations must employ individuals who can identify, prioritize, track, and remediate vulnerabilities within the environment. To be successful, these employees should have an understanding of mitigating controls, such as frequent patching, secure configuration management, and change control procedures.
  • Employee management. Because end users often are the targets of cyber adversaries, organizations should employ individuals who provide effective training and awareness programs. These employees should be knowledgeable about current threats to end users and understand how end users should detect and respond to these threats.
  • Cybersecurity risk management (controls management). Controls management is a broad topic, and organizations can begin to address it by examining what controls exist in the current environment. As gaps are identified, a plan should be developed to implement controls that reduce the risk from threats and protect the most important servers and information. Common gaps that may need to be addressed include knowledge and experience implementing anti-virus software, firewalls, logging and monitoring, and intrusion detection and prevention solutions.
  • Third-party risk management. Most organizations rely on a variety of external entities for meeting their business needs. The management of external dependencies focuses on establishing appropriate controls to protect assets and sustain critical activities that depend on these relationships. Organizations should employ individuals who have the skills to understand the risks associated with third parties, data exchanges, and transfers and to implement procedures and controls to maintain security throughout the relationship.

How Can an Organization Be Cyber Resilient When It Lacks Internal Resources?

The world of cybersecurity is vast, and not every organization possesses the resources to address every area. So what steps can an organization take to address areas in which it lacks the necessary resources?

  1. Prioritize efforts. Organizations should identify their most critical business processes and information as well as likely threats and attack vectors. They should focus efforts on these items first. Furthermore, organizations should determine which competencies they want to develop, train, and maintain internally.
  2. Identify gaps. Organizations should work to identify gaps in skills or resources. Gaps can exist in the number of employees as well as in the levels of knowledge, experience, or technology.
  3. Take advantage of on-demand external expertise. Organizations should recognize and understand that they do not have to do everything internally and should become comfortable accepting help from cybersecurity professionals. Some skills are just too expensive to maintain properly in-house because they divert too many resources from the core mission or require infrequently used skills with a lower return on investment. Services that external parties can provide include penetration testing, incident management, various cybersecurity assessments and advisory services, and vulnerability management. Third parties and consulting firms with expertise in these areas can provide guidance about strengthening cyber resilience programs and allow organizations to focus on improving the work that they do internally.
  4. Be aware of vulnerabilities, and line up responses ahead of time. Time is of the essence in the midst of a cybersecurity incident. During an incident, the last thing an organization wants to discover is that there are gaps in the necessary procedures, resources, or skills needed to respond. Responsible parties should think through common incident scenarios organizations might face and should analyze best- and worst-case scenarios and how they could play out. This information should be used to determine which skills or technology might be needed. Procedures should be documented in a “playbook” for common scenarios, including roles and responsibilities for internal and external resources. Organizations that plan to use third parties and consulting firms as part of the incident response should build these relationships ahead of time so they are ready when needed.

Let us know if your organization has had to deal with a shortage of qualified job candidates for cybersecurity positions or a lack of internal cybersecurity resources and what you did to address the problem.