True cyber resilience is a business enabler
Cyber resilience is about much more than just cybersecurity. It’s about preventing operational disruptions of all kinds, that may impact your profitability, productivity, and reputation, says Patrick Evans, CEO of SLVA Cybersecurity.
South Africans are renowned for their resilience when facing a multitude of problems – from the high cost of living to rolling blackouts. However, the resilience of the average South African citizen is not always matched by the resilience of the businesses they run.
Your business – small or an enterprise - needs to be able to deal with things like power disruptions, unpredictable weather or civil disobedience, and for these you have plans and contingencies ready and are designed to cater for such disruptions. So when organisations are ‘secure by design’, they are more than just cyber secure, they are cyber resilient.
The problem is that too often, board members think of cyber as mainly a compliance scenario, rather than an enabler of the business. Moreover, while companies today often have a chief information security officer (CISO), they seldom receive the privilege of being part of the C-suite, and typically report to the CIO.
The reality is that cyber resilience requires a shift in the mindset and culture of the organisation. The first shift is that one needs to work from the assumption that your business operations will be interrupted at some point due to a cyberattack. This change in mindset is required by business leaders and executives, who need to start thinking about what resilient measures they can put in place across the company’s people, processes, and technology.
Until the board accepts that cybersecurity can serve as a business enabler, they won’t achieve this mind shift. And the reason it is an enabler is simple: a cyberattack will inevitably create operational disruption, which in turn impacts profitability, productivity, and even your company’s reputation in the market.
If you are a national or international business, the impact of such a disruption may be measured in millions of rands. To prevent this, business leaders have to engage in careful planning to ensure their organisations are able to withstand whatever the world throws at them.
Implementing a cyber resilience programme is imperative because cyber is more than IT, it is something that literally touches every part of your business. A robust programme will help you to understand which are your critical environments, the benefits they bring to the business, and the risk they pose to the company should they fail.
Such a programme views the business holistically, so for example you may need to make sure your supply chain is resilient, and that everybody you're dealing with - whether they're online or not - has the same, or similar, measures in place. You should come at this from a risk management point of view, seeking to understand the business risk first, before worrying about the cyber risk.
Of course, in order to help make the business more resilient, it is crucial that the right behaviour is inculcated in employees: How should they react in the event of a disaster? Does everybody know what the playbook looks like? How do they know what they need to do?
The question, then, is how to implement true cyber resilience. Part of the answer is to use a methodology that begins with communicating to everybody what the business is doing. You need to discover the current state of things and analyse those findings accordingly.
You also need to understand what your business-critical data are and business-critical processes. In other words, which applications are crucial to business operations? A good example is that your business may run SAP, but you still need to understand which aspects of SAP are the most critical to keep operational in a disaster.
Then you need to ensure that all the people that need to know the details and play a part in the plan are empowered to do that. Lastly, you need to continuously test and update the plan, because businesses aren't static, they change continuously.
Of course, being able to anticipate cyberattacks remains a key aspect of staying resilient, and there are mechanisms available to help businesses understand whether they're going to be targeted or not.
Ultimately, the best way to build cyber resilience is to first make sure that everybody understands what the business objectives are. From there, you build backwards from these objectives, determining the risks inherent in the objectives, and crafting a cybersecurity plan that has technology resilience built into it - by ensuring that the business priorities align with your people, processes and technologies and that the plan aligns to and supports the business effectively.
We call this secure by design.