Rethinking Cyber Resilience
The concept of cyber resilience – the ability of an organization to respond to and recover from a cyber incident – has been around for decades. Underpinning the broader concept of business resilience, it is a critical aspect of business operations. In the digital era, business processes are only as resilient as the systems on which they run. In the face of compounding challenges and global crises, I very strongly advocate that cyber resilience be on every CxO’s agenda. So why is it that many organizations seem unprepared when a cyber-attack happens?
To unpack that question, I invited Sounil Yu, author, advisor, and CISO at JupiterOne, onto the latest episode of Afternoon Cyber Tea. Sounil is a well-known expert on cyber resiliency, having created several frameworks that security leaders use today. I wanted to know why organizations are struggling – and what leaders can and should be doing differently to improve their cyber resiliency. It was a fun and lively discussion – you can listen to the full episode here.
Here are a few highlights from our discussion that resonated with me:
Applying old solutions to new problems
No doubt, the cyber attack surface has increased, and attackers are becoming more sophisticated by the day. So why have cyber resilience plans not kept pace? Sounil posits that many are still applying old solutions to new problem sets – and that there are massive gaps in the ecosystem when it comes to supporting recovery from a cyber event. Sounil said, “One of the challenges that I saw and one of the reasons why I tried to shake up the ecosystem is because I didn't see the conversation evolving as quickly as it needed to. What I saw in the market was the propensity for us to sell solutions - or from vendors to sell solutions that really solved all the problems. And one of the frameworks that I created was this thing called a Cyber Defense Matrix, and it's a simple mental model that helps us understand all the different things that the vendors are selling us. And it became pretty clear as I was mapping out all these different vendors that there was a massive gap in the market for solutions that help us recover against cyberattacks.”
A new approach: distributed, immutable, ephemeral
I asked Sounil what leaders and organizations should do to become more resilient. Without pause, Sounil described a new framework he has invented – the D.I.E. triad, which stands for distributed, immutable, and ephemeral. He mentioned, “The D.I.E. triad takes a complete break from the CIA (confidentiality, integrity, availability) triad. And specifically, one of the things I'm arguing is we tried to take a DIE approach first before we try to secure anything. And this may sound heretical to a lot of people in security because we oftentimes think security first. But I am actually arguing we need to take security - do security second, with the primary emphasis being, how do we make some system or some data or whatever it is that we're trying to deal with more distributed, more immutable and more ephemeral?”
What is standing in the way? Funnily, it is (potentially) security people.
Part of my conversation with Sounil centered on the barriers to resiliency – what is standing in the way of organizations moving toward systems that are more distributed, immutable, and ephemeral. Perhaps controversially, he said it was potentially security people that would be a barrier. Sounil said, “So a funny thing is, I think that what's going to get in the way is security people. Because effectively, we in security are well vested and well employed and what we're rewarded for doing - CIA. And what I'm actually arguing is that, on the other end of the spectrum, we have a situation where we are not going to be - where we lower our burden for security.”
Cyber resilience is one of my favorite topics to discuss, so I was thrilled to have Sounil on to unpack this critical issue. For the full episode and more Afternoon Cyber Tea, visit www.afternooncybertea.com. New episodes are released every other Tuesday and are available on the Cyberwire and most major podcast platforms.
Comment (2 years ago): You should read the FFIEC AIO booklet. CIA serves well and facilitates the D in DIE when the program is executed correctly. The very definition of immutable, lasting a short time, goes against what security tries to do. We need continuity of coverage, not some spectre of security. Good programs are living and need to be tailored over time based on need. What it sounds like you're saying is "I wish I could get security for less because these people are expensive".