Written by Robert Vescio, SSIC, Chief Analytics Officer and Inventor of X-Analytics
Since I started in this industry, an inordinate amount of time, money, and energy has been spent grappling with cyber risk. “We must profile our risk,” “we must assess our risk,” “we must mitigate our risk.” The word “risk” can invoke fearful emotions, which is why the entire cybersecurity industry focuses on mitigating and avoiding it.
But is that really the right approach, and is “risk” the word we really care about?
Smart business leaders know that every business comes with risks, and they must embrace certain risks to invent something amazing, tackle a new market, or outpace their competition. These same business leaders also know that the world is a dangerous and uncertain place. They know that cyber threats are real. They know that human error can cause loss of data and business outages. They know that state-sponsored cyber-attacks could lead to extortion, disruption, and theft of intellectual property.
These business leaders do not need more fear, uncertainty, or doubt. They want answers, they want assurances, and they want options.
“Do not judge me by my success, judge me by how many times I fell down and got back up again.” – Nelson Mandela
A Better Word
Business leaders need to know that their business can recover from difficult events. They need to know that adverse conditions will not cripple their business, and that they can bounce back and grow after such conditions.
In a word, what business leaders need is resilience.
Resilience is a journey. It requires time, fortitude, and help. It may come with challenges and setbacks. However, with resilience, the business will achieve certain goals, and the business will be able to measure how far it has come.
Cyber resilience refers to how cyber threats, changes, and losses affect a business and how the business can adapt to withstand the impacts. This does not mean that the business will not experience stress related to cyber, for that would be highly unlikely. But it does mean that the business has knowledge and tools to work through the stress and will bounce back.
Five key cyber resilience principles:
1. Recognition – the identification of cyber threats, changes, and losses from previous encounters.
2. Understanding – the ability to understand adverse cyber conditions before they occur, and the ability to understand options that would alter future outcomes of such conditions.
3. Tolerance – the willingness or capacity to endure a difficult cyber loss.
4. Significance – the realization that cyber threats, cyber changes, and cyber losses are worthy of attention.
5. Moving On – a deliberate decision to recover and learn from an adverse cyber condition without letting that adverse condition define the business.
Developing Cyber Resilience
Developing cyber resilience is complex and unique to each organization. It involves discipline, leadership, dependency, and knowledge. All businesses are different. Despite the adoption of cybersecurity frameworks and compliance mandates, there is no universal formula for a business to achieve cyber resilience. One business may require certain protections that another business may not require. Additionally, one business may collapse following a traumatic cyber loss, while another business might be able to shake off that loss and return to normal within a month.
This ability to shake off a cyber loss is related to the following factors:
Internal and External Support: Every business needs a support system. This system provides credible and objective observation, trusted guidance and realistic options, pre- and post-cyber-loss assistance, and much more.
Planning Based in Reality: Businesses cannot operate in the abstract. They need the ability to design and execute realistic plans that enhance the strength of the business and focus on achievable goals. Progress is the main driver in business.
Problem Solving Skills: Following a traumatic cyber loss, the business must be able to cope with the loss and determine how to overcome it. This goes beyond traditional cybersecurity response and recovery. It includes repairing brand damage, controlling expenses, recovering revenue, and much more.
Communication Skills: Every business must be able to communicate a cyber loss clearly and effectively. Communication will ensure employees are operating with the same mission, will provide comfort to regulators and shareholders, and will re-instill confidence in customers.
Rational Decision Management: During a time of crisis, irrational decisions can be the death of a business. Business leaders must have the capacity to manage their business during challenging times. With the right support structure, business leaders can anticipate these cyber-related problems, develop plans to account for these problems, and prioritize decisions based on the specific problem.
Cyber resilience requires that the business understands and can manage its unique dynamic environment. This includes constant re-assessment of its exposure profile, tracking threat and information technology changes, promoting protective measures, and reducing stresses within its supply chain. Cyber resilience is not something that is only relevant following an adverse cyber condition. It is something that business leaders need to maintain and build over time. It will continue to improve after each adverse cyber condition. Most importantly, it will never be perfect and will require attention throughout the life of the business.
My Inspiration for X-Analytics
As with many things, cyber threats, cyber changes, and cyber losses are often feared because they are not understood. I created X-Analytics to bring a true understanding of cyber risk by building a cyber exposure profile – through the lens of cyber economics – and then presenting actionable options for addressing cyber concerns.
X-Analytics provides an economic lens to contextualize the technological nuances of cyber and guide businesses along the pathway to achieving cyber resilience. Cyber economics helps leaders move beyond tactical risk actions to delivering true cyber resilience.
X-Analytics provides the map for a cyber resilience journey – providing a clear understanding of the current business impact of cyber risk, providing insights and guidance on different potential decisions, and then tracking the progress of that journey over time.
The world is dependent on information and operational technology. Customers, shareholders, employees, and regulators continue to become more cyber sophisticated and are losing patience with excuses and vagueness. They expect the businesses they trust to operate with integrity and without interruption. They also expect these businesses to be cyber resilient.
Most people understand that businesses will experience cyber incidents, and they want to know that businesses are proactively preparing to deal with the reality of such events.