Posted on: September 7, 2022
Alex Toews, Ryan Shea
Compass Customer Summit Series
High profile ransomware attacks and nation state intrusions have kept cybersecurity a top C-suite concern for the past several years. In fact, according to Gartner’s Top Security and Risk Management Trends , 48% of executives believe that cybersecurity is the top source of risk to their organizations.
These increasingly severe and frequent attacks have led to significant business disruptions and reputational damage for multiple organizations – and global businesses have taken note. Organizations must take proactive steps and respond to cyber disruptions with agility, ensuring they can continue to deliver on their brand promise. Organizations need to also understand the role of business processes in delivering products and services to customers. This knowledge helps to recognize the business impact and respond promptly to minimize downtime. Without adequate technology resilience, a worse-case scenario is that the business can fall behind competitors and lose market share from damaging its reputational or financial status.
Defining Cyber Resilience
According to the National Institute of Standards and Technology, cyber resilience is defined as “the ability to anticipate, withstand, and recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”
Cyber risk, cyber resilience, cybersecurity, and IT risk are terms that are often used interchangeably. But what do they really mean to a business? The truth is that they may mean different things to different companies (and even to different teams within companies). As cyber threats continue to evolve, organizations must work to create a common language, mentality, and approach across the enterprise so they will have the proper plans, procedures, and systems in place to maintain normal business operations when a disruption occurs. You must communicate across the organization to ensure that all staff – regardless of team or business function – understand what cyber resilience looks like for your organization and what role each of your staff plays.
The heightened use of third-party vendors makes organizations more susceptible to cyber risk. With a large vendor landscape, there are more potential entry points for threat actors to attack that can cause a domino effect down the supply chain and negatively affect the business. Businesses must have a third-party risk management system that helps them to identify and reduce risks caused by third-party service providers.
Fusion focuses on providing information, meeting data requirements, and mapping dependencies. No organization operates in a vacuum. Every organization relies on external vendors to deliver on its customer promise. Network providers, online video conferencing software, or other vendors who provide services that are critical to your daily operations could experience an outage at a moment’s notice. Recognizing the role of every vendor within your organization and what business processes they interact with is critical. With this understanding, dependency maps can help organizations realize potential business impacts.
Mapping Cyber Risks
While cyber resilience has become a top priority in the boardroom and C-suite, these executives still struggle to fully understand the nuances and critical nature of cyber resilience. This can lead to a problem in securing adequate resources and talent. Stakeholders’ support is vital to the success of any cyber resilience program. A business must have full enterprise knowledge of business processes, third-party dependencies, and up-to-date cyber knowledge. Therefore, creating a framework to address cyber threats is critical.
Many businesses do not know where to start and what kind of an approach they need to take to build up their cyber resilience. Fusion provides a pragmatic framework that can help businesses anticipate, withstand, recover from, and adapt to adverse attacks on their company or products/services. A common pragmatic cyber risk program consists of five steps: identity, protect, detect, respond, and recover. However, cyber resilience is not “one size fits all”. Businesses need to personalize the framework to work best for their organization’s objectives, mission, and values.
Kicking off Your Cyber and Technology Resilience Journey
First, identify your company’s risks, threats, and vulnerabilities. Then, determine practical mitigation strategies by assessing which people, processes, and technologies are required to ensure minimum business disruption.
There are no guarantees with cyber resilience. Threats can still impact your business, but proactive measures can help minimize the impact. Identifying prevention strategies and the level of controls based on criticality is vital. Taking these steps will prepare your business to remain agile.
Planning for Disruption
Even with the necessary proactive measures, disruptions can still impact your business. Business leaders must also prepare for detection, response, and recovery. Prompt disruption impact identification ensures that an organization can respond in a timely manner that restricts the bleed. Proactive data collection and planning will enable your organization to recover quickly and thrive, not just survive. It is also important to remember that disruption is not always a negative – it can present a lesson to ensure your organization, product(s), people, processes, and technologies are future-proof.
Stakeholders may request further explanation or a change in cyber resilience approach. Teams must prepare to answer or even adopt a different approach. Fusion always supports its clients by framing the approach using available objects, records, and frameworks.
We are grateful to continue working with our customers to help them achieve robust cyber resilience. To learn more about Fusion’s approach to cyber resilience, watch our webinar replay on “Cyber Resilience: What We Learned in 2021″.