IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Is Your Government Organization Cyber Resilient?

What does it mean to be prepared for technology and business disruptions in the 2020s? How can your organization recover fast?

Tiny toy figures of security officers standing on a laptop keyboard.
Shutterstock.com/kirill_makarov
Starting a few years ago, a shift occurred in the preferred descriptions of best practices in cybersecurity. While terms such as “cyber defense” and “cyber protections” continued to be commonly used when guarding against “cyber threats,” one new term has grown dramatically in popularity and use: “cyber resilient,” meaning “resilience against cyber threats.”

For example, when the Cybersecurity and Infrastructure Security Agency (CISA) recently signed a cybersecurity cooperation agreement with Ukraine, Jen Easterly, director of CISA, reportedly said, “Cyber threats cross borders and oceans, and so we look forward to building on our existing relationship with SSSCIP to share information and collectively build global resilience against cyber threats.”

But you may be thinking: Is this really an important shift worth recognizing? If so, why is resilience so vital? Just as important, what does it mean to be cyber resilient?

But before we answer these questions, allow me to provide a few definitions and examples to show you that I am not just cherry-picking quotes to create a trend.

First, what is cyber resilience?

Back in 2018, the Department of Homeland Security released this resilience framework: “Providing a Roadmap for the Department in Operational Resilience and Readiness.” How did they define resilience? “Simply stated, resilience is the ability to adapt to changing conditions and withstand and rapidly recover from disruption. Hazards and threats that can cause disruptions can take many forms, including natural, technological, and human-caused. These could entail, for example, severe weather, power outages, roadway failures, acts of terror, and cyberattacks.”

Back in mid-July, the World Economic Forum (WEF) published this article: “How organisations can use vulnerability to create cyber resilience.” Here are some summary points:

  • Organizations that will emerge as market leaders in the digital economy will have leaders that prioritize and cultivate a culture of cyber resilience
  • Ecosystem-wide collaboration among organizations will be key to building this resilience
  • This requires a willingness to share organizational experiences about cyber risks and challenges

Also, the World Economic Forum’s (WEF) Global Cybersecurity Outlook 2022 report, developed in collaboration with Accenture, found that:

  • Only 19 percent of cyber leaders feel confident that their organization is cyber resilient
  • Fifty eight percent of respondents feel their partners and suppliers are less resilient than their own organization
  • Eighty eight percent of respondents are concerned about the cyber resilience of small and medium-sized enterprises (SMEs) in their ecosystem

And the WEF has several other reports on cyber resilience. Last November they published “3 principles to help build a cyber resilient organization.” Their three main points (with details listed in the article) included:

  1. Cyber resilience must be governed from the top
  2. Cyber resilience must be inherent to the business operating model
  3. Cyber resilience is an enabler of business outcomes

BECOMING CYBER RESILIENT CALLS FOR GREATER COLLABORATION BETWEEN PUBLIC AND PRIVATE SECTORS


There have been many calls for more government and business collaboration to strengthen cyber defenses over the years, and a recent article in The Hill caught my attention: “To make US more cyber-resilient, government and business need far greater collaboration.”

Here’s an excerpt:

“Cybercrime is now so ubiquitous that the question is not when an attack will occur on a business, individual, or government — It’s whether the victim is resilient enough to deal with the consequences.

“Recent events have only intensified the cyber threats. Since Russia invaded Ukraine in February, the world has monitored global digital networks’ security with heightened awareness. To date, the most disruptive Russian attacks, centered on Ukrainian communications networks, have had spillover effects only into Europe. But the war continues to escalate, and the threat of malicious Russian cyber activity toward Ukraine, Europe, and the rest of the world remains high. With election security top of mind as the U.S. midterms approach, government officials are acutely aware of the threats that exist from cyber actors, including Russia.”

One idea they share near the end of the article is a new national virtual cyber academy: “The virtual academy would be based on partnerships with colleges and universities. Similar to the U.S. military academies, cybersecurity cadets would receive a free college education in return for government service upon graduation. Graduates would be placed in federal, state, or local government cybersecurity roles to fulfill their obligations.”

Another article in CSO Online offers “... 5 Steps to Strengthening Cyber Resilience”:

  1. Embrace the vulnerability of hybrid work and build resilience
  2. Limit the impact of ransomware attacks
  3. Elevate cybersecurity into a strategic business function
  4. Maximize your existing resources
  5. Implement security fundamentals

This excellent blog from Avast offers a small business guide to cyber resilience. It starts with a section describing “Cyber resilience vs. cybersecurity: What’s the difference ⁠— and why does it matter?”

“Achieving cyber resilience means a company strives to implement all necessary cybersecurity measures and:
  • Instills in team members the importance of their roles in combating cyberattacks
  • Commits to investment and the realignment of company values to include a core component of cybersecurity
  • Automates repetitive cybersecurity tasks, such as data backups
  • Continuously improves internal cybersecurity processes and systems
  • Engages with the cybersecurity community-at-large to learn and share attack trends and strategies
  • Explores outsourcing opportunities with MSPs or the IT professional community to relieve small business owners and staff of the stress of managing a cybersecurity program.”  

FINAL THOUGHTS


There are many other great articles on cyber resilience, but I want to leave you with another free resource. This CISA Cyber Resilience Review (CRR) can help you take your organization to the next step in this analysis.

At the heart of cyber resilience is the recognition that you will be attacked, and you will lose some battles, allowing some adversaries access to sensitive data or perhaps even a ransomware attack will be successful via some means.

What will you do next? How can you recover?

You can also learn much more about this topic in my podcast interview with GovTech on my book Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering from Inevitable Business Disruptions. That interview is here:
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.