{"id":1836,"date":"2019-07-20T03:41:42","date_gmt":"2019-07-20T03:41:42","guid":{"rendered":"http:\/\/kusuaks7\/?p=1441"},"modified":"2023-08-09T10:27:46","modified_gmt":"2023-08-09T10:27:46","slug":"what-cyber-resilience-is-not-about","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/what-cyber-resilience-is-not-about\/","title":{"rendered":"What Cyber Resilience is Not About \u2026"},"content":{"rendered":"

Cyber resilience must not be used to legitimise window-dressing practices around cyber security<\/h3>\n

Although the theme is gaining momentum, there is a certain amount of confusion around what cyber resilience really means for organisations.<\/p>\n

For many, it is just another piece of consultant jargon: An abstract managerial concept with little real-life substance or meaning.<\/p>\n

As a matter of fact, it is very real and rooted in the \u201cWhen-Not-If<\/a>\u201d paradigm around cyber attacks which is changing completely the dynamics around cyber security in many firms.<\/p>\n

At the heart of cyber resilience lies a real application of \u201cdefence in depth\u201d principles which have been well established for decades: Acting at preventative, detective, mitigative AND reactive levels, AND across the real breadth of the enterprise \u2013 functionally and geographically. It is about the enterprise being enabled by the use of data and technology, whilst remaining protected from active threats.<\/p>\n

It requires managerial and governance practices to be active across corporate silos and the supply chain (once again, functionally and geographically), and it cannot be dissociated from a broader approach to operational and corporate resilience.<\/p>\n

It is hard to deliver at scale and presents many large organisations with significant cultural challenges. So the temptation is high for many to over simplify it and to focus only on alleged quick wins.<\/p>\n

Of course, the \u201cWhen-Not-If\u201d paradigm implies that security breaches are unavoidable. But it does not represent a licence to ignore all protective, detective and mitigative measures to focus only on the reactive ones. This is the type of simplistic approach to \u201cresilience\u201d which may put a few ticks in audit or compliance boxes, but in the long term, can only aggravate security postures and lead to regulatory issues, in particular in the face of a worldwide tightening of regulations around the protection of personal data.<\/p>\n

\u201cCyber resilience\u201d cannot be limited to an annual desktop exercise with board members and corporate functions during which they simulate how to react to a cyber-attack, in order to minimise the impact on the share price, media coverage or the reactions of customers.<\/p>\n

All those factors are important, but \u201ccyber resilience\u201d must not turn into an excuse to legitimise a top-down window-dressing culture around cyber security practices.<\/p>\n

Corporate resilience is the ability of an organisation to continue operating in the face of disruptive events, and to return to normal operations over time. It implies a deep knowledge of operational processes, their integration and their inter-dependencies. It also implies a deep knowledge of the supply chain and its actors.<\/p>\n

To operate efficiently in disrupted situations, it also requires a collaborative and positive culture, which needs to be created and fostered from the top down.<\/p>\n

All this is even more acute in cyber resilience scenarios, due to their relative novelty, the speed at which the organisation often needs to react and the technical complexity which may be involved.<\/p>\n

Instead of being treated as another box checking exercise and a quick win, cyber resilience must be embedded into the right corporate structures and used to channel a different culture<\/a> from the top down around cyber security:<\/p>\n