Forget cyber security: Cyber resilience is what really matters today
As much as we’d like to pretend otherwise, many of us across the technology industry are obsessed with semantics. And although it’s easy to be squeamish about something as slippery as language, the fact that definitions and words can lead to such significant debate is a sign that the words we use to talk about what and how we do things in the industry actually do matter.
It’s with this in mind that I’d like to draw your attention to a new term that has been cropping up in recent months: cyber resilience.
An evolution of cyber security, cyber resilience is a phrase that might initially make us wince. However, it’s actually instructive and could be extremely helpful.
Put simply, cyber resilience is useful because it reminds us that security isn’t a single set of tools and protocols erected like a wall or dug like a moat. Instead, it underlines that when it comes to software security, we need to think about things in terms of a process — something that requires ongoing attention, care, and effort.
Even more importantly, the concept of cyber resilience also serves as a reminder that security is something that’s inextricably linked to other critical aspects of a modern digital business such as data availability, operational agility, and even accessibility.
So, while it’s easy to be cynical about another word thrown into the mix of industry terms (sure, blame the marketers if you really want), maybe the turn to resilience could be helpful: on the one hand it might make businesses more effective, providing them with a more robust foundation to innovate and grow, while also protecting them from new risks and incidents that are impossible to predict.
Backup is a critical part of cyber resilience. Find out how Macrium can help you to protect what matters.
What’s the difference between cyber resilience and cyber security?
There are many ways of explaining the differences between cyber resilience and cyber security, but perhaps the best is to see them as contrasting in two key areas:
- Difference in terms of their starting point
- Difference in terms of scope
Cyber resilience starts from an assumption that every organization — indeed, just about every single person that’s ever had an internet connection — can relate to: you’re guaranteed to run into problems at some point. Yes, that might be a cyber attack, but it could also be a hardware or network failure, lost files or folders, out of date software — anything. Essentially, when you plan and build with cyber resilience in mind, you’re planning for the unpredictable.
The word unpredictable is particularly important. It’s useful for emphasising how cyber resilience contrasts with cyber security — to adopt a cyber resilience framework for planning and acting is to tacitly admit that there are things out there beyond our control and knowledge . Cyber criminals are invariably one step ahead, third party software providers are never 100% reliable etc — when you talk about cyber security, meanwhile, you’re operating in the sphere of the threats and issues that you know exist.
Firewalls, passwords, encryption — these are all important aspects of cyber security. Indeed, they will likely be components within a conversation around cyber resilience, but they might only occupy a small corner of the overall scope of cyber resilience.
Why cyber resilience now?
Cyber resilience matters now for a number of reasons. From a security perspective, the threat landscape is now changing at a rapid pace; it’s impossible to simply put in place a cyber security strategy and expect things to work out. But extending beyond security concerns, increased digitization — yes, more sites depending on eCommerce, but also IoT and embedded systems — means that it’s becoming more and more urgent for engineers, administrators and others to pay closer attention to the interdependence of various aspects of our system infrastructures.
A post on the UK’s National Cyber Security Centre’s blog explains this point nicely: “a protective approach to security, like the castle, is static — it either works or it doesn’t. If we want our cyber systems to effectively defend against an adaptive threat, we need to design for persistence and the ability to evolve through periods of change.”
To put it another way, the approach to security and stability challenges need to mirror the nature of the threats that are out there: adaptable, flexible, and prepared to change when necessary.
Because of the increasing complexity of systems — both from a technical perspective and to the extent in which they’re now embedded in human life — we have to respond with a more flexible and sensitive mindset.
Where does the concept of cyber resilience come from?
The blog post on the UK’s National Cyber Security Centre connects the concept of resilience to ecology. “Resilience is a measure of how readily a system can persist in a changing environment. And, if we think about it, this is what we want from our cyber systems in the face of an adaptive threat.”
This is a neat metaphor, but it’s probably worth locating the concept among other technology trends.
Cloud and open source software
In the first instance, the growth of cloud over the last decade means we are today in a world where software is significantly more distributed and ‘loosely coupled’ than it was in the past. In effect, this means there are more ‘moving pieces’ or points of failure within a given system (on the one hand this is good because it means we’ve done away with a single point of failure — on the other hand, it introduces the complexity I mentioned above). You could say that one of the strategies designed to mitigate some of the risks of distributed networks, zero trust networks, are, in fact, a direct example of cyber resilience in action.
