Cyber Resilience: Almost 5 years on
I have started to think of my career in blocks of 5 years, which is to say I'm now old enough that I can see my career in multiple blocks of 5 years. Slightly depressing when one puts it that way, eh?
When it comes to information security and cyber security, I find an occasional pause useful to reflect on what has been and what is yet to come. Complete with virtual rocking chair on my virtual porch. Get a bit of perspective, lift the head out of the current day-to-day grind. Of course, it's easier said than done.
My current reflection is on the state of the name of our information security industry.
*dream sequence and fade*
Back in the late 1990s (and I'm well aware that some folks' careers go way further back than that) there was this thing called Computer Security. It would come as no surprise that that is exactly what the focus was on: securing the computer. Enter the arms race of the big 4 endpoint vendors: Symantec, McAfee, Trend Micro, Kaspersky Labs. Heck, I worked for all of those except the big Yellow. Of course, there were some others depending on region. (And now there are too many endpoint security vendors to count and list on one page.) For me in Australia, it was VET Anti-Virus, acquired, digested and eventually ruined by Computer Associates. I mean, some of us have forgotten that firewalls and antivirus were pretty much the entire technology stack back then.
Then along came IT Security. ITIL v2 was released in the early 2000s and was beginning to be more popular, as they had begun to lower the barrier to following their 'best practice'. I remember it being relevant to me, as I undertook ITIL v2 Foundations to ensure that my view of security was balanced against the aspirational trends of IT. And by the mid to late 2000s ITIL v3 came out and introduced itself as a service lifecycle. Somewhere around this stage, the industry became about Information Security. It was no longer about protecting the computer asset, or the IT department technology stack; it was about being relevant to anywhere that information resided or flowed.
As the Internet boomed, we had a shift in consumption of services like online banking and online retail. In short, Cyber Security became the next buzzword. Oh how I writhed in agony and pain. This was yet another industry re-phrasing to suggest that the effort should be centred on the cyber presence of most organisations. And I get it. Many organisations had under-invested in this area. But was the real risk from the outside or the inside? Was there a risk in now focusing so much on Cyber Security? We were being fed a lot of misinformation (or half truths at best) based on self-serving statistics... one vendor would tell us that most attacks come from Insider Threat. Another vendor would tell us that most attacks were external. And the rest of us hedged our bets that it was a combination of both internal and external threat, and it is for that reason I've never been a huge fan of the term Cyber Security.
About 5 years ago, give or take, a new term started poking us in the eyeballs: Cyber Resilience. Well, according to Wikipedia, Homeland Security in the US started using this term in 2012, and I'm sure we can find other pockets of this term being thrown around... but that's when it started to get mainstream attention.
I like Wikipedia's definition. I'm sure (and hope) that others have their own; however, here is Wikipedia's one-sentence definition:
"Cyber resilience refers to an entity's ability to continuously deliver the intended outcome despite adverse cyber events."
If I were going to have to adopt a cyber term, I felt like this is one I could get behind. I remember hearing about an upcoming book from AXELOS in June 2015, the same folks you can get ITIL 4 from (don't say v4, apparently it's a big no-no). I remember pre-ordering the book on Cyber Resilience (RESILIA), which certainly resonated with me.
Of course, Gartner also released their 6 Principles of Resilience to Manage Digital Security (oh look, another possible industry name we can all use! Digital Security! Hmmm... actually I don't mind this one). After the 2015 Sydney Gartner Security & Risk Summit, I came back enthused and gave a recap on LinkedIn here.
And... it wouldn't be fair to ignore the well-publicised and brand-optimised launch of Phillimon Zongo's The Five Anchors of Cyber Resilience, another fine contribution to the topic.
In the NIST Cybersecurity Framework v1.1 released in April 2018, resilience is mentioned only 7 times, but make no mistake: resilience is embedded in the framework. The framework core functions of Identify, Protect, Detect, Respond, Recover exist as a holistic whole to provide the resilience that organisations must seek today. NIST SP 800-160 Vol. 2 on Systems Security Engineering is another good example of this concept being embedded. Incidentally, I am curious to see how the next version of ISO 27001 will adapt and use cyber resilience.
So what's next?
As I will be attending Gartner's Security and Risk Summit in Sydney again this year, I am keen to hear whether there are more discussions around what people are doing (or attempting to do) around cyber resilience. I'm also keen to hear balanced views and experiences of managing a holistic Information Security practice. I'm hopeful that, while cyber security and cyber resilience are all very important things in a hyper-connected world, we don't lose sight of the risks and flows that happen internally. For me, this includes continuing to invest in process, practices and tooling that protect the information assets themselves, which is why I'm still mostly behind the term Information Security, augmented (but not replaced) by the cooler, hipper and funkier terms of Cyber Security and Cyber Resilience.
Cyber Security Architect and Advisor
5 years ago: NIST published Platform Firmware Resiliency Guidelines last year https://www.nist.gov/publications/platform-firmware-resiliency-guidelines. They want OEMs to develop resilient firmware/OS, esp. for non-traditional devices like IoT devices.
Privacy, information and cyber security | AI | child safety | AML & CTF | speaker | mentor | writer | CIPM | FGIA
5 years ago: Hi Nigel, I've just seen your article and thank you. We develop security policies and procedures (often for organisation-wide tech users, not solely ICT). For any organisation which is actually serious about uplifting its security posture... we find information security is not only recognised by much of the broader population of tech users, it of course includes cyber, the external threat. So, it's also my preference when we develop user-facing documents. Importantly, if users feel confused about meaning based on the language used, it just creates another barrier to getting policies adopted, which is so not what we need!
Problem Solver | Passionate developer | Azure | .NET Core | Docker | Kubernetes | DevOps | DevSecOps | Research & Development enthusiast
5 years ago: Brilliant, very well written. Found the new topic to research to improve my knowledge bank: "Cyber Resilience".
Helping People With Security | Hanwha Defence Australia Cyber Security
5 years ago: Cyber resilience is a good term because it brings it back to confidentiality, integrity AND availability. Does this mean the opposite of cyber resilience is being a cyber snowflake?
COO | Enterprise Technology & Cybersecurity Leader | Scaling Business | Building High Performing Teams
5 years ago: Well written, Nigel. You have to remain focused on protecting critical information, but there is always the challenge of protecting your brand, which can be affected by cyber attacks that are not specifically targeting information. I like the term cyber resilience for that reason.