04/10/2024 | Press release | Distributed by Public on 04/10/2024 10:19
Cyber resilience is crucial for organizations to withstand and recover from cyber threats and incidents. Despite its importance, many face common challenges in achieving an optimal level of cyber resilience. Understanding these challenges and adopting strategic measures to overcome them is essential for maintaining security, continuity, and integrity in the digital realm.
New initiatives such as the EU DORA, the US Sound Practices to Strengthen Operational Resilience (OCC, Federal Reserve, FDIC), and the UK FCA/PRA Operational Resilience Regulation are changing the business landscape. Enterprise Architecture (EA) and Governance, Risk, and Compliance (GRC) teams face various operational resilience challenges posed by upcoming financial sector regulations.
Understanding Cyber Resilience
Cyber resilience enables organizations to withstand cyber threats, maintaining operations through detection, response, and attack recovery.
At the recent MEGA EA Exchange 2023 digital conference, Olivier Patole, founder and CEO of Trustable, spoke with Paul Estrach, Product Marketing Director at MEGA International, and Cyril Amblard-Ladurantie, Senior Product Marketing Manager at MEGA International. The three experts discussed how to foster active collaboration among EA and GRC teams.
IT is the starting point for cyber resilience, and it involves several roles. These include the Chief Information Security Officer (CISO) and their security team, the IT department, and Enterprise Architecture (EA) personnel, each with different responsibilities.
The CISO oversees cyber security management and incident detection, ensuring prompt organization-wide alerts. The IT team concentrates on maintaining critical asset inventories within the information system. The architecture team serves as the link between critical assets and applications. Subsequently, the business process becomes the next crucial phase.
Responsibilities for cyber resilience extend to the top of organizations, with boards potentially facing legal accountability for non-compliance. Boards seek assurance on asset protection and business continuity amidst incidents. Risk and compliance teams manage risks, implementing necessary controls and procedures. Cyber resilience intersects IT, business, and compliance realms, necessitating effective team communication.
Despite organizational-wide involvement in cyber resilience, inadequate inter-team communication poses a significant challenge.
The Need for a Connected Approach to Cyber Resilience
To properly address the individual challenges, we must focus on the qualitative challenge: relying on different people within the organization. Each individual needs colleagues from other departments in order to perform their own tasks.
Take for instance the failure of a third party. Procurement must be involved, as procurement is in charge of the third-party registry. The procurement department then needs to open discussions with IT, as the IT department maintains the critical asset inventory. Business stakeholders must also be consulted to identify the key business activities that run on top of the affected application. These different dots within an organization must be connected to address cyber resilience challenges.
There is a real need to establish a continuous dependency chain. If a third party in the register fails, the organization must be able to understand where that third party plays into its processes. Does it impact a critical process or just a secondary process? What is the impact on the chain as a whole? Will it impact customers? Will it impact the financial market as a whole?
At the business level and also in IT, people often lack the required vision. They can't tell you which processes are powered by which applications and technology, or what happens if one fails. Are proper business continuity plans (BCPs) and disaster recovery plans in place? Can they get the organization back to business as usual? This is another major challenge regarding cyber resilience.
It's crucial to identify the criticality of each third party. However, it can be quite difficult to identify high-risk parties directly. It's easier to identify which third parties are linked to an application, asset, or process.
In this way, we can identify whether a process is run outside the company and whether it depends on support from the third party. From there, we can identify the key third parties we need to assess.
"Everybody is involved in cyber resilience, and everyone needs each other to achieve their objectives. Everyone needs to speak the same language. That's probably the biggest challenge. Talking the same language and having the same taxonomy. That's probably where the main challenge lies."
Cyber Resilience as a Comprehensive Transformation Project
Cyber resilience is a major transformation for an organization. It involves the entire organization: the board, the CISO, the Chief Information Officer (CIO), risk and compliance, and procurement teams. The legal team will be involved, as clauses regarding third parties will need to be drafted into contracts to ensure compliance. IT processes will be impacted, as will business continuity processes. Compliance processes and third-party management processes will also be impacted.
It's also a technological challenge because all these processes are supported by different applications. For example, the IT registry, a GRC tool, a business continuity tool, or a third-party management tool. All of these applications will be impacted by cyber resilience regulations.
"I think what we're trying to say is that it's not just a trivial matter - it's going to be massive. It will be on the scale of the GDPR."
Four Steps to Ensure Cyber Resilience
Step 1: Build an ICT Risk Management Framework
The required approach to successfully execute a major transformation project impacting process is to look internally. An organization probably already has systems in place to create a risk management framework.
What is crucial is to make the connection between the application and the process. If an incident impacts an application, the organization can then very quickly identify whether it's going to impact the whole business, whether it's a minor incident, or whether it will disrupt the whole market. The risks attached to first parties must be identified.
Companies today are connected to an ecosystem and rely on third parties for different activities. When we analyze the different processes within an organization, one part may be internal and the second part will be external. Building an internal and external ICT risk management framework is the first step.
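As an added illustration of the chain described in the connected-approach passage above and in Step 1 (example code, not MEGA's or Trustable's tooling), the registry below links each third party to the applications it supports and each application to the business processes it powers, so a vendor failure can be traced to the processes it hits and their criticality. Vendor, application and process names are constructed; the "unclassified" level and the unmapped-application check are assumptions about how such a registry is kept.

```python
from collections import deque

# Constructed registry (hypothetical names); edges point from a supplier to whatever relies on it.
DEPENDS_ON = {
    "vendor:CloudHostCo": ["app:core-banking", "app:payments-gateway"],
    "vendor:PrintVendor": ["app:statement-printing", "app:reporting-tool"],
    "app:core-banking": ["process:account-management",
                         "process:loan-origination",
                         "app:payments-gateway"],  # the gateway also needs core banking
    "app:payments-gateway": ["process:payment-processing"],
    "app:statement-printing": ["process:customer-statements"],
    # "app:reporting-tool" has no outgoing edge: nobody has mapped it to a process.
}
PROCESS_CRITICALITY = {
    "process:account-management": "critical",
    "process:payment-processing": "critical",
    "process:loan-origination": "secondary",
    "process:customer-statements": "secondary",
}
IMPACT_ORDER = ["none", "unclassified", "secondary", "critical"]

def reachable(start, graph=DEPENDS_ON):
    """Every node that transitively relies on `start` (BFS, safe on cycles)."""
    seen, queue = {start}, deque([start])
    while queue:
        for consumer in graph.get(queue.popleft(), []):
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    seen.discard(start)
    return seen

def impacted_processes(third_party, graph=DEPENDS_ON, crit=PROCESS_CRITICALITY):
    """Business processes hit if `third_party` fails, each with its criticality."""
    return {n: crit.get(n, "unclassified")
            for n in reachable(third_party, graph) if n.startswith("process:")}

def worst_impact(third_party, graph=DEPENDS_ON, crit=PROCESS_CRITICALITY):
    """Highest criticality among impacted processes; 'none' if nothing is reached."""
    hit = impacted_processes(third_party, graph, crit).values()
    return max(hit, key=IMPACT_ORDER.index, default="none")

def rank_third_parties(graph=DEPENDS_ON, crit=PROCESS_CRITICALITY):
    """Vendors ordered by how many critical processes they can take down, then by total."""
    def score(vendor):
        hit = impacted_processes(vendor, graph, crit)
        return (-sum(c == "critical" for c in hit.values()), -len(hit), vendor)
    return sorted((n for n in graph if n.startswith("vendor:")), key=score)

def unmapped_applications(graph=DEPENDS_ON):
    """Applications that reach no process: registry gaps IT, EA and the business must close."""
    apps = {n for n in graph if n.startswith("app:")}
    apps |= {c for consumers in graph.values() for c in consumers if c.startswith("app:")}
    return sorted(a for a in apps
                  if not any(n.startswith("process:") for n in reachable(a, graph)))

if __name__ == "__main__":
    print({v: worst_impact(v) for v in rank_third_parties()}, unmapped_applications())
```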
Step 2: Reinforce Cyber Resilience
It's important to identify and analyze the real cyber resilience of third parties. This will ensure a global view and a good awareness of their level of resilience. Organizations can then build resilience and reinforce their own capabilities and services. Reinforcing those services is the second step.
Step 3: Manage Incidents
A company will usually have BCP and public relations (PR) plans in place. These must be tested to ensure that in case of disruption the organization can resume business as usual quickly.
When incidents occur, a full root cause analysis must be performed to enable remediation and incidents will need to be declared to regulatory authorities. The incident management needs to be exemplary to ensure compliance with different cyber resilience regulations. Ensuring excellent incident management strategies is the third step.
Step 4: Monitor the Framework
It's very easy to assess an internal application, but assessing a third-party application can be complex. Companies must be able to perform a consistent assessment of third parties regarding cyber resilience.
To do this, an organization needs to understand how the third party manages security. There must be an understanding of the processes in place. If a mechanism is deployed within the infrastructure and IT assets, its efficiency must be understood. Monitoring the framework is, therefore, the fourth step.
To achieve an assessment of a third-party application, different activities must be performed. These include penetration testing to evaluate the efficiency of the mechanism. The IT architecture must be analyzed. Business processes must be analyzed by document reviews. Interviews should be held with key people within the organization.
This provides a global view of the cybersecurity maturity of the third parties. This allows professionals to provide clients with a rating of a third party, such as AAA or D minus, and so on. Essentially, it is a continuous audit of the third parties.
Cybersecurity threats evolve continuously, as do information systems and assets. These variables must all be considered to perform a relevant evaluation of third-party applications.
It is both an internal and external challenge that requires a global view. This is the keystone for cyber resilience.
Managing the complexity of cyber resilience is difficult but many companies already have internal solutions. The common taxonomy and language are already there. They have a common registry where they manage processes, applications, technology, and risk. There is usually an established GRC model to manage risks and controls related to IT. In partnership with other entities, companies can develop BCPs to manage the cyber risk of third parties.
Ultimately, cyber resilience is everyone's business within an organization. To strengthen an organization's cyber resilience, collaboration must be fostered across all stakeholders.
But why is cyber resilience important in cybersecurity?
Cyber resilience is crucial in cybersecurity as it enhances an organization's ability to mitigate risks and handle cyber threats effectively. By being cyber-resilient, organizations can minimize the impact of attacks, maintain business continuity, and protect sensitive data from unauthorized access.
Common Challenges in Achieving Cyber Resilience
Achieving cyber resilience is not without its challenges. Let's explore some of the most common obstacles to bolstering cyber defenses. Organizations can better prepare themselves against evolving cyber threats by understanding and addressing these challenges.
Identifying and Prioritizing Assets
Challenge: Many organizations struggle with identifying which assets are most critical to their operations and require protection.
Solution: Conduct thorough asset identification and classification exercises to prioritize assets based on their criticality and value to the organization. Implement a tiered security approach that allocates more resources and protective measures to higher-priority assets.
Insufficient Incident Response Planning
Challenge: Organizations often lack a comprehensive incident response plan, leaving them unprepared to manage and recover from cyber incidents efficiently.
Solution: Develop and regularly update an incident response plan with clear procedures for various incidents. Conduct regular drills and simulations to test and refine the plan, ensuring all stakeholders know their roles and responsibilities.
Talent and Skills Gap
Challenge: A widespread talent and skills gap in cybersecurity makes it difficult for organizations to find and retain qualified personnel.
Solution: Invest in training and development programs to upskill existing staff. Consider outsourcing certain cybersecurity functions to specialized firms or adopting automated security solutions to alleviate the pressure on in-house teams.
Compliance and Regulatory Pressures
Challenge: Navigating the complex landscape of cybersecurity regulations and compliance requirements can be overwhelming and costly.
Solution: Develop a compliance framework that aligns with industry standards and regulatory requirements. Consider leveraging compliance management software to streamline and automate compliance processes.
Limited Budget and Resources
Challenge: Cybersecurity initiatives often compete with other business priorities for limited budgets and resources.
Solution: Advocate for cybersecurity as a critical business enabler and risk management tool. Prioritize spending on measures that offer the most significant risk reduction and leverage cost-effective solutions like open-source tools and cloud-based services.
Siloed Efforts and Lack of Collaboration
Challenge: Cyber resilience efforts are often fragmented across different departments, leading to inefficiencies and gaps in security.
Solution: Foster a culture of collaboration and shared responsibility for cybersecurity across all levels of the organization. Establish cross-functional teams to coordinate cybersecurity initiatives and ensure a unified approach to cyber resilience.
Identifying Cyber Risks
Challenge: Identifying and accurately assessing cyber risks can be difficult due to the complexity of IT environments and the sophistication of potential threats.
Solution: Implement a continuous risk assessment process that leverages automated tools and expert analysis to identify potential vulnerabilities and threats. This process should include regular vulnerability scans, penetration testing, and the use of threat intelligence to understand emerging risks. Engaging in cybersecurity frameworks, such as those provided by NIST, can offer structured approaches to identifying, assessing, and managing cyber risks. Additionally, fostering a culture of security awareness among employees can help identify phishing attempts and other social engineering tactics that automated systems might not catch.
Dealing with Cyber Threats
Challenge: Effectively dealing with cyber threats involves detecting them and responding swiftly and efficiently to mitigate damage. The dynamic nature of cyber threats means that organizations must be prepared to counteract known threats and adapt to novel and evolving tactics.
Solution: To address this challenge, organizations should employ a multi-layered defense strategy that includes preventive measures and responsive actions.
This involves:
Managing Disruptions Effectively
Challenge: Cyber incidents can disrupt business operations, affecting services, customer trust, and overall reputation. Managing these disruptions effectively requires a proactive approach to minimize impact and restore operations quickly.
Solution: Effective disruption management involves several vital strategies
Third-Party Risk Management
Challenge: Organizations face the challenge of ensuring their third parties adhere to the same cybersecurity standards and practices as they do internally. The complexity increases with the number of third-party relationships, each potentially exposing the organization to different levels of risk.
Solutions: Various practices and strategies can be developed to effectively manage cybersecurity risks associated with third-party relationships:
IT, Business, and Compliance Challenges and Solutions in Cybersecurity
IT Challenges and Solutions
Challenge: Rapidly Evolving Cyber Threats
Solution: Adopt proactive cyber defense strategies, including continuous threat intelligence gathering, advanced threat detection systems, and regular security assessments to identify and mitigate vulnerabilities.
Challenge: Integration of Security into IT Operations
Solution: Implement a security-by-design approach, ensuring that security considerations are integrated at every stage of IT project development and execution. Utilize automation and orchestration tools to streamline security operations.
Business Challenges and Solutions
Challenge: Aligning Cyber Resilience with Business Objectives
Solution: Establish a cross-functional cyber resilience team with business leaders to ensure cybersecurity strategies are supported and aligned with business objectives. Regularly review and update the cyber resilience plan to reflect changes in business strategy.
Challenge: Ensuring Business Continuity Amidst Cyber Threats
Solution: Develop and regularly test business continuity and disaster recovery plans that address cyber incidents. This includes identifying critical business functions and establishing protocols for rapid restoration during a cyberattack.
Compliance Challenges and Solutions
Challenge: Navigating a Complex Regulatory Landscape
Solution: Maintain an up-to-date understanding of relevant regulations and standards and implement a compliance management system that can dynamically adjust to changes in the regulatory environment. Regular training and awareness programs for staff on compliance matters are essential.
Challenge: Ensuring Data Privacy and Security
Solution: Adopt a comprehensive data protection strategy that includes encryption, access control, and data lifecycle management. Regular audits and assessments should be conducted to ensure compliance with data protection regulations like GDPR and CCPA.
Integrated Strategies for Enhanced Cyber Resilience
The Need for a Connected Approach to Cyber Resilience
Addressing cyber resilience challenges demands a collaborative approach within an organization, emphasizing the need for cross-departmental coordination. For instance, handling a third-party failure requires the procurement team to liaise with IT for an updated critical asset inventory and engage with business stakeholders to evaluate the impact on essential operations. This scenario underscores the necessity of connecting various organizational segments to forge a comprehensive resilience strategy.
A proactive stance is essential in understanding the role and criticality of third parties within organizational processes, assessing their impact on operations, customer relations, and potentially the broader financial market. Many organizations face hurdles in achieving a clear overview of how applications and technologies underpin their processes and of the implications of their failure, highlighting the importance of robust business continuity and disaster recovery plans.
The challenge extends to recognizing high-risk third parties, necessitating a detailed understanding of their linkage to organizational applications, assets, or processes. This identification is crucial for evaluating external dependencies and ensuring appropriate support mechanisms are in place.
The essence of overcoming these challenges lies in fostering a culture of communication where everyone within the organization speaks a unified language of cyber resilience, underscoring the collective responsibility of safeguarding against cyber threats.
Summary
The crucial significance of cyber resilience for organizations is brought into focus amidst evolving regulations and intricate interconnections. Effective collaboration, communication, and a holistic approach are emphasized to navigate challenges successfully. Prioritizing robust risk management frameworks, resilience reinforcement, incident management, and continuous monitoring are highlighted as essential steps. Ultimately, cyber resilience is underscored as a shared responsibility across all stakeholders within an organization.