Interested in hearing how folks define “cyber resilience” for their current org – is it mainly about minimizing risk/potential losses for you, minimizing MTTR, or something else altogether?


Director of IT in Education, 5,001 - 10,000 employees
From a high-level perspective, I look at cyber resilience through the lens of three lines of defense: management controls, risk management, and internal audit. Management controls must include the monitoring process (cybersecurity framework (NIST): Identify, Protect, Detect, Respond and Recover). Risk management aggregates risks across the entire organization and prioritizes risk. The third line of defense is internal/external audits, which are independent assurance that evaluates the overall process of cyber risk governance (resilience) for the entire organization. It ensures that the organization’s internal control framework is adequate for dealing with the risks the organization faces.
Head of Cyber Security in Manufacturing, 501 - 1,000 employees
Biggest risk reduction you get out of cyber hygiene/life-cycle management, mixed with strong identity and SSE for prevention/redirection to official acceptable tools, and sandboxing in all file transfer/sharing tools, plus EDR/MDR.
Senior Information Security Manager in Software, 501 - 1,000 employees
Cyber resilience is just a fancy way of saying DR/BCP.

It is defined as: the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.

So it is just a matter of building IT systems so they can deal with things like downtime, ransomware, natural disasters, hardware/software failures and more.
Director of IT in Education, 5,001 - 10,000 employees

NIST: "The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources." (NIST SP 800-172)

Director of Network Transformation, Self-employed
Good question. Leading a discussion on this topic tonight here in Portland, Oregon. To me it is about putting together the foundations of a long-term security program from a 360 perspective. Understand the business, learn how a $ is made, determine what you must protect and then create a program based on that. If you don't really know what to protect, how can you recover? And are you protecting/recovering the right part of the business? All that said, it will be interesting to see what the group has to say.
Director of IT in Education, 5,001 - 10,000 employees

I agree, and your program must involve categorization of your systems based on their information types and information systems, and allocate appropriate protection based on the system's assigned category (low, moderate, high).
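The low/moderate/high categorization mentioned above follows the FIPS 199 "high-water mark" rule: each information type is rated for confidentiality, integrity and availability impact, the system inherits the highest rating per objective across all its information types, and the overall system category is the highest of the three. The following is an added illustration, not code from any commenter; the information types and impact ratings are constructed sample data for a hypothetical student records system, and the baseline mapping assumes the SP 800-53 convention of selecting the Low, Moderate or High baseline from the overall category.

```python
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: information types handled by a hypothetical student records system.
# Ratings are illustrative, not taken from NIST SP 800-60.
SAMPLE_INFO_TYPES = {
    "student grades": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "public course catalog": {
        "confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
    "financial aid records": {
        "confidentiality": Impact.HIGH, "integrity": Impact.MODERATE, "availability": Impact.LOW},
}


def categorize_system(info_types: dict) -> dict:
    """Per-objective high-water mark across all information types the system processes."""
    if not info_types:
        raise ValueError("a system must be assigned at least one information type")
    for name, levels in info_types.items():
        missing = [obj for obj in OBJECTIVES if obj not in levels]
        if missing:
            raise ValueError(f"information type {name!r} lacks ratings for {missing}")
    return {obj: max(levels[obj] for levels in info_types.values()) for obj in OBJECTIVES}


def overall_category(security_category: dict) -> Impact:
    """The system's single category: the highest impact among the three objectives."""
    return max(security_category.values())


def baseline_for(security_category: dict) -> str:
    """Assumed mapping from overall category to the SP 800-53 control baseline name."""
    return {Impact.LOW: "Low", Impact.MODERATE: "Moderate", Impact.HIGH: "High"}[
        overall_category(security_category)]


def format_category(security_category: dict) -> str:
    """Render in the FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({obj}, {security_category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    print("overall:", overall_category(sc).name, "-> baseline:", baseline_for(sc))
```

The point a practitioner should take from this is that one high-impact information type (here, financial aid records) drags the whole system to the High baseline for confidentiality even though most of its data is low impact; that is the argument for splitting such data into a separately categorized system where the architecture allows it.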

CISO in Healthcare and Biotech, Self-employed
Cyber resilience is an organization's ability to resist, respond to, and recover from cyber threats and incidents, combining risk management, cybersecurity, business continuity, and organizational resilience. It's not only about preventing and defending against cyber attacks but also maintaining the integrity, confidentiality, and availability of data, as well as the capacity to minimize the impact of successful attacks, recover quickly, and adapt by learning from these incidents. Cyber resilience aims to ensure the continuity of operations and minimize disruption and damage to the organization's reputation.
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Cyber resilience involves implementing proactive measures to identify and mitigate potential risks and vulnerabilities within an organization's infrastructure, systems, and processes. This includes conducting risk assessments, implementing security controls, and adopting best practices to reduce the likelihood and impact of cyber incidents.

Minimizing Mean Time to Recover (MTTR): Cyber resilience focuses on reducing the Mean Time to Recover (MTTR) from a cyber incident. This involves having incident response plans in place, well-defined processes for incident detection, containment, eradication, and recovery, and robust backup and disaster recovery mechanisms. The goal is to minimize the downtime and disruption caused by security incidents.
Director of IT in Manufacturing, 5,001 - 10,000 employees
I think this is about cyber security: how to build a strategy to defend against attacks as part of cyber resilience.
CISO in Healthcare and Biotech, 2 - 10 employees
Cyber resilience is bounce-back ability: the quick return to normal operational business posture. With the complicated, inter-connected business systems that develop and evolve over time, it is the built-in tactile strength of your cybersecurity toolset to rapidly and effectively respond to any threats or outages within those systems. It is also a coordinated four "P's" effort: People, Process, Policy and Product. It leverages Zero-Trust design aspects to help create that resilience factor.
Co-Founder in Services (non-Government), 2 - 10 employees
The ability to support company business during a time when there is a cyber incident is, in my opinion, part of Business Continuity Planning (BCP) and Disaster Recovery (DR), as already mentioned here by other folks. This includes the redundancy and availability of the critical parts of the business. This first requires understanding what is critical for the business and then determining the availability:

- Amount of money that will be lost during downtime
- Hardware and software support
- Personnel available for triage and support
- Escalation path
CISO in Software, 201 - 500 employees
For me, cyber resilience is a holistic approach to information security, data protection and business continuity that acknowledges and accepts that perfect security can't be achieved, and aims to build both lines of defense and recovery strategies. The aim is to find the right balance between investment and the costs of a potential incident. This includes making tough, informed decisions about where further investment into preventative controls is not worth the effort, and building a solid recovery strategy (including fire drills that test backup restorability and internal and possibly external communication) that is not seen as a secondary safety net but as a legitimate "plan A".

As my other colleagues correctly highlighted, understanding the business and its needs, and the ability to communicate the plan, the risks and the decisions across all personnel, is a key success factor.
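The "fire drill covering testing of backup restorability" in the comment above is worth making concrete, because a backup that has never been restored is only a hope. The following is an added example, not code from any commenter: it builds a backup of a constructed sample directory, records a SHA-256 manifest at backup time (kept outside the archive so archive corruption cannot also corrupt the evidence), restores the archive into a scratch directory, and reports missing, mismatched or unexpected files. The tar.gz format, the sample files and the `run_drill` helper are assumptions for the illustration; in a real drill the manifest would be stored with the backup catalogue and the restore target would be the standby environment.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir: Path, archive_path: Path) -> dict:
    """Write a tar.gz of source_dir and return the manifest taken at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(source_dir / rel, arcname=rel)
    return manifest


def restore_and_verify(archive_path: Path, manifest: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and compare every file against the manifest."""
    report = {"ok": False, "missing": [], "mismatched": [], "unexpected": []}
    with tarfile.open(archive_path, "r:gz") as tar:
        # Refuse members that would write outside restore_dir before extracting anything.
        for member in tar.getmembers():
            name = Path(member.name)
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"refusing unsafe member path: {member.name}")
        try:
            tar.extractall(restore_dir, filter="data")  # Python 3.12+ safe-extraction filter
        except TypeError:
            tar.extractall(restore_dir)  # older interpreters: rely on the check above
    restored = build_manifest(restore_dir)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual != expected:
            report["mismatched"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def run_drill(corrupt: bool = False) -> dict:
    """End-to-end drill on constructed sample data; corrupt=True simulates a silently bad backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "db").mkdir(parents=True)
        # Constructed sample files standing in for a database dump and an application config.
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'sample');\n")
        (src / "app.conf").write_text("listen = 8443\n")
        archive = tmp / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        if corrupt:
            # Simulate a backup whose content drifted from what the catalogue claims was captured.
            (src / "app.conf").write_text("listen = 8080\n")
            with tarfile.open(archive, "w:gz") as tar:
                for rel in manifest:
                    tar.add(src / rel, arcname=rel)
        return restore_and_verify(archive, manifest, tmp / "restore")


if __name__ == "__main__":
    print("healthy backup:", run_drill())
    print("corrupted backup:", run_drill(corrupt=True))
```

The drill's output is the evidence the comment asks for: a restore that completes without error is not the same as a restore that produces the data you think you had, and only the manifest comparison distinguishes the two.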
