Owning cyber resilience — whose job is it anyway?

EXECUTIVE SUMMARY:

The frequency and severity of cyber disruptions highlight the need for robust cyber resilience planning. Recent statistics reveal some alarming trends:

In 2022, nearly 90% of security professionals detected weaknesses in their supply chains. As many as 90% of organizations suffered a ransomware attack and 86% of organizations lost business or revenue on account of an incident. In sum, today’s cyber hazards mean that cyber resilience is critical.

By prioritizing cyber resilience, organizations not only safeguard their core assets, but also proactively address an evolving threat landscape and develop a trustworthy business ecosystem that’s conducive to sustained enterprise success.

Yet, who bears the responsibility of ensuring cyber resilience? In this article, we’ll explore a range of perspectives that can assist you in expanding your capacities to cultivate resilience within your organization.

What is cyber resilience?

The National Institute of Standards and Technology (NIST) defines cyber resilience as the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that are used or enabled by cyber security resources.

The purpose of cyber resilience is to ensure that business processes can continue to function smoothly in a contested cyber environment.

Resilience accountability

Organizations have begun to establish clear lines of business ownership around cyber resilience, helping to ensure that resilience becomes a key part of culture, processes, and decision-making.

In the past, the Chief Information Security Officer (CISO) or an equivalent role has been tasked with leading the charge on cyber resilience. This person possesses the expertise and authority to streamline efforts, allocate resources effectively and maintain accountability.

However, in recent years, the Chief Resilience Officer (CRO) role has emerged, as organizations recognize the need for a dedicated position when it comes to addressing the challenges associated with resilience.

The CRO role

The Chief Resilience Officer is a senior-level executive. This person develops and implements strategies that enable an organization to proactively address future potential business continuity challenges, including those posed by natural disasters, economic crises, cyber security incidents, and other unforeseen events.

Tia Hopkins, Chief Cyber Resilience Officer for eSentire, explains that this role helps limit the scope of incidents and issues. “Then it’s just ‘clean up on aisle six’ versus the building burning down.”

By ensuring that effective response and recovery mechanisms are ready for near-instant activation, the CRO oversees the long-term viability and sustainability of an organization.

Who else?

Some contend that responsibilities related to cyber resilience can be wrapped up into the Chief Information Officer (CIO) role or other technology-based roles. At the end of the day, arguably, who has which title and which responsibilities is a question of semantics.

What matters is that organizations ensure someone is responsible for looking through every lens: how threats could affect human, technical, third-party and data resources, what the impact to the firm and its services would be, and what contingency capabilities look like.

“You need people who can talk the talk and walk the walk of tech operations, security, risk and compliance to some extent,” says James Hardy, Chief Resilience Officer for State Street Bank.

The future

Some predict that the Cyber Resilience Officer role will become a fairly standard role within the next decade. It’s likely to take shape within more mature, forward-thinking enterprises that are most at risk of compromise, reputational damage, and financial damage.

Cyber resilience planning is especially important in operational technology (OT) environments, where hardware and software interact with the physical world and support public services. These systems need to be resilient to cyber security failures and failures of other types as well.

Resilience resources

Embarking on new resilience initiatives may seem daunting, but a series of resources can assist. Examples include the World Economic Forum’s Cyber Resilience Index, NIST’s SP 800-160 Vol. 2, MITRE’s Cyber Resilience Engineering Framework, and Cyber Talk’s operational resilience recommendations.

For more insights into cyber resilience, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.

The post Owning cyber resilience — whose job is it anyway? appeared first on CyberTalk.