Cyber Resilience: Managing Cyber Risk With a Multidisciplinary Approach
Eric Chan, Director of Strategy & GRC, Cybersecurity – MorganFranklin Consulting
Businesses are facing greater cybersecurity risks than ever before. The cyber threat landscape is rapidly evolving, resulting in sophisticated attacks and an increase in data breaches and cybersecurity incidents. Simultaneously, companies’ infrastructures are becoming more complex, making it increasingly difficult to effectively monitor and manage their cyber health and security.
A security incident can have a significant impact on an organization’s ability to do business.
Some common impacts include:
Severe financial impact
Reputational and brand damage
Product and service delivery interruptions
Business continuity interruptions
Negative customer experience
Loss of investor confidence
Managing cybersecurity risk is essential to the health of the business and its compliance with a growing number of regulations. However, identifying and managing cybersecurity risk can be complex, leaving companies unsure of where to start.
7 Steps to Achieving Cyber Resiliency
Cyber resilience requires a multidisciplinary approach to managing cyber risk by combining traditionally siloed activities across the organization. Integrating these activities through GRC provides additional visibility into current risk postures and creates a vehicle for continuous improvement.
1. Plan for the Biggest Threats to Your Organization
A company could theoretically be attacked in various ways by numerous threat actors. However, a company may be more vulnerable to certain types of cyber attacks due to its size, location, industry, and a host of other factors.
Additionally, certain threats may have a greater impact on an organization’s operations, such as a ransomware infection in a critical system or a loss of sensitive business data or intellectual property.
A key first step in achieving cyber resilience is identifying and planning for the greatest cyber risks to your organization. This enables resources to be allocated where they can have the greatest impact.
To identify which threats your company should focus on, perform the following:
Analyze Threat Intelligence: Threat intelligence feeds provide information about the current activities of cyber threat actors, including active campaigns and their targets. This provides valuable information regarding current attack trends and which ones a company is most likely to face.
Evaluate Impacts: Different cyber-threats can impact the availability, integrity, and confidentiality of corporate data and systems. Identify the possible effects that a given threat—such as a ransomware infection—can have on a particular system.
Rank Identified Threats: Each potential cyber threat your company faces has a likelihood of occurrence and an associated impact. Risk-rank each identified threat based on the combination of impact and likelihood.
Identify Areas of Improvement: Resilience techniques and advanced recovery strategies can decrease the likelihood or impact of a particular threat. Use your risk rankings to identify instances where additional controls could have the greatest impact on your company’s cyber risk exposure.
2. Define Lines of Communication
Response speed is a critical factor in lessening the cost and impact of any cybersecurity incident. If incident responders can rapidly identify and quarantine a threat, they limit the attacker’s opportunity to cause damage or access critical data and systems.
Effective cyber incident response requires collaboration across multiple response and recovery disciplines, including site-level emergency response, technology incident response, executive-level crisis management, business continuity, IT resilience and disaster recovery (DR). Don’t wait until your organization is in the midst of an active incident to develop protocols and lines of communication/collaboration. In an effective cybersecurity resilience plan, it is essential to create, test and improve your incident response processes in advance.
3. Integrate Cyber Resiliency with GRC
Cyber risk is just one of several risks an organization should continually identify and manage. To achieve resiliency, an organization should consolidate risk management within the organization. Governance, Risk and Compliance (GRC) is the integrated collection of capabilities that enables an organization to monitor risk and regulatory obligations. At the same time, GRC provides essential oversight and governance that enables an organization to sustain its risk management activities in the long term and pivot to manage evolving risks.
Cyber resiliency and GRC are most effective when integrated across the organization. Key components of an integrated cyber resiliency and GRC strategy include:
Calculating Risk Appetite: An organization’s risk appetite is the amount of risk that the company is willing to accept vs. eliminate or transfer. Calculating risk appetite is essential to identifying the resources needed for risk management and how to best allocate them.
Achieving Asset Visibility: You can’t secure assets that you don’t know exist. Gaining visibility into the assets that your company owns—and knowing what they do—is essential to protecting sensitive data and achieving cyber resiliency.
4. Get Ahead of the Threat
Organizations’ cybersecurity strategies are often focused primarily on detection. After a potential attack has been identified, incident response begins and the threat is remediated. However, this means that the company is always playing catch-up, providing threat actors with opportunities to do damage before the threat is eliminated.
