With cyber attacks – and their high-profile news reports – on the rise, companies have gradually begun to realise the extent of the imminent threat cyber crime presents.
Senior managers are taking an interest in the potential impact on the business, particularly in terms of reputation, resiliency, and financial or regulatory consequences. It is no surprise that a recent Accenture survey draws a picture of managerial concern, if not alarm.

However, being aware is only one side of the equation. Tolerating cyber crime and attacks, or adopting a fatalist attitude, is a strategy doomed to fail. Raising the barriers by strengthening defensive capability may go a long way, but legitimate companies may still lose the cyber arms race in the long run as threat actors respond in kind and increase the strength of their attacks.
When seen from this perspective, the lack of resilience thinking is the most striking outcome of the Accenture study. In a climate of daily attacks and an increasing war of attrition, the single most effective corporate answer to cyber threats should be to build a resilient organisation that is able to absorb and rebound from all kinds of attacks.
The tools of the resilience trade have been in existence for quite some time, and most of them are readily available. From detecting the weak signals of a crisis-prone firm to forming a high-reliability organisation, the business continuity and disaster research communities have developed the frameworks, standards and ideas that are now gradually being applied to cyber security.
In practice, however, very few firms have made the mental connection between what is seen as business continuity management or disaster recovery and managing cyber incidents.
Isaca has recently launched a research paper addressing this very issue from a board-level point of view. Identified in it are the key questions board members should ask to assess the company’s resiliency situation: 
Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
To what extent have essential services and functions been identified and programmes implemented to provide for their resilience in the event of a disruption or cyber incident? 

It also identifies some steps that can be taken to ensure resiliency, such as having the processes in place for a prompt initial response and establishing a system that links together detection, response, recovery and the continuance of core services and functions.
In future, we are more than likely to see the emergence of pragmatism: while not all attacks can be avoided, the level of resilience – and therefore resistance – will be the target of innovative cyber security strategies. In today’s business environment, this is the message that senior management should internalise and transform into a sustainable journey towards the resilient enterprise.
Isaca, as one of the most active industry associations in the field of cyber security, has published a series of books and short papers that address the issue of resilience in a down-to-earth and practical manner.
The European cybersecurity implementation series explicitly addresses resilience in a dedicated paper, while larger volumes such as Transforming cybersecurity using Cobit 5 link the resilience issue back to more formal frameworks in governance, risk and compliance.

Rolf von Roessing is a past international vice-president of Isaca and president of Forfa.

This was first published in September 2015