Cyber Posture Management and the Evolution of Cyber Resilience
In this blog
Posture: a particular way of dealing with or considering something; an approach or attitude.
Resilience: the capacity to withstand or to recover quickly from difficulties; toughness.
Cyber: of, relating to, or involving computers or computer networks (such as the Internet, Virtual Reality and Artificial Intelligence)
The rapid transformation of cyber risk
A few years ago, during the dawn of Generative Artificial Intelligence (Gen AI), the term cyber resilience crept into the consciousness of the cyber community and spread like wildfire. When considering the definition of resilience, it is clear it has always been a part of cybersecurity programs. Still, when bridging the gap between the operator and the practitioner, the idea of resilience proved common ground: a robust resilience ecosystem, including different facets of a lifecycle, and even subcategories like operational, business, reputational, etc. basically anything + resilience was born.
Today, though, just a few short years later, given the acceleration of AI technology, the Resilience principles no longer fit to encompass the holistic journey organizations must consider when addressing and mitigating cyber risk.
Consider the definition of cyber. Cyber: of, relating to, or involving computers or computer networks.
Through this lens, it is easy to understand that cyber risk, in its purest form, is no longer addressed purely by resilience. In today's world, it encompasses traditional technology, security, and AI, and it becomes necessary to transform the mitigation discussion when considering the different facets of risk posed by the modern version of cyber incident.
The two, soon to be three, sides of cyber incidents
There is no argument left that the digital revolution is here, and this year, we have had a front-row seat to the impact cyber incidents can have on single organizations, supply chains, and entire platform ecosystems, both from malicious and mistake-driven incidents. The hard truth is organizations rely on technology in almost every facet of their businesses, and all technology has a traditional cyber component and, with more increasing frequency, an Artificial Intelligence (A)I-cyber component. A cyber incident, whether malicious (IE, a hack or attack) or a mistake (IE, code issue, outage, etc.), can be catastrophic. The reliance on technology makes it virtually impossible for an organization to contemplate survival without attempting to keep up with the rapid pace of cyber innovation and change happening in the world today. As we have learned this past year, this need to keep pace has caused even the best cyber resilience plans to not only fall short but put a spotlight on gaps not being addressed adequately, resulting in the sometimes catastrophic consequences of today's cyber incidents.
Cyber incidents have the potential to quite literally kill an organization. Through the operational, reputational or financial impacts stemming from an incident, companies may not survive the damage inflicted. The analysis though on how to address cyber incident varies widely when dealing with malicious intent vs. mistake. With the new cyber risks AI is quickly introducing, there may quickly be a third side to cyber incident, malfunction. The result of this is while the necessity for cyber resilience planning, stemming from this now foundational reliance on cyber, is crucial, current cyber resilience planning is no longer enough. As an industry, we must now admit cyber resilience has become only one portion of a larger cyber posture management story.
A re-introduction to cyber posture management
Cyber posture management is not new to cybersecurity professionals. What is cyber posture management? Fundamentally, it is a systematic approach involving the continuous measurement, management, and mitigation of cyber risk. The concept of security posture management is over twenty years old, when the concept was first introduced by the first targeted solutions, like Skybox, to address it.
In today's adaptation of cyber posture management thought, the key here is the definition of cyber risk, and how practitioners and also boards must start addressing it. We are no longer just addressing risk from a security / threat perspective, but again having to consider an organizations holistic cyber posture from an incident perspective that addresses all three types of incidents that can be impactful. Malicious, Mistake, and Malfunction.
To adopt a cyber posture management approach there are three components:
- Business Continuity & Sustainability
- Operational Resilience
- Cyber Incident Response & Recovery
Each facet of cyber posture management is crucial for an organization to evolve from a reactive cyber risk recovery methodology to a proactive cyber risk control approach. Each also has both a technical and business lens that must be taken into consideration. This dual sided aspect to cyber posture management means a much closer alignment in the translation from business risk to technical application.
To get started on this evolution, there are many factors both sides must to consider, but a few best to start with are:
- Do the teams who have a role to play in full cyber risk understand the key business objectives (current and future) of the organization?
- Has an impact analysis been executed for failing to meet these objectives?
- What new cyber is being adopted in the organization and why? Is it for brand differentiation purposes or cost mitigation strategies?
- How well do you know your supply chain, and do you have redundancy plans (think network planning from the early 2000s) for critical systems that impact core operations?
- How often to you test fail over plans and are all facets of cyber included?
- Do you have communication plans executed for all three types of cyber incidents?
- How often do you have an outside cyber risk perspective being considered by your C-suite and Board, or evaluating the current Cyber Risk Program for enhanced posture management opportunities? (hint... it should be more often than you think)
- Can you quantify the time to recover per critical system, both traditional and AI enhanced?
- Do your employees (all those who touch technology as a part of their roles) understand their part to play in cyber risk?
- How often are you doing an outside in holistic (people, process & tech) corporate threat analysis?
While many of these recommendations may seem simplistic or redundant, the reality is the idea of posture adoption vs. resilience planning can be a major shift culturally for organizations. The relationship between risk executives and boards is not always founded in trust, and many times is met with friction and skepticism. Creating checklists of steps to take/ things to consider can be a critical component in early days of adopting this strategy, and can go a long way to building the necessary trust to adopt a successful posture that is proactive in nature.
Near term / longer term / future
In the near term, resilience will be the 3rd place buzz word of buzz words, following closely behind AI and Zero Trust. The hard truth though is like the concepts of observability and segmentation before it, given the pace of change we are all facing from a cyber risk perspective, traditional resilience is no longer THE answer, but now only part of it, and we must accept that quickly.
Creating long-term cyber governance/posture management that can flex and adapt to the rapid change cyber-AI is causing may be the only way for organizations to achieve any measure of proactiveness when considering cyber incident planning. The good news? We are all in this together and can lean on each other for best practices and collaboration. The bad news? We must quickly admit that there is more to the cyber risk journey than resilience and start changing both business and practitioner mindsets from reactive to proactive.
It truly is a brave new world, but if we all adopt a new posture regarding cyber, we can address all types of incidents in a more meaningful way.