Similarly, the dominance of open source software has increased the pace of change across the technology industry. It presents us with a wealth of solutions to problems, but in doing so it also introduces new dependencies — literally and figuratively. Indeed, in terms of security, open source software could also be said to give malicious actors an advantage that wasn’t there some 15–20 years ago. It not only offers new points of vulnerability, it has also made the tools of attack incredibly accessible.
DevOps and cyber resilience
Against the backdrop of open source and cloud, it’s also possible to tie the concept of cyber resilience to DevOps. Although the concept of DevOps — removing the silos and friction between development and operations — has been around for the better part of a decade now, with trends like cloud and agile now firmly in the mainstream it is properly embedded as an important facet of the modern software engineering world.
And as DevOps becomes normalized, it’s natural that the industry starts to think about the consequences of DevOps on other aspects of software — security being one of them. From this perspective, then, you could see the notion of cyber resilience as being intimately linked to trends like DevSecOps, where security is pulled into DevOps processes and techniques.
I don’t want to get hung up on a conversation around DevOps — but what really matters is that cultural changes in how teams collaborate and deliver software means that cyber resilience is not only something that is more urgent, but also something that can actually be implemented.
Okay, but what’s the problem with cyber security?
You’d be forgiven for thinking that I’m arguing that cyber security is old hat and that it needs to be discarded.
This isn’t true: it’s more the case that the nature of modern software demands a more collaborative mindset that takes in not just defense and protection in the short term, but is also geared towards ongoing adaptation and risk management. Most importantly, cyber security alone can’t address recovery and business continuity needs. It might help you to defend against an attack, but what happens when an attack happens? How do you protect your systems in a way that manages, say, the need for uptime and data security?
Moving from cyber security to cyber resilience allows us to shift our mindset and approach so we can manage all these issues more effectively.
Get to know the bigger picture. Find out what the differences are between backup, disaster recovery, and business continuity.
How can I put cyber resilience into practice?
Like the problems it is trying to address, implementing cyber resilience is complex. In the first instance you need to think beyond silos, and, indeed, beyond discrete toolchains and products.
Moreover, it’s also true that because of the multi-faceted nature of cyber resilience, it will look very different in every organization.
However, this is a useful basic framework, based on this article by Zoe Rose on Tripwire:
Preparation — Here you would pay close attention to all the points of vulnerability and weakness. A critical aspect of this is sensitivity to the relationship between people and technology, both internally and externally. But tooling can also be useful here — having instrumentation in place that monitors risks and performance can ensure you have visibility on what could be coming.
Response — Tooling and instrumentation are important here, but so are processes and policies. Having clarity on what needs to be done in the event of a security or reliability issue ensures that everyone understands what part they need to play. Indeed, although process is important, it needs to be created in a way that acknowledges the importance of adaptation to changing circumstances and priorities.
Recovery — This requires two key elements: on the one hand, getting things up and running again, and on the other ensuring that you learn from incidents that occur, and that you make changes as necessary. That sounds obvious, but integrating new patterns, processes, and bits of knowledge into your existing ‘way of doing things’ can be incredibly challenging. It requires individuals to be accountable and motivated, but it also needs to be something that is embedded in culture.
Outside of that framework, a good starting point is to determine what resilience looks like to your organization — and what risks exist. What’s the potential cost of downtime? How much data do you have at your disposal? How many back doors exist across your infrastructure that could be exploited?
Cyber resilience is for everyone
If you’ve got this far you might well be thinking okay, this concept makes sense, but is it really relevant to me? Is it really going to work in my organization?
The truth is cyber resilience is relevant to everyone. And although it’s true that risks vary across industries and types and sizes of organizations, the fact remains that risk is there — failure is inevitable, attacks will almost certainly strike.
The need to take cyber resilience seriously is obvious. The question is how long can you afford to wait to put it into practice?
Make Macrium part of your strategy for cyber resilience. Explore Macrium’s products here.