Andrada Fiscutean
Freelance writer

Cyber resilience: A business imperative CISOs must get right

Feature | May 16, 2024 | 12 mins
CSO and CISO | Data and Information Security | Incident Response

With ransomware at an all-time high, companies need to understand that being cyber resilient means going beyond compliance to considering all aspects of a business, from operational continuity to software supply chain security.


In May 2021, when Colonial Pipeline was targeted by the DarkSide hackers, CEO Joseph Blount made the highly controversial decision to pay the $4.4 million ransom. The attack put critical US infrastructure in jeopardy, resulting in daily briefings to President Joe Biden, and Blount justified the ransomware payment as necessary for the country, describing this decision as one of the most challenging in his career. 

“We were in a harrowing situation and had to make difficult choices that no company ever wants to face,” Blount told the US Senate Homeland Security and Governmental Affairs Committee.

With ransomware payments hitting a record $1.1 billion in 2023, such difficult choices have become frequent for corporate leaders. More CSOs and CEOs understand that it’s not a question of if an attack will occur, but when.

“The biggest change for me is that I now totally accept it can happen,” the CEO of a $4 billion European company said, according to a report published by ISTARI and Oxford University. “Trust me, there is a fundamental difference in approach between organizations that accept it could happen and those that think they can repel it.”

That mindset — accepting the inevitability of breach — could help companies become more cyber resilient than they are today. All too often, organizations view resilience as a box-ticking exercise for regulators, failing to equip their CISOs with everything they need to truly bounce back after an attack.

As RapidFort CEO Mehran Farimani says, the ability to withstand and recover from a cybersecurity incident requires a shift in thinking that goes beyond compliance.

“Yes, you’ve always ticked that box off indicating that you’ve backed up all of your critical software and data, but can you recover quickly in response to an adverse event, or will it take you two weeks? Do you consistently make sure that all such systems are in check?” Farimani tells CSO.

When asked to rate their confidence in handling cyber risks on a scale from 1 to 10, most IT security leaders express pessimism, according to a Barracuda report on resilience published in April. Financial services organizations appear to be the most prepared, with 55% rating their security posture as highly effective. By comparison, only 32% of companies operating in the industrial and manufacturing sectors expressed optimism, while for retail, that number was 39%. Generally, smaller companies felt less confident in coping with cyber threats.

And with geopolitical instability, AI, and wealth inequality on the rise, CISOs must not only further strengthen their organization’s cyber defenses but also help it prepare for worst-case scenarios, so that it can bounce back quickly when an attack strikes.

Cyber resilience takes center stage

The concept of cyber resilience has evolved to be a crucial element of overall business strategy today. In fact, as Trustwave CISO Kory Daniels tells CSO, “Boards have begun asking the question: Is it important to have a formally titled chief resilience officer?”

In light of recent high-profile cyber attacks, such as the one Colonial Pipeline experienced, the emphasis on the availability component of the classic CIA (confidentiality, integrity, and availability) triad has increased. This is because disruptions not only affect operational continuity but also impact customer trust and the overall market perception of a company.

Daniels says that adopting “a holistic approach” to cyber resilience is essential, considering all aspects of the business and all teams, from employees and partners to the board of directors.

Often, organizations have more capabilities than they realize, but these resources can be scattered throughout different departments. And each group responsible for establishing cyber resilience might lack full visibility into the existing capabilities within the organization.

“Network and security operations have an incredible wealth of intelligence that others would benefit from,” Daniels says.

Many companies are integrating cyber resilience into their enterprise risk management processes. They have started taking proactive measures to identify vulnerabilities, assess risks, and implement appropriate controls.

“This includes exposure assessment, regular validation such as penetration testing, and continuous monitoring to detect and respond to threats in real-time,” says Angela Zhao, director analyst at Gartner. 

These proactive measures often expand beyond the immediate boundaries of the organization to vendors and partners, says Cameron Dicker, FS-ISAC’s director of global business resilience.

