Re: What Makes Some Organizations More Cyber Resilient Than Others


Lahoma Helmy

Jul 15, 2024, 3:12:10 PM
to disphannaroodh

This global study tracks the ability of organizations to achieve a strong cyber resilience security posture. In the context of the research, a cyber resilient enterprise is one that can prevent, detect, contain and recover from a myriad of serious threats against data, applications and IT infrastructure.

New this year are a closer look at the impact of ransomware and the adoption of approaches such as zero trust and extended detection and response (XDR). Finally, we offer recommendations to help your organization become more cyber resilient.

Figure 12 shows how many tools respondents said their security teams use to investigate and respond to a typical security incident. Among respondents, 45% used more than 20 tools when specifically investigating and responding to a cybersecurity incident.

DLA Operations Mission Assurance Director Army Col. Kwame Boateng served as exercise facilitator for the Battle Creek control group and said that while some parts of the agency are naturally more resilient than others, the whole organization needs to be able to move together and respond in a crisis.

The world has shifted and cybersecurity is shifting with it. The desire to transform, faster and more frequently, is prompting some organizations to use cybersecurity as a differentiator to deliver better business outcomes. Our research revealed that organizations that closely align their cybersecurity programs to business objectives are 18% more likely to increase their ability to drive revenue growth, increase market share and improve customer satisfaction, trust and employee productivity.

We surveyed 3,000 executives from 15 industries and 14 countries. Our research revealed that more than one-half of organizations are beginning to recognize the importance of being secure from the start in any transformation effort.

Nevertheless, some companies have proven to be more resilient than others, rapidly adapting their strategies to address both the challenges and the opportunities created by the crisis. What did they do that others did not?

The critical importance of business-model innovation highlighted by the survey aligns with our earlier research. In a recent article, we demonstrated how the disruption caused by the COVID-19 pandemic has led to a rapid acceleration of trends that were present before the crisis. The study additionally found a widening gap between the best- and worst-performing companies as organizations with future-ready business models pull away from the pack. As companies start to prepare for a post-pandemic world, those that have fallen behind more resilient players will need to take fast, bold action to make up for lost ground.

You have more people in your organization that can help you reach cyber resilience than you may think. Make sure to take the time to educate and empower the entire community on cybersecurity and your specific security goals.

In determining the priority assets to protect, organizations will confront external and internal challenges. Businesses, IT groups, and risk functions often have conflicting agendas and unclear working relationships. As a result, many organizations attempt to apply the same cyber-risk controls everywhere and equally, often wasting time and money but in some places not spending enough. Others apply sectional protections that leave some vital information assets vulnerable while focusing too closely on less critical ones. Cybersecurity budgets, meanwhile, compete for limited funds with technology investments intended to make the organization more competitive. The new tech investments, furthermore, can bring additional vulnerabilities.

One financial institution that used our approach was able to identify and remediate gaps in its control and security systems affecting critical assets. The change program began with a risk assessment that had highlighted several issues. Business and IT priorities on cybersecurity spending were found to be somewhat out of alignment, while communication on risks and risk appetite between risk management and businesses was less than optimal. The lack of agreement among stakeholder groups consequently stalled progress on a mitigation plan for cyber risk.

The ongoing COVID-19 pandemic and other recent events have proven that some organizations are more resilient than others. But what makes these organizations different, and what steps should you and other business leaders take as a result?

The acquisition builds on Splunk's heritage of helping organizations enhance their digital resilience and will accelerate Cisco's strategy to securely connect everything to make anything possible. The combination of these two established leaders in AI, security and observability will help make organizations more secure and resilient.

"We're excited to bring Cisco and Splunk together. Our combined capabilities will drive the next generation of AI-enabled security and observability," said Chuck Robbins, chair and CEO of Cisco. "From threat detection and response to threat prediction and prevention, we will help make organizations of all sizes more secure and resilient."

"Uniting with Cisco represents the next phase of Splunk's growth journey, accelerating our mission to help organizations worldwide become more resilient, while delivering immediate and compelling value to our shareholders," said Gary Steele, president and CEO of Splunk.

The combination of these two established leaders with complementary capabilities in AI, security and observability will unlock the true value of data and will help make organizations of all sizes more secure and digitally resilient.

However, we recognize that people from many different areas, more than we can possibly directly consult, may have valuable perspectives to contribute to this work. So, we are inviting submissions into our deliberation. These could take the form of new ideas, existing ideas, methods, or projects you think could advance our cyber-physical resilience. It could even take the form of removing or adjusting existing practices that are decreasing our natural resilience. We would appreciate the submissions to be concise and not proprietary or otherwise inappropriate for public disclosure.

The two main issues affecting resource availability were net revenues and talent availability. For most interviewees, net revenues were perceived to be declining, driven by flat revenues and increasing operating expenses. For organizations with declining net revenues, outsourcing IT to an organization with more expertise was an effort to increase resource availability to undertake more efforts to close cybersecurity gaps. Some of our interview subjects worked at organizations that were financially healthy enough to fund the development of purely internal solutions; however, the majority did not. Two subjects stated the following:

For those who worked at organizations healthy enough to fund internal development, subjects were split as to whether self-hosting and internal development increased resource availability. On one hand, some felt that owning IT policies themselves gave them finer control over how to allocate resources in their efforts to close cybersecurity gaps. On the other hand, some felt that outsourcing security operations to a firm such as Microsoft via purchases of their cloud products simultaneously allowed them to do more with fewer resources and also tacitly allowed them to pay less attention to cybersecurity, thereby introducing an entirely new set of risks.

There were also significant pressures to have stronger cybersecurity capabilities resulting from regulation. Typically, regulation was aimed at protecting privacy, not necessarily security; nonetheless, there was some overlap. Subjects at hospitals with more resources worked with both an internal and an external audit team to assess compliance; however, all hospitals worked with an external audit team as a regulatory requirement.

For the interview subjects who did not feel that their hospital was developing cybersecurity capabilities, it was mostly because of high turnover at the C-suite level. That high turnover, in turn, led to constant shifts in strategy that became difficult to navigate as an IS specialist, leaving the organizations more reactive than proactive in developing cybersecurity capabilities. One subject stated the following:

A second but related issue is that when a hacker obtains sensitive information about the organization, it may find its reputation ruined. Few small organizations can survive the damage to their reputation that such lost data might cause. The damage to reputation and goodwill might be more crippling than the actual data loss itself. Loss of customer data may result in legal or regulatory action against the organization. A third party might file a suit against an organization because they have themselves incurred a loss. Organizations might also be subject to significant penalties and/or legal action arising from breaches of the privacy laws in many jurisdictions.

Over the past decade, system resilience (a.k.a. system resiliency) has been widely discussed as a critical concern, especially in terms of data centers and cloud computing. It is also vitally important to cyber-physical systems, although the term is less commonly used in that domain. Everyone wants their systems to be resilient, but what does that actually mean? And how does resilience relate to other quality attributes, such as availability, reliability, robustness, safety, security, and survivability? Is resilience a component of some or all of these quality attributes, a superset of them, or something else? If we are to ensure that systems are resilient, we must first know the answers to these questions and understand exactly what system resilience is.

However, system resilience is more complex than the preceding explanation implies. System resilience is not a simple Boolean function (i.e., a system is not merely resilient or not resilient). No system is 100 percent resilient to all adverse events or conditions. Resilience is always a matter of degree. System resilience is typically not measurable on a single ordinal scale. In other words, it might not make sense to say that system A is more resilient than system B.
