Resilience: It’s not just about the technology

‘Cyber resilience’ seems to be something of a buzz phrase right now, with social media and vendor promotional material often mentioning the importance of resilience.

Many conversations about resilience focus on the importance of strong, robust defences. However, are robust and strong defences really signs of resilience?

Oxford University Press defines resilience primarily as “The capacity to recover quickly from difficulties; toughness” and secondly as “The ability of a substance or object to spring back into shape; elasticity.”

To understand resilience, it’s useful to look at the qualities of a resilient person. A person considered to be resilient would probably exhibit some, or all, of these qualities:

  1. The capacity to make realistic plans and take steps to carry them out.
  2. A positive view of themselves and confidence in their strengths and abilities.
  3. Skills in communication and problem solving.
  4. The capacity to manage strong feelings and impulses.
  5. The capacity to avoid difficult situations but embrace challenges when they do occur.
  6. A strong ability to learn from difficult events.

Almost all the qualities of a resilient person map directly to the qualities of a resilient organisation, including its cyber security. If I were to rewrite the list above from an organisational viewpoint, it would look something like:

  1. A pragmatic, risk-focused, cyber security strategy – supported by a clear policy framework that has been implemented effectively.
  2. Confidence in cyber security controls and an understanding of their strengths and weaknesses.
  3. An effective communication channel throughout the organisation, with a diverse range of problem-solving skills.
  4. Cyber security leadership that supports employees and offers clear direction.
  5. Confidence to push the business forward whilst managing risks and responding effectively when incidents arise.
  6. A structured mechanism for learning from previous incidents, enabling the organisation to use this experience to strengthen its cyber security maturity.

The challenge here is to understand that resilience is not purely about the brute strength required to withstand anything thrown at the organisation, nor purely about technology or restrictive practices. As much as anything, resilience is about confidence, flexibility and organisational honesty. Apply this pragmatic approach to your cyber security programme, and you’ll be well on the way to being ‘resilient’ in the true sense of the word.

Stay tuned as we share more on how to make your organisation cyber resilient.

About the author

Simon Lacey
Principal Consultant, CRMG
Former Cyber Security Policy Manager, Bank of England
Industry of Expertise: Banking, Healthcare
Areas of Specialism: Cyber Security Governance & Policy Management