Good Bye Cyber Security, Hello Cyber Resilience?
In this month's article from April 2023, committee member Peter Lescop explains the important difference between Cyber Security and Cyber Resilience, and discusses why you need both for a successful Cyber Strategy.
An interesting evolution in the way we talk about Cyber Security has been happening over the past couple of years: the term 'Cyber Resilience' has become more prominent than 'Cyber Security'. To the average person outside the industry these terms may seem interchangeable, but in reality there is a distinct difference between them. The difference isn't just one of definition; it reflects an evolved approach to Cyber itself.
So, what do these terms mean? What are the differences? And what does this mean for us as we approach this within our working lives?
What is Cyber Security?
A quick internet search will provide many differently worded definitions of the term cyber security. My personal preference is the simple 'the use of people, processes and technology for the purpose of reducing the risk of cyber-attack'. This can of course be fleshed out with detail, but ultimately the concept is to reduce or stop cyber-attack.
What is Cyber Resilience?
An often repeated statement within the industry is that it's not 'if' but 'when' you will be the victim of a cyber-attack. This doesn't mean that good cyber security is futile; it is still important to reduce the chance of a successful cyber-attack as much as possible.
This is where the concept of Cyber Resilience comes into play. It approaches the risk of cyber-attack by ensuring that appropriate measures are in place so that, if an attack does succeed, you are prepared to respond and recover. Being cyber-resilient ensures that the path back to green after a cyber incident is as smooth and painless as possible.
How does Cyber Security & Resilience fit together?
Cyber Security and Cyber Resilience are not mutually exclusive; in fact, a robust approach uses both to improve your overall cyber strategy. The two concepts go hand in hand and feed into an overall process of continual improvement.
Cyber Security includes controls for the protection of assets, whether those controls sit within people, process or technology. It's important that appropriate controls are in place, and we usually choose them on the basis of sound risk management.
Your approach to Cyber Resilience can then take the same risk management process and applied controls, and assume compromise has occurred. By doing so we make sure that, in the event of a successful cyber-attack, we have already thought through and planned how to respond and recover.
In practical terms, let's consider the risk of a DDoS attack against a public, internet-facing firewall. Assume your business risk assessment has rated a DDoS attack as likely and its potential impact as concerning. From a pure Cyber Security perspective we can apply controls such as an NGFW (Next Generation Firewall), automated rulesets that block offending source IPs, and minimising the device's exposure on the internet.
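To make the "automated ruleset that blocks offending source IPs" control concrete, here is an added example (not code from the article or its author) of the kind of rate-based detection such a ruleset is built on. It runs a per-source sliding-window counter over a few constructed connection-log lines, flags sources that exceed a threshold, and renders the result as firewall rule fragments. The log format, the thresholds, the table and set names in the emitted rules, and the sample addresses are all assumptions for illustration. It also shows the caveat a practitioner wants: an allowlist, because an unconditional auto-block rule can turn a DDoS into a self-inflicted outage when it catches a monitoring probe or a partner's address.

```python
"""Sliding-window per-source rate detection feeding an IP block list.
Added example, not the article's own code; log format, thresholds and
rule syntax targets are assumptions."""
from collections import defaultdict, deque
import re

# Constructed sample lines in a hypothetical "<unix_time> <src_ip> <event>"
# format. Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
1680000000 198.51.100.7 SYN
1680000000 203.0.113.9 SYN
1680000001 198.51.100.7 SYN
1680000001 198.51.100.7 SYN
1680000002 198.51.100.7 SYN
1680000003 198.51.100.7 SYN
1680000003 192.0.2.44 SYN
1680000004 198.51.100.7 SYN
1680000015 198.51.100.7 SYN
1680000020 203.0.113.9 SYN
1680000021 203.0.113.9 SYN
this line is deliberately malformed
"""

LOG_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def parse_line(line):
    """Return (timestamp, src_ip, event) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def detect_floods(lines, window_s=10, threshold=5, allowlist=frozenset()):
    """Return {src_ip: timestamp_first_exceeded} for every source that sends
    more than `threshold` events inside any `window_s`-second sliding window.

    Allowlisted sources are never flagged; a source is reported once, at the
    first timestamp where it crosses the threshold."""
    windows = defaultdict(deque)   # src_ip -> timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:         # skip unparseable lines rather than crash
            continue
        ts, ip, _event = parsed
        if ip in allowlist or ip in flagged:
            continue
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] >= window_s:   # expire events outside the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = ts
    return flagged


def to_block_rules(flagged, table="inet filter", set_name="ddos_block"):
    """Render flagged sources as nftables set-element additions.

    The table and set names are assumptions; the set must already exist
    (e.g. `nft add set inet filter ddos_block { type ipv4_addr; }`) and a
    rule must reference it for the elements to have any effect."""
    return [f"add element {table} {set_name} {{ {ip} }}" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_floods(SAMPLE_LOG.splitlines())
    for ip, ts in hits.items():
        print(f"{ip} exceeded the threshold at {ts}")
    print("\n".join(to_block_rules(hits)))
```

With the defaults, only 198.51.100.7 (six SYNs in five seconds) is flagged; 203.0.113.9 sends three events spread over twenty seconds and stays under the window threshold. Putting the same address on the allowlist suppresses the block entirely, which is the trade-off a risk assessment has to make explicit before this kind of rule is allowed to act on its own.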
Now look at the same scenario from a cyber resilience angle and assume compromise. We can use testing, whether penetration testing or table top exercises, to simulate the results of a successful cyber-attack, and use the results of those tests to make sure additional controls are in place.
As an example, a penetration test may show that your NGFW cannot cope with certain attack volumes; to improve cyber resilience you might then size the firewall appropriately, or outsource the protection to a third-party cloud provider. Or a table top exercise may show that you do not have an appropriate business continuity or disaster recovery plan with which to respond effectively. In both cases these lessons learned are what you use to improve your overall cyber resilience.
In addition, in the unfortunate event of a real DDoS, we can use the Business Continuity or Disaster Recovery processes to feed lessons learned back into our cyber security controls.
Summary
Cyber Security and Cyber Resilience are not new terms, nor do they introduce any new concepts. The evolution of these terms is a natural response to the overall approach to the risk of cyber-attack, where the number and sophistication of attacks continue to scale up year by year.
What traditional cyber security teams will likely encounter as the industry evolves is a change in the make-up of responsibilities within their areas. This is already happening for many and may not be unfamiliar, but responsibilities such as Backups, Business Continuity and others may find their way into your security team in the near future.
Whatever happens, we are likely to hear more and more reference to Cyber Resilience as we mature as an industry, and it's important that we take it seriously within each of our own spheres of influence.