Imagine your company is undergoing a cyberattack. You discover that temporarily shutting down System X will stop the attack immediately, but it will also cause your company to lose out on millions in revenue. You then discover that if you shut down System Y instead, it won’t adversely affect your revenue stream, but it will take much longer (a few days) to stop the attack.
Your decision about what to do in this situation requires more than just knowing the technical nuts and bolts of cybersecurity. It demands that you think through the human and business outcomes.
This is where cyber resilience comes in.
What Is Cyber Resilience?
Cyber resilience describes an enterprise’s ability to anticipate, withstand, recover from, and adapt to security threats, attacks, and incidents, drawing on cybersecurity know-how and foresight rather than on technical controls alone.
At the recent MIT Sloan CIO Symposium, a panel discussion, “How Cyber Resilience Has Become a Key Competitive Advantage,” brought together leading experts to discuss how cyber resilience best practices can help companies face all types of threats.
Here are three of the cyber resilience best practices that experts shared.
1. Create Trust
In a world where cyber threats seem to loom around every corner, cybersecurity providers receive a lot more questions from their end customers. “[Customers are] getting more sophisticated,” explained Fred Cohn, digital risk leader at Schneider Electric.
Cohn said that customers can sometimes ask hundreds of sophisticated questions about a provider’s cybersecurity capabilities. That’s why having the ability to explain your security program is more critical than ever.
Esmond Kane, CISO at Steward Health Care, echoed Cohn’s sentiments. Kane emphasized the importance of illustrating cybersecurity concepts for customers through stories and easy-to-understand analogies. For example, he pointed to how the metaphor of a door can help explain security basics -- e.g., putting a lock on the front door, or leaving a back door unsecured. This kind of nontechnical communication helps to build trust with customers who aren’t versed in the nitty-gritty of cybersecurity, he said.
2. Educate Your Employees
By now, phishing exercises have become routine at companies, but more cybersecurity education is needed for non-IT employees.
Kane noted that IT risk will never be eliminated -- but it can be mitigated. The best way to mitigate risk is to have an informed and empowered workforce.
Security awareness is a balancing act, however. “You want enough friction to stop the bad guys but not so much that it inconveniences the good guys,” Kane said. In other words, you want your employees educated, but you don’t want to overburden them with information and responsibility to the point where it hinders their normal job duties. “People are the weakest link in cybersecurity,” he said. “But they’re also the strongest asset.”
David Masson, director of enterprise security at Darktrace, an AI-based security firm, urged companies not to shy away from uncomfortable results of phishing exercises and other security tests. If several employees fail a certain exercise, don’t sweep it under the rug. Instead, acknowledge the weakness and use it to grow.
In a similar vein, Masson offered another cyber resilience best practice: Tell your employees to report breaches early. A cyber resilient enterprise puts everything on the table and doesn’t hide anything, he said.
3. Know Your Board, Inform Your Board
A corporate board might be made up of people who are extremely knowledgeable about cybersecurity, or of people whose areas of expertise lie elsewhere.
Keri Pearlson, executive director of cybersecurity at MIT Sloan, said IT professionals should speak to the board about security on a level that matches the board’s understanding. For example, that could mean moving away from simply providing the board with results of phishing exercises to interpreting those results in terms they would appreciate.
Explaining how cybersecurity fits into a larger business context is key to informing the board about the state of the company’s cybersecurity program, Pearlson said. That’s the only way executive decision makers can ensure the company is cyber resilient.
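Two of the practices above meet in the phishing exercise: Masson’s point that the organization gains most when people report early, and Pearlson’s point that the board needs those results interpreted rather than dumped as raw numbers. The following is an added example (not code from the symposium, the panelists, or MIT Sloan) showing one way to do that interpretation: it takes per-recipient outcomes from a simulated phishing campaign and turns them into a click rate, a report rate, the time until the first report reached the security team, and the share of clicks that were followed by a report. The campaign data, department names, and field names are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Recipient:
    """One recipient of a simulated phish. Times are minutes after delivery."""
    dept: str
    clicked_at: Optional[float]   # None if the link was never clicked
    reported_at: Optional[float]  # None if the email was never reported


# Constructed sample data for two quarterly campaigns (not real results).
CURRENT_CAMPAIGN = [
    Recipient("Finance", 7.0, None), Recipient("Finance", None, 4.0),
    Recipient("Finance", 12.0, 15.0), Recipient("Finance", None, None),
    Recipient("Engineering", None, 2.0), Recipient("Engineering", None, 6.0),
    Recipient("Engineering", 30.0, None), Recipient("Engineering", None, None),
    Recipient("Sales", 3.0, None), Recipient("Sales", 9.0, None),
    Recipient("Sales", None, 20.0), Recipient("Sales", 40.0, None),
]
PREVIOUS_CAMPAIGN = [
    Recipient("Finance", 5.0, None), Recipient("Finance", 8.0, None),
    Recipient("Engineering", 2.0, None), Recipient("Engineering", None, 45.0),
    Recipient("Sales", None, None), Recipient("Sales", 11.0, 50.0),
]


def summarize(recipients):
    """Reduce per-recipient outcomes to the few numbers a board can act on."""
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked_at is not None]
    report_times = sorted(r.reported_at for r in recipients if r.reported_at is not None)
    # A click followed by a report is a contained click: the security team knows
    # about the foothold. That is what early reporting buys the organization.
    contained = [r for r in clicked if r.reported_at is not None]
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "report_rate": len(report_times) / n,
        "time_to_first_report_min": report_times[0] if report_times else None,
        "median_report_time_min": median(report_times) if report_times else None,
        "contained_click_rate": len(contained) / len(clicked) if clicked else None,
    }


def by_department(recipients):
    """Per-department summaries, so a weak spot can be named rather than hidden."""
    depts = sorted({r.dept for r in recipients})
    return {d: summarize([r for r in recipients if r.dept == d]) for d in depts}


def _pct(x):
    return f"{x * 100:.0f}%"


def _mins(x):
    return "n/a" if x is None else f"{x:.0f}"


def board_summary(current, previous):
    """Plain-language sentences comparing this campaign with the previous one."""
    cur, prev = summarize(current), summarize(previous)
    weakest_dept, weakest = max(by_department(current).items(),
                                key=lambda kv: kv[1]["click_rate"])
    return [
        f"{cur['recipients']} staff received the simulated phish; {_pct(cur['click_rate'])} clicked "
        f"and {_pct(cur['report_rate'])} reported it (last quarter: {_pct(prev['click_rate'])} "
        f"and {_pct(prev['report_rate'])}).",
        f"The first report reached the security team {_mins(cur['time_to_first_report_min'])} minutes "
        f"after delivery, versus {_mins(prev['time_to_first_report_min'])} minutes last quarter.",
        f"Highest click rate: {weakest_dept} at {_pct(weakest['click_rate'])}; "
        f"{_pct(weakest['report_rate'])} of that team reported the email.",
    ]


if __name__ == "__main__":
    for line in board_summary(CURRENT_CAMPAIGN, PREVIOUS_CAMPAIGN):
        print(line)
```

The time-to-first-report figure is the one to watch: it is the window during which an attacker who used the same lure would have operated unnoticed, and it shrinks only when people are willing to report, including after they have clicked. The per-department breakdown is there so that an uncomfortable result can be stated and worked on, in the spirit of Masson’s advice, rather than averaged away in a company-wide number.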
What are cyber resilience best practices you would recommend? Tell us in the comments below!