Security incidents can cast an unforgiving light on many organisations’ readiness. They highlight the need for security programmes that go further than just fixing things when they break.
Response has been security’s classic default reaction to an incident. Something is broken, so we need to fix it. But this misses a critical ingredient: resilience. If an important system fails, organisations need to know they can continue by using alternative systems, be they technical or manual.
Resilience, not just recovery
“Security incidents invariably lead to downtime. So it makes sense to focus on resilience in security programmes, not just detection and recovery. This way, a business can continue to survive and function even if key services are disrupted or temporarily unavailable,” says Brian Honan, CEO of BH Consulting.
Last year’s ransomware outbreaks were a classic case in point. FedEx’s TNT subsidiary shipped a $300 million loss following the NotPetya infection. It took weeks to restore IT operations fully, and deliveries and sales declined during this time. The NHS in the UK cancelled 22,000 hospital appointments as it struggled to cope in the wake of WannaCry.
Steps to resilience
Brian recommends that organisations become more resilient by integrating incident response with business continuity planning. He suggests the following four steps:
- Identify key systems and services for your business
- Look at the key risks and threats to those services
- Based on that risk analysis, identify the key areas to address, such as single points of failure and the interdependencies between systems
- Engineer ways to mitigate the impact of any potential failure, whether caused by cybercrime or by other means.
Once you start talking the language of risk, you’re talking the language of business, not IT. That’s why Brian recommends getting agreement from business owners as to how the organisation manages the risks that it discovers. Suppose the assessment stage uncovers a vulnerable system. The organisation has three choices: replace the system outright, upgrade the current version, or accept the risk that the business will be unavailable for whatever time it takes to recover from downtime.
Decision time for the business
Each option comes at a price, but it’s up to the business to determine the cost it’s willing to bear. “The security professional’s role is to give the business well informed data and analysis so that they can make the appropriate decision for the business. The CSO is chief security officer, not the chief scapegoat officer,” says Brian.
There’s still vigorous debate over the meaning of resilience in the context of information security. Kelly Shortridge of Security Scorecard recently wrote a lengthy and thoughtful post that’s well worth reading. Drawing on a range of examples from far beyond security, she says security has too often focused on robustness. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. Quoting the ecological economics scholar Peter Timmerman, she adds: “resilience is the building of ‘buffering capacity’ into a system, to improve its ability to continually cope going forward.”
Another word for resilience is flexibility. That’s arguably an incomplete definition too, but the term hints at an ability to bounce back from an interruption to something approaching normal service.