“Firms should conduct an in-depth analysis of their service providers and software supply chains, identify where security risks lie, and develop incident response plans in accordance,” he says.

Software supply chain: A critical part of the resilience equation

Unfortunately, as Trustwave’s Daniels points out, analyzing the software supply chain remains an underdiscussed aspect of cyber resilience.

“Organizations should conduct thorough penetration tests and risk assessments of their supply chains, implement cybersecurity requirements for suppliers, and establish contingency plans to mitigate the impact of supply chain disruptions on their operations,” he says.

When looking at a potential vendor, especially one that will be connecting to a company’s private network, security leaders must ensure that contracts or master service agreements (MSAs) are very specific about overall resilience, both cyber and business, says Bobby Williams, business continuity team lead at GuidePoint Security.

“A vendor should be contractually responsible for defined business continuity, disaster recovery, and information security programs,” Williams adds. “A defined testing program to demonstrate the vendor’s resilience should be in the contract, and the test results should be available for the company to review.”

If the vendor is supplying software services or applications, there should be a defined recovery time objective (RTO) and a defined recovery point objective (RPO) in the contract. 

“The vendor should be able to demonstrate the RTO and RPO by the required tests,” Williams says. “The vendor should also be contractually required to demonstrate how they back up the customer’s data and provide a data retention schedule.” Williams adds that data mirroring should not be accepted as a substitute for backing up a customer’s data.

Risks associated with the software supply chain should not be taken lightly.

“There have been several recent cases of cyber attacks against these,” says Aaron Shaha, CISO at CyberMaxx. “It’s an area that continues to need critical oversight.”

AI adds complexity

The rise of generative AI as a tool for hackers further complicates organizations’ resilience strategies. That’s because generative AI equips even low-skilled individuals with the means to execute complex cyber attacks. As a result, the frequency and severity of attacks might increase, forcing businesses to up their game.

On the flipside, though, generative AI tools are not that effective for defensive purposes. Organizations mostly use them in an assistant role. Some of the areas in which AI has proved effective are threat detection and analysis, anomaly detection, behavior monitoring, and automated response systems. Artificial intelligence is also used in risk management and code review.

“AI algorithms can quickly analyze vast amounts of data, identify patterns, and detect potential threats or vulnerabilities that may go unnoticed by human operators,” Valerie Abend, global strategy lead at Accenture Security, tells CSO.

There are also benefits to using AI in building and maintaining cyber resilience programs. “From developing tailored AI security policies to deploying advanced AI technologies and providing continuous operations support, organizations’ solutions should ensure reliability, transparency, and compliance throughout your AI journey,” says Tamara Nolan, cyber and operational resilience lead at MorganFranklin Consulting.

For now, however, AI in cybersecurity remains an aid rather than a substitute for human oversight. “While AI can assist with certain instrumental aspects, its contribution to risk management remains limited at this stage of AI evolution,” says Anastasiia Voitova, head of security engineering at Cossack Labs. “It’s a tool for security professionals, not a security professional itself.”

RapidFort’s Farimani agrees, adding that AI tools can certainly help with formulating and communicating resilience plans but are far from being reliable enough to be put on autopilot and assume they’re protecting a system.

The role of AI in cybersecurity resilience will likely expand in the coming years because AI-powered tools will become better at detecting and responding to threats in real-time. Additionally, AI will likely be leveraged to enhance user authentication and access control mechanisms and improve the overall resilience of critical infrastructure systems, according to Abend.

How regulations complicate cyber resilience

The evolving regulatory landscape across the globe can make it challenging for security leaders to remain up to date with everything they must comply with. But adhering to these legal requirements can help mitigate risks and maintain the organization’s reputation.

“Regulations can and do help organizations increase their focus on enterprise risk management efforts and do a great job of making organizations more accountable for their resilience strategies, among other benefits,” says Trevin Edgeworth, red team practice director at Bishop Fox. Following these rules will help increase transparency around breaches and security practices, he says.

