Should CIOs and CISOs Be Talking Security or Resiliency?

(Illustration: Shutterstock)

Many individuals are running to grab a seat on the cybersecurity train. A clear sign is the sheer number of new companies and vendors at last year’s RSA conference. Most are trying to secure a portion of the network to prevent the latest flavor of cyber threats—crimeware, Web app attacks, DDoS, etc. While their intentions are good, these individuals overlook a crucial part of enterprise security, the business.

 Often we’re so focused on locking down data access that we lose sight of whether our business can continue when data is lost, stolen, or compromised.

Instead of asking if your network is secure, step back and ask yourself, “Is my network resilient?

The Federal government can learn a lot from the commercial sector when it comes to cyber resiliency. Take, for instance, the banking industry. Think about it. If someone denies you the ability to use your money or even steals it, you generally can still get it at the end of the day.

Banks have accomplished this through a level of coordination that extends beyond cyber and information systems to include a series of business processes that allows them to fight through the adversity caused by a cyber incident. They’ve become resilient.

CIOs and CISOs can start to filter through what they need to focus on by asking themselves, “If I were to be attacked today, are we resilient enough to still do business?”

By adopting resilient business and technology practices, business activities will continue regardless of the circumstances. This will reduce the risk of incidents, and it will give you the ability to translate information technology issues into a language that resonates with policymakers and higher-level stakeholders.

Here are some questions to start thinking about when moving toward a resiliency mind-set.

  • What services deliver the most value to your business and what quality of service is needed for your customers to be satisfied?
  • How aligned are you to the goals of business owners, and do your security priorities match theirs?
  • Are you spending more time on threat prevention than threat remediation?
  • How much do everyday employees know about the latest cyber threats and the impact they can have on their organization?

Resilience should be not only considered, but implemented, exercised, and debriefed to further strengthen given business models.

And remember, there’s nothing wrong with the cybersecurity train, just so long as you know your final destination before you jump on.

For more on cyber resiliency, take a look at “Six Principles of Resilience to Manage Digital Security,” by Gartner contributor Heather Pemberton Levy.

You can also visit our website for free white papers, case studies and blogs on the topics of security compliance, risk mitigation, threat remediation, technology architectures, and much more.

Tim Lunderman
About Tim Lunderman
Tim Lunderman is a principal consultant for World Wide Technology (WWT). He regularly consults with federal and civilian leaders to build and sustain enterprise security programs. He has spent more than 27 years in the U.S. Air Force and has over 10 years experience in federal cybersecurity that includes work with USCYBERCOM.