Logo

American Security Council Foundation

Back to main site

Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

Cyber security is no longer enough: businesses need cyber resilience

Wednesday, November 3, 2021

Categories: ASCF News Cyber Security

Comments: 0

Source: https://www.weforum.org/agenda/2021/11/why-move-cyber-security-to-cyber-resilience/

Photo: FLY:D for Unsplash / Cyber security is not enough to combat attacks that grow more sophisticated by the day. Businesses need to develop a wider understanding of cyber resilience

Frauds such as phishing, malware and ransomware attacks pose a threat to entire economies, governments, and our way of life.

Cyber security focuses on protecting data, but it is no longer sufficient; businesses need cyber resilience.

To help businesses implement greater cyber resilience a framework is needed to measure it.

Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.

Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.

Why Cyber resilience over cyber security
Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.

Beyond that, businesses need to build resilience into every part of the business, from business process mapping to engineering service availability to critical vendor dependency. They need to limit the impact of cybercrime to a company’s brand, finance, legal, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.

The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down, because there’s currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers’ trust, to absorb the financial, legal, and brand impact and get back to business. But there is no widely-accepted cyber resilience framework, no maturity model, and I think there should be.

After all, there are countless other maturity models, which allow businesses to measure capabilities, digital transformation, supply chain, cyber security, and data management to name just a few. What might cyber resilience maturity look like? This is not just about the ability to respond and recover; it's how quickly we recover and what we prioritize.

I am not proposing another checklist or self-assessment methodology. A mature cyber resilience approach should be flexible, adaptable, and continuously improving. I propose we design a framework that describes a set of characteristics that helps a company and its leadership understand what cyber resilience is and how it will be achieved. This framework would describe an approach and attitude towards delivering cyber resilience.

For instance, is your organization committing random acts of resilience? Building a plan only to look at it when an auditor asks? Building call trees when you would be better off using PagerDuty? Real resilience involves a multi-dimensional approach that dynamically responds to threats while keeping your business goals intact.

Measuring cyber resilience might involve:
- identifying your crown jewels and critical capabilities;

- looking at the interconnectedness of your systems and how vulnerable you are to attack;

- adapting more quickly to the broader social and political climate;

- creating partnerships with peers, competitors, and public entities;

- looking at how your team hires and develops skills;

- changing your approach, so you are not only securing the business but enabling the business through security;

- measuring whether you are maintaining a culture of trust and agility; and

- measuring customer trust and transparency.

Every organization will have its unique risks, and no one model can serve as a one-size-fits-all approach to cyber resilience. But this approach can help guide investment decisions, unite stakeholders around a common goal, and usher in the practice of continuous improvement. Most of all, cyber resilience should provide leadership with the confidence that when the worst happens, an organization can still deliver on its commitments.

Challenges in the use of maturity models
An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. This measurement framework should scale for industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.

When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced there was a national call to action. Now, society and business is at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy." It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.

And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together, to make everyone stronger.

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.