Cyber resilience must not be used to legitimise window-dressing practices around cybersecurity
Although the theme is gaining momentum, there is a certain amount of confusion around what cyber resilience really means for organisations.
For many, it is just another piece of consultant jargon: an abstract managerial concept with little real-life substance or meaning.
As a matter of fact, it is very real and rooted in the “When-Not-If” paradigm around cyber-attacks, which is completely changing the dynamics around cybersecurity in many firms.
At the heart of cyber resilience lies a real application of “defence in depth” principles which have been well established for decades: Acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise – functionally and geographically. It is about the enterprise being enabled by the use of data and technology, whilst remaining protected from active threats.
It requires managerial and governance practices to be active across corporate silos and the supply chain (once again, functionally and geographically), and it cannot be dissociated from a broader approach to operational and corporate resilience.
It is hard to deliver at scale and presents many large organisations with significant cultural challenges. So the temptation is high for many to oversimplify it and to focus only on alleged quick wins.
Of course, the “When-Not-If” paradigm implies that security breaches are unavoidable. But it does not represent a licence to ignore all protective, detective and mitigative measures to focus only on the reactive ones. This is the type of simplistic approach to “resilience” which may put a few ticks in audit or compliance boxes, but in the long term, can only aggravate security postures and lead to regulatory issues, in particular in the face of a worldwide tightening of regulations around the protection of personal data.
“Cyber resilience” cannot be limited to an annual desktop exercise with board members and corporate functions during which they simulate how to react to a cyber-attack, in order to minimise the impact on the share price, media coverage or the reactions of customers.
All those factors are important, but “cyber resilience” must not turn into an excuse to legitimise a top-down window-dressing culture around cybersecurity practices.
Corporate resilience is the ability of an organisation to continue operating in the face of disruptive events, and to return to normal operations over time. It implies a deep knowledge of operational processes, their integration and their inter-dependencies. It also implies a deep knowledge of the supply chain and its actors.
To operate efficiently in disrupted situations, it also requires a collaborative and positive culture, which needs to be created and fostered from the top down.
All this is even more acute in cyber resilience scenarios, due to their relative novelty, the speed at which the organisation often needs to react and the technical complexity which may be involved.
Instead of being treated as another box checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel a different culture from the top down around cybersecurity:
- A culture where cybersecurity (the need to protect the business from cyber threats) and the protection of individuals’ privacy are not just matters of risk management or necessary evils imposed by compliance and regulations, but key business concepts and – increasingly – matters of competitive advantage and of corporate social responsibility.
- A culture which fosters the transversal nature of many security problems in large firms (looking across corporate silos, and certainly much beyond the mere technology horizon), because the security measures needed to protect the firm are transversal in nature: their execution is the only factor that will protect the business, and it requires transversal capabilities.
- Finally, a culture rooted in transparency around security breaches, because trust is the cornerstone of the digital economy and transparency is its foundation.
The Business Transformation Network has posted this article in partnership with Corix Partners.
Jean-Christophe Gaillard is Founder and Managing Director of Corix Partners.
He is a senior executive and a team builder with over 25 years of experience developed in several global financial institutions in the UK and continental Europe, and a track-record at driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.
A French national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris Tech and has been co-president of the Cyber Security group of the Telecom Paris Tech alumni association since May 2016.
He runs the Corix Partners blog and contributes regularly on the CIO Water Cooler, and has previously published articles on InfoSecurity Magazine, Computing, the C-Suite.co.uk, Info Sec Buzz and the IoD Director websites. He was listed in the top 10 of the UK’s 30 most influential thought leaders on Risk, RegTech and Compliance by Thomson Reuters in April 2017.