Cyber resilience as the calibrated synthesis of Business Continuity, Risk Management and Cybersecurity

Federica Maria Rita Livelli, Business Continuity & Risk Management Consultant
The continuous increase in cyber-attacks requires organizations to structure an effective and efficient cyber resilience framework - the synthesis of Business Continuity, Risk Management and Cybersecurity.

The increasingly digitized context characterized by a continuous increase in cyber-attacks necessarily implies the ability of organizations to structure an effective and efficient cyber resilience framework, as the calibrated synthesis of Business Continuity, Risk Management and Cybersecurity.

Introduction

Cyber events can affect the availability, integrity, or confidentiality of networked IT systems and associated information and services. These are events of different nature, namely:

  • Events that are intentional in nature (e.g., cyberattacks) or unintentional (e.g., a failed software update).
  • Events caused by humans, by extreme weather, or by a combination of the two.

As we all know, the goal of cyber resilience is to ensure the organization’s ability to achieve its objectives – even in the face of a crisis or a security breach – and to be able to recover, restoring processes, services or activities after such events. It is also a matter of continuously updating or modifying one’s risk management, business continuity and cybersecurity strategies as technology and the landscape of risks and threats evolve, in such a way as to guarantee not only cyber resilience, but also organizational and operational resilience.

In an increasingly digitized world, an organization’s systems should operate 24 hours a day, seven days a week, 365 days a year. Unfortunately, we must acknowledge that, nowadays, the continuous increase in adverse cyber events (intentional or unintentional) can put a strain on the resilience of the organization’s hardware and software assets. Therefore, it becomes essential for organizations to prepare in advance.

Desperately seeking cyber resilience

An organization’s cyber resilience involves being able to withstand adversity and continue to operate to ensure the organization’s goals are met. But, first, it is important for the organization to understand the difference between cyber security and cyber resilience. Namely:

  •  Cyber security aims to protect organizations from cyberattacks by using firewalls, VPNs and anti-malware software, and by enforcing digital hygiene practices such as patching software and firmware. However, these measures may be ineffective if employees are not trained in safe behavior. Ultimately, these defenses are valuable but not foolproof.
  •  Cyber resilience steps in when cybersecurity measures fail, or when systems are disrupted by human error, power outages, extreme weather conditions and other unforeseen events. It requires an organization to have a comprehensive understanding of its context, including its hardware and software assets, the operations that rely on technology, and the interrelationships and correlations between them. It also involves knowing where critical data is stored, since this knowledge is crucial for understanding the impacts of an incident and implementing the measures needed to mitigate them.

Essentially, it is about anticipating risks and threats and defining strategies to withstand crises and incidents, ensuring the continuity of critical processes, services, and activities, even at a reduced level. Prolonged unavailability of these could prevent the achievement of objectives and irreversibly compromise the organization.

A structured cyber resilience strategy enables an organization to reduce both the likelihood of a successful attack and the extent of damage if an attack occurs. Furthermore, cyber resilience helps organizations lower their long-term risk profile, allowing them to face both current and future challenges arising from the increasing use of Artificial Intelligence, Internet of Things (IoT), and quantum computing technologies.

But what must the organization do to pursue Cyber Resilience?

Cyber resilience is an ongoing process in which business continuity and cybersecurity must be integrated to prepare/identify, protect, detect, respond and recover, and in which an ad hoc strategy is designed to respond effectively to incidents and get the organization back up and running as quickly as possible.

Therefore, every organization must be able to:

  • Ensure proactive risk management – It is always a matter of knowing the internal and external context of the organization in terms of risks and cyber threats, in order to identify mitigation measures and design effective and efficient strategies. It involves taking an inventory of hardware and software assets, access rights, endpoints and data, to identify vulnerabilities and points of failure and their impact on the organization.
  • Have effective and efficient detection systems in place – According to the “IBM data breach 2024” report, it takes an average of 272 days before a data breach is detected, with an average of 204 days to pinpoint the breach and 73 days to contain it. It follows that continuous monitoring by the organization is more urgent and fundamental than ever, through effective and efficient detection systems capable of detecting any security anomaly.
  • Have response and recovery plans in place – When a breach or attack is detected, the organization must promptly activate a response system. Therefore, as is usually said, one must prepare in “time of peace” to act “in time of war”. That is, the organization should – where possible – equip itself with automated response and recovery systems, as well as a defined incident response and disaster recovery plan, a crisis management plan and a crisis communication plan, identifying roles and responsibilities and drafting the procedures for activating the plans themselves.
  • Implement self-assessment and improvement procedures – This involves periodically evaluating the various plans and updating and/or modifying the cyber resilience strategy in the face of changes in the internal and external context, the evolution of technology and of the types of cyber-attacks, the results of tests and exercises, and the lessons learned.

In short, what has been described above presupposes the design of a structured cyber resilience framework that is effective and efficient. It is necessary to underline that the involvement and the support of Top Management – in terms of both economic resources (to invest more in the necessary detection and response automation systems) and personnel with technical cybersecurity skills – is also fundamental.

The culture of cyber security embedded in the organization

Many companies make the mistake of leaving cyber resilience solely in the hands of the cybersecurity or IT team, forgetting that security is everyone’s responsibility. In fact, the entire organization needs to embed a cybersecurity culture and be able to identify and detect malware and phishing threats, and to recognize when a data breach is under way.

The accelerated process of digitization and innovation to which organizations are subjected presupposes paradigm shifts that promote flexibility, agility, synergies and constructive dialectics between the various teams through open communication. In addition, organizations must prepare training programs, exercises and tests, and career paths for cybersecurity professionals, with a view to a continuous learning strategy and talent enhancement.

Only in this way can the organization incorporate the security-centric culture that serves as a solid foundation of the cyber resilience framework. In fact, it is a matter of conceiving cyber resilience as the calibrated synthesis of people, processes, and technology – i.e. the so-called bionic organizations – which are also based on structured governance and regulatory compliance.

Conclusions

Cyber resilience is essential for companies, which are now destined to operate in an increasingly digital context. Being a cyber resilient organization, nowadays, means being able to withstand adversity and continue to operate.

Cyber resilience is achieved thanks to the calibrated synthesis of the principles of risk management, business continuity and cybersecurity. In this way, thanks to cyber resilience measures, organizations can protect themselves from cyber threats, ensure business continuity in the event of a cyber incident, improve customer trust, and increase productivity and organizational and operational efficiency.

We are faced with the so-called bionic organizations – made up of technology and people – in which it is essential to ensure the centrality and involvement of personnel. The organization – even if it can draw on the power of data and take advantage of the latest technology – must be able to establish a dialectic and a constructive synergy between the various teams and the distinct functions.

This is a context increasingly characterized by a holistic approach, in which top management acts with heart and mind and, like a good magister – in the sense of the Latin origin of the term, i.e. the one who shows the way – initiates the implementation of a strong, agile, flexible culture, promoting peer learning, open discussion and continuous training.

It is, in fact, a matter of structuring an effective and efficient framework to anticipate the so-called unpredictable certainty of cyber risks.