The way we think about securing our businesses data is fundamentally flawed. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality of integral data. This is great, but recent events have shown that it is clearly not enough.
These defenses are proving insufficient against attacks that grow more complex by the minute. We need to put more focus on cyber resilience in addition to maintaining a good cyber security posture.
True cyber resilience always starts with nailing down the basics. This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on good cyber awareness. However we need to be doing these things continuously and consciously, not just once a year for a quota.
Furthermore businesses need to be building resilience into every part of the company, from business process mapping to engineering service availability. While these areas typically receive limited attention, resources, or any real executive focus they are significant elements in the case of a real cyber threat.
The aim of cyber resilience is to ensure operational and business continuity with minimal impact. But the reality can be harder to get down in practice, because there’s currently no good way to measure cyber resilience. We need to have a certain level of confidence in our ability to respond to an attack and to absorb the possible financial, legal, and brand impact with little repercussions to get back to business ASAP. But there is no widely-accepted cyber resilience framework, which should change.
After all, there are countless other maturity models which allow businesses to measure their capabilities such as digital transformation, supply chain, cyber security, and data management just to name a handful. What might cyber resilience maturity look like? It's not just about the ability to respond and recover; it's how quickly we recover and what we prioritize.