I was at an event earlier this year where Gus Hunt, former CTO of the CIA, said "Here is where we need to get to. What if the bad guys got in, stole your data, and you didn't care? That's the goal!"
That’s a formidable goal, but it sure makes sense. What if you opened the door, let the bad guys in and said, "have at it"?
In addition to better firewalls, endpoint protection, SIEMs, threat intelligence and predictive technologies, what if we were more proactive about protection at the individual data level?
It’s increasingly difficult to stay abreast of all that’s necessary. Companies need to repel thousands or millions of attacks, while hackers need to only break through once. The odds don't seem to be in our favor.
This message rings loud and clear in a McKinsey/World Economic Forum book I’m reading called Beyond Cybersecurity: Protecting Your Digital Business, which coins the term Digital Resilience and aligns with Gus' point. Where so many historical cybersecurity technologies have focused on keeping the bad guys out, the digital resilience concept twists the thinking a bit. It acknowledges that companies are very likely to be hacked, and as such, an increasing and perhaps different focus should be on protecting the data.
So digital resilience is about preparing for that one attack that gets through, whether the breach comes from the outside, or even from the inside.
According to the book, to achieve digital resilience, companies need to undergo fundamental organizational changes, including integrating cybersecurity with business processes and with how they manage IT. The CISOs who participated in a panel at Colorado Cyber’s inaugural event reinforced this viewpoint – that some of the biggest issues in security have to do with people and process. Not technology!
So what do we do?
Specifically, the book characterizes seven hallmarks of digital resilience:
1. Prioritize information assets based on business risks
2. Provide differentiated protection for the most important assets
3. Integrate cybersecurity into enterprise-wide risk management and governance processes
4. Enlist frontline personnel to protect the information assets they use
5. Integrate cybersecurity into the technology environment
6. Deploy active defenses to engage attackers
7. Test continuously to improve incident response across business functions
Everyone’s evolving. Technologists are. Hackers are. Just read the latest Ponemon or Verizon Breach Report, among others, to see the increasing prevalence of breaches occurring across industries. No one organization is immune.
What’s the answer to all of this? Maybe today’s answer is that it’s the combination. The combination of leading technologies, enhanced business processes, and digital resilience – along with increased internal mindshare on security – on which companies ought to be focused.
One thing we know: hackers will get in. How can we make it difficult for them to penetrate? How quickly can we detect it? How meaningless can we make the data we serve them on the proverbial silver platter? All formidable, yet honorable, goals.