Protecting Your Org from Collateral Damage Through Operational Resilience

Amongst business leaders, the term operational resilience shouldn't be new, yet for many security leaders it is. It was Dwight D. Eisenhower who said, "In preparing for battle, I have always found that plans are useless, but planning is indispensable." In other words, it is hard to plan when you don't know the opponent's plans, but you can prepare for different scenarios.

This is the challenge for organisations today in both the public and private sector: they face the possibility of becoming collateral damage in a war they are not party to. Back in 2016, NATO recognised cyberspace as the fourth domain of operations after land, sea and air.

Typically, cybersecurity leaders plan: they look at the environment they need to secure, then examine the threats that could impact those assets, such as human error, ransomware or digital espionage.

For each threat they consider likelihood and potential impact, and from that decide whether specific investments beyond basic cyber hygiene are warranted to prevent, detect and respond to these known threats.

However, we have seen two key shifts in recent years. First, business tolerance for IT outages has shrunk: as dependence on digital processes has grown, the time a key process can be down has fallen significantly.

Second, the interdependencies between processes are growing. SolarWinds was a clear example of how deeply embedded capabilities have become: a trojanised update to a network-monitoring product reached thousands of customers, many of whom had never treated that supply-chain software as a risk because the complexity of their integrated digital processes had hidden it from view.

Now, coming back to Eisenhower and the notion of operational resilience: once we have done all we can to manage the known risks, what do we do about the unknown ones?

For example, your online presence is leveraged as part of a nation-state campaign, or your business is taken offline because you happen to use the same software as the intended target. There are limitless scenarios we simply cannot plan for or predict. Operational resilience adds a different lens, recovery, once prevention, detection and response strategies are in place.

What would the business do if it were caught in the crossfire of a targeted attack and key digital processes were taken offline? This starts by recognising which digital processes the business requires to function and what dependencies sit behind them. If those processes are taken offline, is there a completely isolated backup that can step in? If not, how long would recovery take, and would that be acceptable to the business?

Sadly, ransomware attacks against healthcare organisations provide an example: we have seen evidence that patient care was affected when an attack blocked access to data and surgical procedures or other treatments were delayed.

The question becomes: what is the backup process? Is it going back to paper? Is there a secondary IT system that can come online? How do we ensure as seamless a data handover between them as possible, without making one a compromise risk to the other?

Effectively, this is disaster recovery and business continuity planning, which is hard for many security leaders to engage in because their remit is to prevent cyber impact. So what should you be challenging your security leader to do?

  • Have a clear agreement with the business on what the mission-critical digital processes are, what the key dependencies behind them are, and how long the business could function if they were taken offline.
  • Agree what the disaster recovery plan is, both for keeping the business running and for recovering from a significant outage.
  • TEST, TEST, TEST, working through these scenarios with the business on a regular basis. It helps the business understand the risks and, more critically, prepares them for the hard decisions they may need to make.
  • Be prepared in advance, as many companies won't have the specialist skills required during a cyber incident. Have you pre-selected your Incident Response partner? Have you completed the contracts in advance? Sadly, I have seen legal negotiations dramatically slow response at critical moments when they could and should have been completed before the incident occurred.
  • Recognise that our digital worlds are becoming ever more interconnected. This means, first, that this is not a one-time project but an ongoing process. Second, there will be others involved in your incident, and you need to consider how you communicate with them throughout the response.
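The dependency mapping and recovery-time questions above (which processes are mission-critical, what sits behind them, whether a backup is truly isolated, and whether recovery fits the business's tolerance) can be made concrete. The following is an added illustration, not part of the original article or of any Cybereason product: a small critical-path model over a constructed asset inventory. All asset names, recovery times, fallbacks and the 24-hour tolerance are hypothetical; in practice they come from the business impact analysis and the CMDB.

```python
"""Recovery-time check for a mission-critical process over its dependency graph.

Added illustration with constructed data. The modelling assumption is that an
asset can only be restored once everything it depends on is back, so a process's
effective recovery time is the slowest dependency chain beneath it (the critical
path) plus its own restore time, not its own restore time alone.
"""
from __future__ import annotations

# Constructed inventory: asset -> (own recovery time in hours, direct dependencies).
ASSETS: dict[str, tuple[float, tuple[str, ...]]] = {
    "patient_records_app": (4.0, ("db_cluster", "identity_provider", "monitoring_platform")),
    "db_cluster": (8.0, ("storage_array",)),
    "storage_array": (12.0, ()),
    "identity_provider": (6.0, ()),
    "monitoring_platform": (2.0, ("vendor_update_service",)),
    "vendor_update_service": (72.0, ()),          # third party: outside our control
    "paper_fallback": (0.5, ()),                  # manual process, no IT dependencies
    "dr_site_app": (3.0, ("identity_provider",)),  # shares the IdP with the primary
}

# Maximum tolerable period of disruption agreed with the business, in hours (constructed).
MTPD: dict[str, float] = {"patient_records_app": 24.0}

# Candidate backups for each mission-critical process (constructed).
FALLBACKS: dict[str, tuple[str, ...]] = {
    "patient_records_app": ("dr_site_app", "paper_fallback"),
}


def transitive_deps(asset: str, _seen: frozenset[str] = frozenset()) -> frozenset[str]:
    """Every asset the given one relies on, directly or indirectly. A cycle is an error."""
    if asset in _seen:
        raise ValueError(f"circular dependency through {asset}")
    _, direct = ASSETS[asset]
    result: set[str] = set(direct)
    for dep in direct:
        result |= transitive_deps(dep, _seen | {asset})
    return frozenset(result)


def recovery_path(asset: str) -> tuple[float, list[str]]:
    """Worst-case recovery time and the critical path (restore order) that produces it."""
    own, direct = ASSETS[asset]
    if not direct:
        return own, [asset]
    slowest, slowest_path = max((recovery_path(d) for d in direct), key=lambda t: t[0])
    return own + slowest, slowest_path + [asset]


def assess(process: str) -> dict:
    """Compare critical-path recovery with the business tolerance and check whether each
    candidate fallback is genuinely isolated from the primary's dependency tree."""
    primary_tree = transitive_deps(process) | {process}  # also rejects cycles
    hours, path = recovery_path(process)
    fallbacks = []
    for fb in FALLBACKS.get(process, ()):
        shared = transitive_deps(fb) & primary_tree
        fb_hours, _ = recovery_path(fb)
        fallbacks.append({
            "name": fb,
            "hours": fb_hours,
            "isolated": not shared,               # shares nothing with the primary
            "shared_dependencies": sorted(shared),
        })
    return {
        "process": process,
        "recovery_hours": hours,
        "critical_path": path,
        "mtpd_hours": MTPD[process],
        "within_tolerance": hours <= MTPD[process],
        "fallbacks": fallbacks,
    }


if __name__ == "__main__":
    report = assess("patient_records_app")
    verdict = "OK" if report["within_tolerance"] else "EXCEEDS tolerance"
    print(f"{report['process']}: {report['recovery_hours']:.1f}h to recover "
          f"(MTPD {report['mtpd_hours']:.0f}h) -> {verdict}")
    print("  critical path:", " -> ".join(report["critical_path"]))
    for fb in report["fallbacks"]:
        status = "isolated" if fb["isolated"] else f"shares {fb['shared_dependencies']}"
        print(f"  fallback {fb['name']}: {fb['hours']:.1f}h, {status}")
```

With the constructed data the slowest chain is not the database but the embedded monitoring platform waiting on a third-party update service, which pushes recovery to 78 hours against a 24-hour tolerance; that is the SolarWinds lesson in miniature. The DR-site copy is flagged as not isolated because it shares the identity provider with the primary, while the paper fallback is isolated but carries its own cost in manual effort.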

But the good news is that there are organisations out there that can help you, be they national agencies, CERTs, industry groups or others. Make sure you know them and are ready to call on them when needed.

Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Greg Day

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.