In this era of advanced technology, cyber threats are on the rise, and they’re evolving with cutting-edge finesse. As we continue to witness a rise in the frequency and sophistication of cyber-attacks, recent hacker incursions into high-profile enterprises like Equifax, Uber, Facebook, and Capital One have underscored the need for robust cyber resilience strategies. The potential impact of a security incident or data breach on a company’s growth, profitability, brand, and customer loyalty has made executives realize that such a strategy is a necessity.
However, with tightening regulations and limited budgets, chief information security officers (CISOs) are under immense pressure, resulting in an average tenure of only 18 to 24 months. In contrast, CFOs and CEOs last 6.2 and 8.4 years, respectively. Despite the justified frustration within boardrooms, cyber resilience is achievable, and that’s where this playbook comes in.
This playbook provides key principles and foundations for building a highly focused and adaptive cyber resilience strategy. This end-to-end guide covers in-depth risk assessment, stakeholder buy-in and support, building a team, agreeing on a target state, and delivering on promises, to help build and sustain cyber resilience effectively.
What is Cyber Resilience?
This is an organization’s ability to withstand, react to, and recover from cyber-attacks or incidents while running its most important business services and processes. It is a comprehensive and proactive approach to cybersecurity that focuses on identifying, assessing, and managing cyber risks, preparing for cyber incidents, and quickly responding to and recovering from them.
Cyber resilience involves a combination of people, processes, and technology. It is not just about implementing the latest security tools and technologies but also about having a strong cybersecurity culture, effective policies, and procedures. Cyber resilience requires a comprehensive and integrated approach to cybersecurity that includes everyone in the organization, from the board of directors to the people who work on the front lines.
In today’s digital world, cyber threats are becoming more sophisticated and pervasive, and organizations are increasingly becoming targets of cyber attacks. Cyber resilience strategy is essential for organizations to protect their assets, including data, systems, and networks, and maintain their reputation and customer trust. Without cyber resilience, organizations are vulnerable to cyber attacks, which can result in financial losses, damage to reputation, and legal and regulatory consequences.
The Role Of A CISO In Ensuring Cyber Resilience
As a CISO, you’re responsible for ensuring your organization’s cybersecurity, which requires a comprehensive understanding of the organization’s strategy, culture, priorities, and risk profile. Collaboration with other executives is essential, and four key executives play a vital role in implementing an effective cyber resilience strategy.
The first is the Chief Executive Officer (CEO), who sets the tone at the top and is the conduit to the board; their insight is necessary to understand the organization’s business strategy and culture. The second is the Chief Information Officer (CIO), who is instrumental in helping you develop and implement a robust cyber resilience strategy, as they can provide valuable information on the digital transformation roadmap, technical landscape, and outsourced activities.
The third is the Chief Financial Officer (CFO), who is essential to ensure adequate budgetary resources are available to support cybersecurity initiatives. Lastly, the Chief Risk Officer (CRO) plays a crucial role in managing the organization’s risks, including cyber risks, and can provide insights into the organization’s cyber risk profile, risk tolerances, and governance forums. Collaborating with these executives will help develop a strong cyber resilience strategy.
The Old Approach: Risk-Based Cyber Resilience Strategy
Organizations have traditionally adopted a risk-based approach to managing cyber risk, with the CISO responsible for reducing excessive risks through additional controls. A comprehensive organization-wide risk assessment is conducted, and transformation projects are prioritized to shift high-rated risks to “At Appetite” or “Within Appetite” over a specified period.
However, this approach has significant flaws, including treating risk mitigation activities in isolation, overlooking the complexity and cost required to mitigate certain risks, and failing to answer the question of whether the organization has the necessary skills to drive complex change. Moreover, it posits cyber resilience as a necessary evil rather than a powerful business enabler.
Cyber Resilience Diagnostic
To achieve maximum impact, CISOs must understand the problem and existing capabilities before creating a strategy. This involves reviewing various documents, conducting workshops, and asking key questions to gain visibility on the current state. These questions cover the organization’s digital assets, major vulnerabilities, assurance reviews, open findings, upper management’s concerns, regulatory obligations, past cyber incidents, internet-exposed footprint, business partners and suppliers, active risk profile, and cyber governance framework.
A detailed diagnostic provides a clear picture of the current state, allowing the CISO to measure ongoing maturity and demonstrate value to the business. Creating a strategy without understanding the current state often leads to duplication of efforts, spending money on wrong priorities, and changing course frequently, undermining the CISO’s credibility with the board.
1. Always Start With The Basics
Many CISOs fail to meet expectations due to internal audit issues, unpreparedness for cyber attacks, or material breaches found by regulators. To avoid this, start with basic controls while refining or implementing strategy. Examples include deploying multi-factor authentication, conducting a password-cracking exercise, addressing high-rated findings, purchasing an incident response retainer, running vulnerability scans, and tightening patching regimes. Blind spots and quick wins can be identified by determining internet footprint visibility, regular penetration tests on internet-facing applications, and comprehensive vulnerability management scanning and patching programs. Starting with the basics first can prevent costly mistakes and establish trust and credibility with stakeholders.
2. Focus On What Really Matters
Effective strategy design requires prioritization and focus on initiatives that yield the highest business impact per dollar invested. Attempting to mitigate every possible cyber threat across all digital assets leads to noise and fatigue and leaves high-value assets unprotected. Prioritization increases the success rates of strategic projects and builds an execution mindset and culture.
Cyber resilience is a strategic business enabler that can define survival, drive growth, and improve brand perception. A model that focuses on risk reduction alone has fundamental flaws. Cyber transformation activities must be selected based on three criteria: their effectiveness in reducing risk, their ability to improve business value, and the cost to implement and maintain the control. The result is a set of high-impact, cost-effective initiatives that deliver business value in the fastest way.
3. Consider Key Dependencies
When designing cyber resilience initiatives, it’s crucial to consider dependencies and explore synergies to bundle projects up and minimize business disruption. Rather than assessing initiatives in isolation, CISOs and their teams should identify opportunities to roll out multiple initiatives simultaneously, such as deploying privileged access management and other related initiatives to minimize business impacts due to change. By considering key dependencies, cyber resilience strategy can be more effective, efficient, and impactful, delivering value in the quickest way possible while minimizing disruptions to the business.
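The selection model above (score each initiative on risk reduction, business value and cost, then rank by impact per dollar) and the dependency bundling described here can be made concrete. The following Python snippet is an added illustration, not part of the playbook or any vendor tool; the initiatives, scores, costs and dependency links are constructed sample data, and the scoring scale and wave-based bundling are assumptions chosen for the example.

```python
"""Dependency-aware prioritisation of cyber resilience initiatives (added example).

Each initiative is scored on risk reduction and business value (assumed 0-10 scales)
and carries a relative cost and a list of prerequisites. Initiatives are grouped into
"waves": every initiative whose prerequisites are already delivered goes into the next
wave, ordered by impact per dollar, so related changes roll out together and each wave
is one change window for the business.
"""
from dataclasses import dataclass, field


@dataclass
class Initiative:
    name: str
    risk_reduction: float  # assumed 0-10: how far it moves high-rated risks toward appetite
    business_value: float  # assumed 0-10: enablement beyond pure risk reduction
    cost: float            # relative cost to implement and maintain the control (> 0)
    depends_on: list[str] = field(default_factory=list)


def impact_per_dollar(i: Initiative) -> float:
    """Combined benefit divided by cost; the ranking key from the playbook's three criteria."""
    if i.cost <= 0:
        raise ValueError(f"{i.name}: cost must be positive")
    return (i.risk_reduction + i.business_value) / i.cost


def plan_waves(initiatives: list[Initiative]) -> list[list[str]]:
    """Group initiatives into dependency-respecting waves, each sorted by impact per dollar.

    Raises ValueError for an unknown or circular dependency, which would otherwise
    surface late as a stalled project.
    """
    by_name = {i.name: i for i in initiatives}
    for i in initiatives:
        for dep in i.depends_on:
            if dep not in by_name:
                raise ValueError(f"{i.name} depends on unknown initiative {dep!r}")

    delivered: set[str] = set()
    remaining = set(by_name)
    waves: list[list[str]] = []
    while remaining:
        ready = [by_name[n] for n in remaining
                 if all(d in delivered for d in by_name[n].depends_on)]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        # Highest impact per dollar first; name breaks ties deterministically.
        ready.sort(key=lambda i: (-impact_per_dollar(i), i.name))
        wave = [i.name for i in ready]
        waves.append(wave)
        delivered.update(wave)
        remaining.difference_update(wave)
    return waves


# Constructed sample backlog (scores and costs are illustrative, not real measurements).
SAMPLE_BACKLOG = [
    Initiative("Fix critical findings", 9, 2, 2),
    Initiative("Crown jewel inventory", 4, 6, 1),
    Initiative("MFA rollout", 8, 3, 3),
    Initiative("Privileged access management", 8, 4, 6, ["Crown jewel inventory"]),
    Initiative("Supplier security reviews", 5, 3, 4, ["Crown jewel inventory"]),
    Initiative("SOC automation", 6, 5, 10, ["Privileged access management", "MFA rollout"]),
]


if __name__ == "__main__":
    for n, wave in enumerate(plan_waves(SAMPLE_BACKLOG), start=1):
        print(f"Wave {n}: {', '.join(wave)}")
```

Running it places the cheap, high-value crown jewel inventory first, pulls privileged access management and supplier reviews into the same later wave because they share that prerequisite, and defers the expensive SOC automation until its two dependencies are delivered. The scale and weights are deliberately simple; in practice the scores come from the diagnostic and the risk register, and a circular-dependency error is a signal that the scoping of the initiatives needs rework.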
4. Prioritize The Protection Of Crown Jewels
Prioritize the protection of your most critical information assets, or crown jewels, over other ancillary systems. These assets, including board deliberations, confidential documents, software code, and proprietary formulas, could severely impact the organization’s survival if compromised. Avoid conventional cybersecurity investment models and a one-size-fits-all approach; focus instead on safeguarding these high-value digital assets. For a comprehensive guide on identifying and protecting crown jewels, refer to the CISO Playbook.
5. Consider Regulatory Requirements
Consider mandatory regulatory projects and external obligations when designing your cyber resilience strategy. Compliance may be a key factor in your industry’s license to operate, so ensure that these initiatives are adequately resourced, dependencies are clearly mapped out, and they are delivered in a timely manner.
This is especially important in heavily regulated industries, such as aviation or finance. While exercising discretion is important, some projects must be prioritized to ensure compliance. Ensure that regulatory requirements are considered and factored into the short- to medium-term roadmap for your cyber resilience strategy.
6. Define Target State
Defining a target state for your cyber resilience strategy is crucial to success. In phase 1, prioritize fixing critical risks, developing a comprehensive set of your crown jewels, tightening supply chain security, and reducing the cyber-attack surface. Phase 2 should focus on high-impact projects that reduce business risk, while phase 3 tackles essential but complex capabilities. Adjust your target state regularly to account for internal and external factors, such as mergers or acquisitions, new regulations, changes in contractual arrangements, or strategic business direction. Reporting progress to the board reinforces credibility with stakeholders and should be based on the target state.
7. Build Capability and Prioritize Quick Wins
Assessing existing capabilities and budget is important to execute a cyber transformation strategy in the agreed timeframe. CISOs often over-commit to initiatives, underestimate the complexity, and lack skilled cybersecurity professionals. Focusing on five areas can accelerate cyber resilience:
- Assessing internal team capabilities.
- Leveraging external resources.
- Prioritizing quick wins.
- Reducing the attack surface.
- Establishing a project delivery team.
Purchasing cyber insurance, bundling incident response capabilities, and removing unnecessary risks are important steps. CISOs should prioritize leadership, cultural change, and stakeholder management. Finally, establish a proper project delivery team led by an experienced program manager to translate goals into reality and manage stakeholders.
Conclusion
For organizations to stay safe from cyber threats and keep their businesses running, they need to create and use a comprehensive cyber resilience strategy. The CISO playbook for cyber resilience strategy provides a roadmap for CISOs to tailor their strategy to their organization’s unique needs and risk profile. However, cyber leaders face challenges such as unrealistic expectations, limited resources, and compliance-focused approaches. To address these challenges, CISOs should adopt established business strategy principles and seek support from key senior stakeholders. Ultimately, cyber resilience is an ongoing process that requires constant monitoring, evaluation, and adaptation to ensure organizational security and resilience in the face of evolving cyber risks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.