Building a High-Value Cyber Resilience Strategy: Five Essential Tips

Author: Phil Zongo, CEO of the Cyber Leadership Institute
Date Published: 27 May 2020

The idea of cyber resilience remains a distant dream for many enterprises. Faced with a barrage of high-profile data breaches, many of them hitting highly respected organizations, some business leaders now harbor deep-seated beliefs that cyber threat actors are undeterrable and cyber resilience is unachievable. Inside boardrooms, there is a significant amount of justified frustration. As I wrote in my bestselling book, The Five Anchors of Cyber Resilience, most leaders feel like passengers on a runaway train that can neither be controlled nor stopped.

These are reasonable sentiments, but they also raise important questions. Why are some enterprises able to withstand cyber stresses while other enterprises are hacked into bankruptcy? And why can some companies bounce back as quickly as they are taken down?

John Maxwell, a famous leadership coach, once said, “Everything rises and falls on leadership.” Cyber resilience is no different – a robust strategy underpinned by unwavering support from the board and the CEO is the bedrock of sustained cyber resilience. In the absence of an effective and business-aligned strategy, cyber resilience can easily become a slippery slope of endless expenditure, exerting untenable pressure on the business and ultimately heaping fatigue upon often poorly resourced cybersecurity teams.

In our recent CISO Cyber Resilience Strategy Playbook, we provided comprehensive guidance for CISOs to create a high-value cyber resilience strategy, thus maximizing the value of limited security budgets, accelerating their cyber resilience posture and reinforcing their credibility with the C-suite and the board. Here are five of those key recommendations:

  1. The CISO must actively resist the urge to rush into execution mode. On the contrary, the CISO must take a step back and ask an important question: What’s going on here? Through rigorous assessment of internal audit reports, red teaming results, risk assessments, board papers, and third-party assurance reports, the CISO will uncover serious blind spots, gauge the strengths of existing capabilities and direct limited resources toward the areas of highest risk.
  2. To thrive in this high-pressure role, the CISO must build credibility with the CEO, other senior stakeholders and the board. To do so, however, the CISO must deliver on his or her promises. It’s therefore important to agree on a roadmap, with a clear target state in mind. But our interactions with peer CISOs have identified a common problem – some CISOs tend to promise a utopian end state and bite off more than they can chew. These exaggerated promises always boomerang at stunning speed. Once CISOs fail to deliver on those grand promises – often because of budgetary constraints or unforeseen technical hurdles – their credibility suffers.
  3. Another terrible mistake CISOs make is disproportionately focusing on delivering bleeding-edge technologies. While these certainly can play their part, an effective strategy starts by answering some basic questions: Do we have a clear view of our crown jewels? Do we have high-risk applications exposed to the internet without multifactor authentication? Which third parties have remote access to the network? Is privileged access tightly controlled? Can we bring core systems back online if we are hacked tomorrow? Is our network segmented to prevent unobstructed movement of threat actors? By answering these questions, the CISO can rapidly reduce the attack surface, as well as deliver some quick wins.
  4. A cyber resilience strategy built in isolation fails before it even starts. To succeed, the CISO needs to pitch cyber resilience as a business enabler or growth advantage, not a necessary evil. To do this effectively, look at cyber resilience through the lens of the business value chain – building new strategic partnerships, securing new products, enhancing customer trust, increasing success in mergers and acquisitions, improving public perception, reducing perceived risks and enabling employee flexibility. Equally important, the cyber resilience strategy should carefully consider the digital transformation program and help the CIO securely deliver those initiatives in a scalable way. When built in isolation, cybersecurity becomes an impediment to business agility and results in needless customer friction.
  5. W. Chan Kim and Renée Mauborgne, in their famed book, Blue Ocean Strategy, argue that, “It (the Blue Ocean Strategy) recognizes and pays respect to the importance of aligning people’s minds and hearts with a new strategy so that at the individual level, people embrace it of their own accord and willingly go beyond compulsory execution to voluntary cooperation in carrying it out.” Similarly, leading CISOs put people’s hearts and minds, not technology, at the center of their strategies. This includes building a capable and inspired team, developing a cyber-savvy workforce and, most importantly, building a strong tone at the top.

There is certainly no one-size-fits-all cyber resilience strategy, but I recommend that CISOs look beyond risk and consider cyber resilience across the entire business value chain, enlist the buy-in of senior stakeholders early, ruthlessly prioritize, and never forget the basics.