The Cyber Resilience Challenge
Executives of the world's largest companies have a daunting challenge: make their IT infrastructure more resilient while becoming more extensive, dispersed, and complicated.
Over the coming decade, we anticipate cybersecurity strategies driven by advanced internal data collection and AI approaches instead of today's industry-defined standards and cyber hygiene best practices. This transition will not only help organizations keep pace but shift the role of security from being a drag on the agility and bottom line of the company to being a contributor to IT and business effectiveness.
But what will this transition look like? And how can we be ahead of the curve and ensure our businesses are competitive? Let's first explore where we are on this journey.
Over the last few years, sophisticated organizations have recognized the need to improve their cyber risk management. Beyond sustaining an industry-standard lineup of cybersecurity tools, programs, and professionals, organizations are attempting to bolster their operational resilience. This evolution makes sense in much the same way it makes sense to avoid viruses while also strengthening the immune system.
Cyber Resilience Planning
This bolstering often involves interview-driven approaches to identifying critical business functions, understanding the probable cost of breaches and outages of these functions and tying individual IT assets to these functions. Effectively, this quantifies risk as monetary cost and identifies owners and stakeholders responsible for avoiding them. The CISA Cyber Resilience Review (“CRR”) is an effective interview-based assessment tool for organizations maturing their operational resilience.
But, at the end of the day, when the ransom screen appears, or when the tornado knocks out power to the data center, you won't need a pile of reference documents based on interviews from nine months ago.
You'll need one thing: for a plan to be in place that ensures the sustained operations of your most critical business functions and all their communication pathways and dependencies at the moment of the incident. You need to have identified every asset that requires urgent attention, not just the "big picture."
For many of our customers, this involves disaster recovery or mitigation efforts on the manageable scale of tens of thousands of assets from among millions of others, in an exact order, in just a few minutes.
Why Cyber Resilience Planning Is Difficult
So what makes this so difficult? Here are our findings after years of working with customers to evolve their resilience:
Organizations don't know what their assets are. They usually don't even know how many there are within a 20% guess. Their new asset inventory tools aren't improving that much, as they compile existing lists instead of deploying better approaches for discovering them.
Most organizations, even mature ones, haven't performed a CRR or CRR-like analysis and haven't done the valuable introspection work this entails. If they have even a decent asset inventory (usually only true if the organization is small), they don't know which ones do what or which assets are most valuable.
Organizations have little to no centralized understanding of their external third-party dependencies, where most of an organization's risk comes from.
Even if organizations know their most important assets, internal or external, they don't have a real-time understanding of what they depend on or what depends on them.
If this is tough to follow, try this:
Walk to the office of, or start a virtual meeting with, your IT rockstar (every organization has one). Ask her for a list of your most important IT assets ordered by the mission or financial impact to the company if they fail.
Ask her for a list of those assets' dependencies, both internal to the company and external.
Ask for a list of the assets those assets need, and so on, for as many iterations as are necessary to be comprehensive.
Add that you need those in the chronological order they would need to be brought back online in the case of a total failure of business IT. (We ask that you do this meeting in person or virtually so you can see her face when you ask for this.)
Have her quantify, using evidence, how long it should take to recover from a total failure and what it will cost each minute until the recovery is complete.
A Better Approach
We can all guess how this conversation would go, which is why if we hope to address the true resilience problem with an approach as comprehensive as this, we will need an AI engine that can see all of your IT business transactions.
You can also see why, if such a solution existed, how powerful it would be and why we predict it would make cyber resilience a contributor to IT and business effectiveness. Really, it could and should change the way the business leverages technology!
The remarkable news is that such a system has been running in the world's largest companies and government agencies for over five years. Contact us to learn how Redjack is helping these organizations achieve true cyber resilience.