Cyber Resilience

Boards are seeking more reliable, data-driven, prompt and accurate determination of, and reporting on, emerging vulnerabilities as a consequence of their more volatile and complex operating environments. Bottom-up data on threat exposures need to be regularly collected, analysed and reported at scale.

Many of the vulnerabilities that operational and cyber resilience efforts aim to address can occur unexpectedly and at a rate that even the best security teams are ill-equipped to respond to. Managing the cyber risks and overall resilience of an organisation is not an occasional activity. Problems could arise at any time and operational governance demands rapid and in the best case, an automated, response to support the ongoing resilience of the enterprise. There are many factors that can quickly impact resilience and make attacks more likely and less survivable:

• System failures.
• Incorrect user provisioning.
• Flawed patching processes.
• Missing functionality updates.
• Uncontrolled technology adoptions.
• Backup failures.

And these can quickly become almost ongoing causes of disruption. Security teams cannot rely on ad hoc, intermittent assessments and response; they require current evidence- based information.

In dynamic environments, like the finance sector, healthcare and critical infrastructure, where operational factors are constantly changing, annual audits and even scenario-based operational resilience strategies are clearly no longer adequate.

Cyber resilience, as a key part of operational resilience, is confirmed by the importance of organisations having effective controls in place. So too are the associated monitoring and oversight processes and systems that ensure their efficacy.

Effective and robust controls deliver significant benefits, including:

• Improve the readiness of organisations to withstand and recover from cyber-attacks.
• Minimise the impact of security incidents on business operations and reputation.
• Promote a proactive approach to cyber security risk management, focusing on prevention, detection, and response.
• Systematically enhance the ability of organisations to adapt to changing threat landscapes and emerging cyber risks.

These in turn enable the identification of vulnerabilities and mitigation of weaknesses, without which:

• More frequent and damaging cyber-attacks could materially affect the bottom lines of organisations and their customers.
• The perceived trustworthiness, reliability and reputation of organisations could be brought into question.
• Organisations would be unable to systematically respond to changes in the threat landscape, and protect their technology system as new vulnerabilities emerge.
• Organisations would be forever on the back foot, continually having to defend their own systems, and those of their suppliers, every time a cyber outage threatened.

The ability to continuously manage threat exposures is a key element of operational and cyber resilience. Automation of this vital process ensures more timely and accurate information about the risks faced than is available from sample based or manual audits. It also means technical teams are able to respond to senior managers with their demands for more frequent and reliable, evidence-based resilience information.

Automated solutions for control monitoring and threat exposure management enable:

• Better threat prevention by implementing robust security controls, best practices, appropriate system configurations and security awareness to limit the risk of cyber disruption.
• More timely incident detection and response through continuous monitoring, threat intelligence, and incident response.
• More robust business continuity and less disruption to operations with resilient architectures, data backup and recovery strategies.
• Easier adaption to changing and evolving cyber threats and risks with more agile security strategies, threat hunting capabilities, and the automation of key security processes to free up scarce analyst time.
• Improved governance to help achieve and maintain compliance with regulatory requirements, industry standards, and contractual obligations through continuous compliance monitoring, risk assessment, and audit capabilities.

Anticipating increasingly complex scenarios that might disrupt business operations is one thing but establishing an operational resilience process that is able to address as-yet unknown risks is quite another.

Known risks can be anticipated as part of a wide range of “severe, but plausible, scenarios” but unknown risks, by definition, cannot.

This is where CTEM and TDIR solutions come in.

• Continuous Threat Exposure Management (CTEM) means having an accurate, and up to date view of the exposures the business has in its systems, configurations, user accounts and permissions and security controls. The ability to automatically map exposures to risk, and then prioritise their mitigation provides a solid foundation for not only sound controls management, but also the ability to reliably report on cyber security posture.
• Threat Detection, Investigation and Response (TDIR) includes technologies such as SIEM platforms, that allow the rapid detection of known and unknown threats based on known attack patterns, misuse and anomalous behaviours.

These solutions and processes link to threat intelligence and enrich organisational context with the exposure and vulnerability data it holds.

Security teams have the ability to enhance their TDIR processes with enriched CTEM information. By integrating that CTEM situational awareness into the TDIR process the SOC team can leverage the information to streamline its investigation and response workflows. In larger organisations, proactive CTEM information can be continuously collected and ingested directly into the TDIR telemetry process to instantly inform and guide analyst investigation and response workflows to fundamentally streamline SOC detection, analysis and response processes.

Directors now hold responsibility for setting business and risk strategies as well as for the overall oversight of operational resilience standards and governance. In today’s uncertain and complex operating environment, it is not surprising that a disruption to any key operational resource can quickly affect the delivery of business goods and services.

The goal, for both the business leadership and the security team then, is to improve cyber resilience and protect the IT systems, assets and data that contribute to the ongoing operations of the organisation and its ability to deliver its goods and services. Increasingly legislators are demanding it.

For some Critical Infrastructure sectors, cyber resilience is the cornerstone of the wider regulatory requirement for Operational Resilience (sometimes called Operational Risk Management) that is being mandated in various jurisdictions like:

• The Digital Operational Resilience Act (DORA) in the EU;
• The U.S. Securities and Exchange Commission (SEC);
• The Financial Conduct Authority’s (FCA) PS21/3 regulations in the UK;
• The Security of Critical Infrastructure Act 2018 (SOCI) in Australia.

Organisational resilience more broadly is becoming a fundamental tenet of corporate governance and continuous disclosure. In essence, the ability of an organisation to continue to conduct operations, even in the event of disruption to key components of the product or services value chain, is a ’team’ responsibility. Cyber security leaders are now expected to contribute to the ongoing resilience of the organisation. The resilience of systems, processes, people and 3rd party inputs into the delivery of a product or service are all part of that responsibility.

While delegation of some of these specialist tasks is acceptable, oversight, evidence of the effectiveness of controls and lessons learned, together with an objective assessment of the success of operational resilience efforts, are a Board’s responsibility and must be available and demonstrable.