Harnessing existing capabilities
For many organisations, the starting point for defining a cyber resilience strategy was the organisation’s existing business continuity planning and disaster recovery frameworks, which were commonly developed to ensure continuity in the face of physical disasters such as fire and extreme weather events.
According to Abbas Kudrati, a former CISO at KPMG Australia and now a lecturer on cyber security at La Trobe University, the elements of cyber resilience went far beyond just technical controls.
“Cyber resilience is not about being 100 percent secure, it is about how quickly you are able to recover when you are being attacked or breached,” Kudrati said.
“It is about getting back to business in a faster manner with the least impact to your business environment. Your people, process, technology, and architecture must align in a balanced manner.”
For Sandeep Taileng, information security leader for technology and transformation at State Trustees, the key attributes of cyber resilience were constant vigilance, robust construction, rapid damage control, and the ability to learn from experiences.
“It emphasises the ability to withstand attacks, recover quickly, and learn from incidents to ensure business continuity,” Taileng said.
“Regulations like Australia’s CPS 230 and global standards are promoting this adaptable approach, which focuses on recovery and continued operation rather than just prevention.”
But despite this straightforward presentation, adoption of these attributes was far from universal.
“Several obstacles hinder the adoption of cyber resilience, including a lack of executive engagement and accountability, insufficient resources and funding, cultural resistance from employees, the complexity of managing resilience across third parties, and the rapidly evolving threat landscape,” Taileng said.
“Other challenges include the complexity of mapping business functions to IT, fragmented accountability, the cost of testing recovery capabilities, limited visibility into vendor resilience, and resistance to shifting from a purely preventative mindset.
“Overcoming these requires leadership commitment, continuous education, and a holistic approach.”
Taileng observed that the cybersecurity community was increasingly focused on cyber resilience over pure prevention, as demonstrated by discussion of concepts such as “shifting left”, zero trust, threat hunting, cybersecurity mesh architecture (CSMA), operational technology (TO) security, and supply chain security.
“When this shift is framed in business terms such as business continuity, financial impact, operational risk, reputational damage, and regulatory compliance, it becomes more accessible and impactful for non-technical executives compared to purely technical cybersecurity discussions,” he said.
“This helps leadership understand cyber resilience as a core business priority.”
Kudrati suggested that a good starting point for incorporating cyber resilience into business continuity was the ISO 31001 Risk Management framework which provided comprehensive principles and guidelines to help organisations with their risk assessments. Kudrati said this framework offered the additional benefit of translating cyber risk into language that other senior leaders and board directors would understand.
“If a CISO is not integrating their cyber security strategy and cyber risk management framework with an enterprise-wide framework, then that CISO is running solo,” Kudrati said.
“And the only way to create the visibility at the board level is to plug the cyber risk register into the enterprise risk register.”
Guidance on how to implement a resilience strategy could also be gleaned from version 2.0 of the NIST Cybersecurity Framework (NIST CSF 2.0), which identified six core functions – govern, identify, protect, detect, respond, and recover.
According to Kudrati, each of these could be implemented using existing processes and controls, many of which were enabled by adopting a zero-trust architecture framework, which itself was based on three principles.
“The first principle is having a least privileged model, which means not giving access to anyone who is not required,” Kudrati said.
Interest in cyber resilience is demonstrated through the rapid growth in sales of tools and processes that help bring it to life. According to research from Markets & Markets, the market for resilience solutions consists of various players offering specialised solutions in areas such as data backup, threat detection, and disaster recovery.
Source link