Regulations such as the Digital Operational Resilience Act (DORA) in the European Union and the rules issued by the Securities and Exchange Commission (SEC) in the United States are changing how companies approach cyber resilience.

DORA will take effect on January 17, 2025, and is designed to bolster the security of financial entities such as banks, insurance companies, and investment firms. Financial entities and information and communication technology service providers outside the EU must also comply with DORA if they deliver critical tech services to EU-based financial institutions.

“Given this new regulation and general concerns about ongoing cyberattacks, advisory firms are spending less time on all-hazards resilience planning, and more time on IT resilience — specifically the connection between business processes and supporting applications and infrastructure,” MorganFranklin’s Nolan tells CSO.

She advises companies to go beyond merely ticking the boxes required by regulations such as DORA and instead make efforts to cover all aspects of resilience because “the regulation assumes that foundational operational resilience elements are already in place before trying to meet DORA requirements.”

Companies operating in the US market also need to be vigilant and ensure compliance with evolving regulations. In July 2023, the Securities and Exchange Commission (SEC) introduced new reporting requirements for publicly traded companies. These rules mandate an 8-K disclosure of material cybersecurity incidents and require companies to annually provide material information regarding their cybersecurity risk management, strategy, and governance.

To meet the requirements, most public companies take proactive measures to ensure they have systems in place to assess, evaluate, and respond to incidents.

“Unfortunately, in many cases, these processes are established outside of the operational resilience framework, and as a result, they are not integrated with the company’s crisis management program,” says Nolan, who recommends that organizations proactively engage with legal and regulatory frameworks and integrate them into their cyber resilience strategies. This approach can help minimize penalties and strengthen their overall cyber resilience posture.

DORA and the regulations issued by the SEC tend to create ripples across the world, according to Gartner’s Zhao.

“Regulatory changes in one jurisdiction often have cross-border implications, as multinational companies operating globally need to comply with multiple regulatory frameworks,” she says. “This has led to the need for organizations to harmonize their cyber resilience strategies across different markets, ensuring consistent security practices and compliance with various regulations.”

Regulations have also played a key role in raising awareness of the importance of cyber resilience. They encourage companies to assess their security posture as well as their board’s oversight and governance, according to Accenture Security’s Abend.

“However, we are witnessing a growing awareness among CEOs, the C-suite, and boards regarding these risks, driven not solely because of regulations but by genuine business concern,” she says.

But while regulations help, compliance alone does not necessarily mean resilience.

Organizations could “run the risk of falling into a false sense of security that their strong compliance posture equates to a strong security posture,” Bishop Fox’s Edgeworth says.

The importance of people

While many organizations invest in technical solutions for cyber resilience, they often overlook the importance of having the right people on board and fostering a culture of security awareness among them.

“The ability to rapidly find cyber talent at an affordable rate is creating vulnerabilities within the industry,” says CyberMaxx’s Shaha.

As such, security leaders must develop robust, diverse sourcing strategies to ensure evolving talent needs are met.

Moreover, they should also invest in training programs that go beyond basic awareness of phishing emails and password security, Trustwave’s Daniels says. Training should instead “encompass a deeper understanding of cyber threats, the importance of data protection, and the role of everyone in maintaining cyber resilience,” he adds.

Exercises and crisis simulations help, too. “Companies should ensure that their exercises use a variety of scenarios to guarantee that response plans can handle unexpected events,” says GuidePoint’s Williams. “These black swan events can be handled with confidence if the planning process is kept relevant and up to date.”

Such exercises should be conducted regularly and should be difficult. “Only by conducting challenging exercises that push the limits of teams, policies, and procedures will an organization know where its limits are and where it needs to improve,” FS-ISAC’s Dicker says. “An incident should never be the first time you test your response plan.”