the ability of people or things to recover quickly after something unpleasant, such as shock, injury, etc.
Cyber resilience has become an increasingly prominent concept in recent years. Despite this rise in popularity, the term cyber resilience continues to have many definitions.
Figure 1: Google Trends search result for "Cyber Resilience"
Last year Benoit Dupont defined cyber resilience as “… the capacity to withstand, recover from and adapt to the external shocks caused by cyber risks”.
And as far back as 2015 the manuscript A Review of Definitions and Measures of System Resilience in Reliability Engineering and System Safety stated that “Traditional definitions of resilience concentrate on the inherent ability of systems to absorb of [sic] the effects of a disruption to their performance [...] and more recent definitions also account for the recovery of their performance.”
Common themes are that cyber resilience is not just about withstanding an adverse event but about enduring that event with a combination of resistance, recovery and adaptation to ensure that overall performance is maintained.
So has anything changed for security professionals with the rise of the term “cyber resilience”? Well, yes and no.
We can argue that nothing has changed. A quick glance at prominent security frameworks such as the NIST CSF or ISO27001 shows that both of these have aspects dealing with the resistance, recovery and adaptation of an organisation after an event:
- NIST CSF: Identify – Protect – Detect – Respond – Recover
- ISO27001: Section 10 – Improvement; Section A17 – Information security aspects of business continuity management
Additionally, as the business world explores the complexities of identifying critical services and impact tolerances (see later in the article), the security community can hold up business continuity standards and concepts such as ISO22301, Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
However we can also argue that the use of the term cyber resilience is creating a material change in the perception of cyber security by important stakeholders.
It is not possible to be completely secure, and cyber security practitioners struggle to answer the question “Are we secure?” directly. The complexity of the field of security does not lend itself to a closed question, and an answer of “no” is naturally not one that the person asking the question wants to hear.
There is therefore value in changing the shape of the conversation with business leaders from the axiom “Are we secure?” to “Are we resilient?”. While neither question is a comfortable conversation topic, the latter question pre-supposes that a cyber security event will occur, a mental position which cyber security professionals have been espousing for years.
So even if the cyber security industry do not have to adapt existing frameworks, the use of the term cyber resilience by security professionals and business leaders alike can have a positive effect on aligning our mental models.
If we handshake with the business on the topic of cyber resilience, then resilience will be used to frame future successes and failures.
So if cyber resilience is to be the primary objective, what should we do differently? Let us unpack this question and explore some factors critical to shifting towards resiliency:
- Cyber resilience is about performance, and impact tolerances
To maintain performance we must be clear what performance is important to the business. For example, for a utility it’s about maintaining the physical service to the end consumers, be that electricity, water or gas. For a bank, it’s about the ability for customers to securely transact.
But service isn’t black and white, on or off. We must also be clear about how much degradation of service can be accepted by the business.
The Bank of England (BoE) has described this exercise as defining the “Impact Tolerances” of the business, and define impact tolerances as “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” They note that impact tolerances could be captured as “specific metrics for the maximum tolerable level of disruption [which] identify harm to consumers or market participants […]”.
A statement such as “Company X can tolerate up to 10 minutes of outage per year and no more than a 50% degradation in end user performance at any other time” begins laying the foundations around which a cyber resilience programme can be built.
For more information on impact tolerances, my colleagues Salina and Ilkka have recently published a paper on Operational resilience: Impact tolerances for important business services.
- Cyber resilience should be a part of a wider objective of operational resilience
While cyber resilience can by improved in isolation, from a business perspective it’s important to invest for the greatest return on investment. On this basis, it is a good business decision to invest in improving the weakest parts of the business underpinning a critical service.
Cyber security will be a major part of that investment, but as evidenced by basic IT failures in companies around the world, more value can often be achieved by improving change management processes or addressing weaknesses in supply chain performance.
- Cyber resilience builds on top of cyber security fundamentals
It is not possible to have an organisation resilient to cyber attacks if good security fundamentals are not in place. A simple example is that good detection capabilities are required simply to invoke a response and recovery procedure. Additionally, there would be little to respond with, or to recover to, if basic cyber security controls are not in place.
Ultimately, cyber resilience cannot begin without first embedding those fundamentals. Once the fundamentals are in place then it is about maturing the capability to detect, respond and recover from adverse events with focus on critical services and maintaining those services within agreed tolerances.
- Commitment is required from the highest level
With cyber resilience best placed as part of a wider operational resilience exercise, and the path to cyber resilience requiring a mature set of cyber security fundamentals, the process of improving cyber resilience will clearly be a lengthy journey requiring commitment and funding to stay the course. Major improvements in organisations only happen with strong and visionary direction from all of the leaders in the business.
What does this mean for my organisation?
Ultimately cyber resilience is an evolving and immature domain but one which holds promise. It is also not a one-off exercise and should be seen, and entered into, as a journey. It is also a journey that must be undertaken in partnership with the business.
If you are a leader in the business, then demand more from those proposing a journey towards cyber resilience. Widen the scope and look beyond cyber security, look to embed resilience in your organisation.
And if you’re a cyber security leader in the business, a cyber resilience journey is not one to go alone. Get the foundations in place, and join forces with the business. You will be more resilient for it.
 The cyber-resilience of financial institutions: significance and applicability by Benoît Dupont, Professor of Criminology
 A Review of Definitions and Measures of System Resilience by Seyedmohsen Hosseini, Kash Barker, Jose E. Ramirez-Marquez
 ISO standard for Business Continuity
 An FCA Survey identified Cyber Attack as the 4th most likely root cause behind Software Issue, 3rd Party Failure and, yep, Change Management as the number 1