Larry Ponemon
With cyber attacks growing increasingly frequent and complex, cybersecurity strategies are shifting: while prevention is still important, the emphasis is now on prevailing. Cyber resilience supports businesses' efforts to ensure they will continue to thrive despite the increased likelihood of a data breach.
That’s the essence of cyber resilience – aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks. But are businesses ready today to face cyber threats head-on? To find out, Ponemon Institute, with sponsorship from Resilient Systems, surveyed 623 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats. The findings are presented in the study, The Cyber Resilient Organization: Learning to Thrive against Threats.
In the context of this research, we define cyber resilience as the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. A cyber resilient enterprise successfully aligns continuity management and disaster recovery with security operations in a holistic fashion.
Figure 1 shows why cyber resilience is emerging as the standard to strive for. The protection of high-value intellectual property and compliance with laws and regulations are best achieved with cyber resilience, according to 91 percent and 90 percent of respondents, respectively. Cyber resilience is also considered to enhance brand value and reputation (75 percent of respondents) and maximize employee productivity (72 percent of respondents).
Key takeaways include the following:
The state of cyber resilience needs improvement. Only 25 percent of respondents rate their organizations’ cyber resilience as high (7+ on a scale of 1 = low resilience to 10 = high resilience) based on the definition described in the introduction. Moreover, a key component of cyber resiliency is the ability to recover from a cyber attack, and only 31 percent rate this as high. Prevention is also rated fairly low at 33 percent. The ability to detect and contain cyber attacks is rated much higher, by 45 percent and 47 percent of respondents, respectively.
Human error is the enemy of cyber resiliency. The IT-related threat believed to have the greatest impact on an organization’s ability to be cyber resilient, and the most likely to occur, is human error. Persistent attacks are considered to have the second greatest impact on cyber resiliency but are less likely to occur. Planning and preparedness are key to cyber resiliency. It is interesting that a lack of knowledgeable staff or enabling technologies is not as much of a hindrance as not devoting the necessary time and resources to planning and preparedness (65 percent of respondents) or insufficient risk awareness, analysis and assessments (55 percent of respondents).
The majority of companies are not prepared to respond to a cyber security incident. Despite the importance of preparedness to cyber resilience, 60 percent of respondents say their organization either does not have a cybersecurity incident response plan (CSIRP) (30 percent of respondents) or that it is informal or “ad hoc” (30 percent of respondents). Only 17 percent of respondents have a well-defined CSIRP that is applied consistently across the entire enterprise.
A high level of cyber resiliency is difficult to achieve if no one function clearly owns the responsibility. Only 24 percent of respondents say the Chief Information Officer (CIO) is accountable for making their organizations resilient to cyber threats. This is followed by 20 percent who say it is the business unit leader and 10 percent who say no one person has overall responsibility.
Collaboration among business functions is essential to a high level of cyber resilience, but it rarely happens. Only 15 percent of respondents say collaboration is excellent. Almost one third of respondents (32 percent) say collaboration is poor or non-existent. Leadership and responsibility are critical to improving collaboration.
Organizational factors hinder efforts to achieve a high level of cyber resilience. The importance of cyber resilience is often not recognized by senior management. Only 44 percent of respondents believe their organizations’ leaders recognize that cyber resilience affects enterprise risks and brand image. About half (50 percent of respondents) say cyber resilience does affect revenues. Other factors that are a hindrance are insufficient funding and staffing.
Preparedness and agility are most important to achieving a high level of cyber resilience. Respondents were asked to rank the factors they consider important to achieving a high level of cyber resilience. Once again, preparedness to deal with cyber threats is critical, followed by agility and a strong security posture.
Technologies that enable efficient backup and disaster recovery operations are by far the most important to building a cyber resilient enterprise. Seventy-seven percent of respondents say technologies that support efficient backup and disaster recovery operations are essential or very important. Also important are technologies that provide advance warning about threats and attackers (59 percent of respondents) and those that provide intelligence about the threat landscape (58 percent of respondents).
Read more about resilience, and a Q&A with Larry, at ResiliantSystems.com