The 3 Interlocking Elements that Build Cyber Resilience
By E. Doug Grindstaff II, CMMI Institute Sr. VP of Cybersecurity Solutions
As I’ve discussed in
previous posts, there’s a growing recognition by boards and senior executives that cybersecurity is not just an IT challenge but a much broader strategic issue of enterprise risk management. Because no organization is immune from compromise, each company needs to focus its cybersecurity strategy on mitigating its most important threats. The goal is to build cyber resilience: the ability not only to detect and block the threats that matter, but also to survive the attacks that prove unavoidable.
So what is required to achieve cyber resilience? A successful cybersecurity strategy is not just about deploying the best technology. It must start by identifying the most important cybersecurity risks facing that particular organization, and then optimizing available resources to mitigate those risks. I believe an effective cyber resilience strategy has three synergistic, interlocking elements:
- Mature security capabilities. This element includes all capabilities for managing cybersecurity risk, from cybersecurity planning and governance through incident detection and recovery. As with the other elements of cyber resilience strategy, it is essential to focus on capabilities that mitigate the organization’s most important risks. These are different for each organization, depending on its industry sector, objectives, and business model.
- Workforce readiness. The workforce is our greatest point of vulnerability—and that means it’s also our greatest opportunity for improving cyber-resilience. Inadvertent or intentional insider threat remains a top cause of breaches; any employee can unwittingly invite an attacker into the enterprise by clicking on a phishing email. Building the right security-aware culture among all employees can make a huge difference. Furthermore, a strong cybersecurity culture achieves more than just a reduction in the risk of compromise: It also delivers concrete business benefits such as improved profitability and customer retention, according to a recent landmark survey from CMMI and ISACA.
- SecOps. This encompasses the effective integration of security and IT operations in areas such as mission priorities, secure and available technology, and threat information.
Synergy among these three elements is crucial. No single element is sufficient on its own to achieve cyber resilience. I think of cyber resilience as a three-legged stool: All three legs are necessary to provide a firm foundation.
Why Fragmented Security Strategies Fail
Today, nearly all organizations have at least one of these elements in place. However, even organizations that have all three often treat them as disparate activities, not integrated elements of an overall strategy focused on enterprise risk management. Furthermore, one element may be prioritized at the expense of others, without analyzing the overall impact on cyber resilience.
For example, many organizations prioritize secure technology over other aspects of cybersecurity strategy. When threat intelligence feeds alert them to a dangerous new exploit, they invest in upgrading their technology specifically to deal with the problem. But there’s no corresponding investment in enhancing workforce readiness to meet the threat, because employee awareness is managed as a separate activity. Similarly, the organization doesn’t update its incident recovery processes, so if a problem does occur the impact could be catastrophic. The technology investment is driven by news headlines, not by an analysis of enterprise risk.
It’s easy to fall into the trap of prioritizing one leg of the three-legged stool—which then tends to drive the organization’s overall cybersecurity strategy. That’s especially the case with technology. Network-scanning tools can be used to provide impressive-looking performance statistics to executives and the board, such as exactly how many attempted intrusions have been blocked. But they don’t tell you how those blocked attempts relate to the company’s biggest risks. They don’t tell you how well your employees understand phishing threats, or whether they follow company policies when using their own laptops for business purposes. They don’t analyze whether your incident recovery processes will really enable the company to continue functioning if an attack succeeds.
Managing Enterprise Risk to Achieve Cyber Resilience
We designed
the CMMI Cybermaturity Platform to help organizations avoid traps like this. Instead of approaching security strategy through one of the three legs of the stool, it starts by examining the organization’s biggest risks. Based on those risks, the platform generates pragmatic insights that enable the organization to align investment to its strategic priorities, across all three legs of the stool.
The process starts by defining the organization’s unique risk profile. The profile varies depending on factors such as industry sector, corporate objectives and operating model. A retailer’s biggest cybersecurity risks may lie in protecting consumer information; for a manufacturer, securing the supply chain might be a top priority. The risk profile then determines the required level of maturity in specific capabilities, workforce readiness and SecOps. By highlighting the gaps between the organization’s current abilities and the maturity level required to mitigate the risks, the platform generates a roadmap for driving investment into the most critical areas within each of the three interlocking elements.
This is a dynamic process. In a continuously shifting cybersecurity environment, the organization should be continuously assessing whether its capabilities, workforce readiness and SecOps are adequate to mitigate risk. That means more than checking a box; it means examining each process in enough detail to know whether it includes all necessary steps and is up to date. One company assured me that it had an incident response program in place — but on further probing, it emerged that the plan was not updated for many years and that key steps relied on people who no longer worked at the company. Your organization may have developed an incident response program, but do people know about it? When was the last training? Have you executed tabletop exercises or other simulations? How frequently is the plan updated?
Focusing Investment is Key
When it comes to cybersecurity, the stakes are high: A successful cybersecurity attack can threaten the organization’s ability to operate. That’s why it is so vital to allocate resources in the most effective way. Because all organizations have limited resources, over-investment in one area can actually increase the company’s risk overall, because it means fewer resources are available for higher-priority areas. An enterprise risk management approach is therefore critical. It enables organizations to strategically direct investment into the three interlocking elements of cyber resilience: secure capabilities, workforce readiness and SecOps.