Cyber resilience acts as a bridge that connects information security, business continuity and organization resilience: Sumit Dhar, EdgeVerve
Cyber resilience is no longer an unfamiliar term. Organizations today are not just talking about digital transformation but investing heavily in it, and cyber resilience has consequently moved up their agenda. But digital transformation only matters if it increases the benefits and curtails the harms in this digital landscape, which is why leaders need to treat cyber resilience as a primary objective. Sumit Dhar, Senior Director & Head of Information Security, EdgeVerve, in a conversation with EC’s Rachana Jha, explains what exactly cyber resilience is and how organizations can adapt to a changing threat landscape.
Edited Excerpts…
What is cyber resilience?
A: In this day and age, information technology plays a big role in normal operations of companies. Be it health-care, manufacturing, telecom or any other industry sector, it is hard to imagine them functioning normally without IT.
Over the past few years, cyber incidents (e.g. ransomware, Distributed Denial of Service attacks etc.) impacting the confidentiality, integrity and availability of IT systems have come to the fore. Such events have caused millions of dollars worth of financial losses to the impacted organizations.
Given this scenario, cyber resilience is a concept that is rapidly gaining traction at board levels and is critical to the success of an organization in this VUCA world. As a concept, cyber resilience acts as a bridge that connects information security, business continuity and organization resilience. It helps ensure an organization’s IT systems withstand, recover and deliver at an acceptable level even if they are impacted by a cyber incident.
How is cyber resilience different from cyber security?
A: Well, the key focus of cyber security is to prevent and detect cyber attacks. While response is also a part of the cyber security posture of a few organizations, the focus is predominantly on prevention and detection.
On the other hand, cyber resilience starts from a slightly different perspective. Like traditional resilience, cyber resilience understands that outages (due to cyber attacks) will occur. It assumes that infrastructure, systems and data of a company can and will be compromised. It understands that hackers today are extremely knowledgeable, have access to sophisticated tools and are capable of penetrating well secured networks.
Therefore, cyber resilience focuses on ensuring organizations are ready to respond and recover from such attacks. Cyber resilience places greater focus on managing incidents and handling cyber attacks while minimizing the impact to organizations.
How should an organization’s leadership go about building cyber resilience?
A: Cyber resilience, in my opinion, requires a multi-layered approach that addresses various requirements around people, process and technology. It requires the sponsorship, support and buy-in from the leadership. A simple framework that organizations can start with includes three key components: Protect, Respond and Recover.
Can you elaborate a bit on these components?
A: Sure, let me share some additional details on these three components.
Protect: You cannot protect till you know what is precious. So the first step is to identify your organization’s crown jewels: critical processes, infra and data. Once you have identified what is critical, it is important to assess these crown jewels for weakness and remediate those vulnerabilities. Remediation would typically include controls like system hardening, patching, tight access control, log monitoring, proper backup, disaster recovery etc.
Respond: Resilience professionals live by the mantra “Prepare for the worst, hope for the best.” An important part of preparing for the worst is to have strategies, processes and playbooks to respond to cyber incidents.
When it comes to cyber incidents, time is of the essence. Therefore, response has to be timely and swift. Organizations need to have a clearly defined plan that lays out what needs to be done. They need to form a Computer Security Incident Response Team (CSIRT) with strong leadership, capable team members and clearly defined roles and responsibilities. Response should also include protocols for communication and coordination with law enforcement.
Recover: This component involves restoring systems, data and services that have been impacted by a cyber incident. For example, as a part of their recovery plan, the organization may fail over to a redundant data center, or recover data from a previous successful backup.
Often, organizations overestimate their recovery capabilities. For instance, an organization may assume that it will be up and running in 24 hrs after a major incident. Now, if ransomware were to infect a majority of its endpoints, is it realistic to assume that the company can re-image the systems of thousands of employees and recover the data from backup to reach an operational stage in 24 hrs? In addition, organizations sometimes fail to periodically test their recovery strategies. As a result, something that looks good on paper fails spectacularly during a real crisis.
Thus, for recovery to be successful, it requires a clear, well-defined and thoroughly tested plan.
Apart from domain-related issues, are there any other pitfalls that organizations need to watch out for during a major crisis?
A: As an answer to this question, I would like to focus on some psychological factors related to crisis management.
- The first thing that happens when a catastrophic incident strikes is disbelief. Therefore, testing various catastrophic scenarios prior to an incident exposes senior leadership to such possibilities and reduces the probability of time being lost due to shock and disbelief in the ranks.
- Second, there is a possibility that organizations may get stuck trying to wait for complete information. During a crisis, complete information is a luxury that organizations may not have. Leaders may have to assume the worst and take decisions based on that. At any rate, getting stuck in analysis-paralysis while waiting for complete data does not bode well for the organization.
- Third, tempers run high during a crisis and there is always a temptation to indulge in a blame game. During a crisis, organizations need to avoid that at all costs. The focus should be on recovery and a root cause analysis. Lessons from the crisis should feed into the organization’s resilience program. They should not be used for a witch hunt or a blame game.
Any closing thoughts for Board Members, CEOs / CFOs and senior leaders on this topic?
A: Well, yes!
Research from Rory Knight and Deborah Pretty shows that in the long run, organizations which have effective resilience do 22% better on the stock exchange than companies with ineffective response. Companies that invest in recovery strategies, leaders who do not panic during a crisis and teams that prepare in advance for such incidents result in better cyber resilience. Such organizations always perform better than their competitors and their resilience becomes a strategic competitive advantage in the marketplace. Make sure your organization invests the right resources, time and effort in this extremely critical but often neglected activity.