Managing the cyber risks of today’s complex and evolving cyber threat landscape requires a proactive approach to security. Instead of responding to active attacks, companies should proactively identify and manage the cyber risks that they face. By preventing an attack from occurring in the first place, a company minimizes the cost and impact on the organization.
5. Develop Cyber-Focused Recovery Strategies
Cyber threats can have many of the same impacts as natural disasters and other business-disrupting events. Critical systems can go offline, and a business’s productivity and performance may suffer.
However, cyber threats also bring unique risks such as the threat of self-propagating malware that spreads through the organization. As a result, recovering from a cyberattack requires additional advanced recovery strategies, including replication technologies and air-gapped cyber data vaults that protect critical data.
Cyber vaulting solutions provide tools to facilitate the backup and storage of critical data sets in a separate (air-gapped) environment. This allows the organization to maintain immutable copies of highly important and/or sensitive digital assets.
Examples of critical data sets include:
Golden OS build images
Proprietary source code for mainframe and distributed applications
Active Directory and privileged user credentials
System configuration/virtual machine snapshot running for critical systems
6. Integrate Crisis and Incident Management
To strengthen overall resilience, it is important to integrate cybersecurity incident management into the business’s crisis management functions and associated program. This enables an organization to more effectively address both physical and cyber incidents including:
Disruption to critical technology or data
Disruption to critical processes
Disruption to critical facilities
Disruptions to communications infrastructure
Disruptions to power or other critical services
7. Create a Crisis Management Team
Technical personnel only comprise one part of the incident response process. A company also needs personnel tasked with making critical decisions that guide the incident response process. For example, it may be necessary to shut down a critical system in order to remediate a threat. But because the action can have wide-reaching organizational impacts, it can require high-level approval.
A Crisis Management Team (CMT) is a cross-functional mix of senior leaders who can provide strategic direction and management in dealing with a crisis event. The CMT is responsible for high-level decision-making while assisting the tactical response teams in determining event impacts, providing resources to aid in the tactical recovery, and coordinating with the media, regulators, and public authorities as needed.
Improving Your Organization’s Cyber Resilience
Cyber resilience is essential to your organization’s ability to manage the increased risks associated with the rapidly evolving and expanding cyber threat landscape.
Some critical components of a cyber resilience strategy include:
Company-Wide Integration: Risk management, cybersecurity, business and technology resilience/recovery and crisis management are often siloed within an organization. Cyber resilience requires integrating these activities at the corporate level.
Proactive Threat Identification and Management: Proactive techniques such as cyber threat hunting can help organizations increase visibility into potential threats and attack vectors. The MITRE ATT&CK framework can be leveraged to facilitate threat hunting activities.
Attack Analysis and Retrospectives: During the incident response process, data about the attack and its impacts should be collected. After incident response is complete, these can be analyzed to extract lessons learned and improve security controls and processes.
Plan for Cyber Threats: Traditional disaster recovery techniques are often not sufficient to protect critical digital assets against cyberattacks. Strategies to store air-gapped, immutable copies of critical assets should be considered to enhance recovery solutions.
Integrate Crisis and Incident Response: Crisis management plans should be integrated into overall resilience processes to ensure escalations are appropriately handled and communications are effectively managed.
Combine Cyber Resiliency and GRC: Risk and resilience processes should be measured and monitored through an effective Governance, Risk and Compliance (GRC) program.
Learn more about MorganFranklin Consulting’s Cybersecurity Solutions and reach out to our team to find out how our experienced professionals can help your company achieve cyber resilience.
Meet Eric Chan!
Director of Strategy and GRC within MorganFranklin’s cybersecurity practice who is passionate about resolving corporate risk management and cybersecurity issues while delivering the best possible customer experience. The first 14 years of my career were dedicated to financial services risk management across all 3 lines of defense, helping build out best-in-class risk programs and methodologies for some of the largest global Fortune 500 banks in the world. I then helped found Vaco Risk Advisory Services in Cincinnati, OH, and served as Practice Leader until joining the MorganFranklin team. My diverse risk management experience has allowed me to serve a variety of clients and industries, including as interim Chief Risk Officer for one of the nation’s largest Credit Union Servicing Organizations where I led the implementation of their Enterprise Risk Management Framework.