Oct 28 2024
Security

Cyber Resilience: What Is It, and How Do Organizations Achieve It?

True toughness in an age of sophisticated cyberattacks requires a focus on how to recover when a breach occurs.

Even as government agencies adopt zero-trust architectures and become more adept at detecting and preventing cybersecurity threats, attackers are still finding ways to get through defenses.

According to the 2024 IBM X-Force Threat Intelligence Index, the use of valid credentials became the top initial access vector last year, accounting for 30% of the observed incidents that X-Force responded to in 2023. The report notes that major incidents in which attackers used stolen valid account credentials were associated with more complex response measures by defenders, at a rate 190% greater than for an average incident.

It’s a question of when, not if, an organization will be breached, and experts say that cyber resilience is as important as cybersecurity. State and local government agencies must be in a position to not only weather an attack but to recover and adapt to threats following a breach.

“Every day is a learning day,” says Jon France, CISO of ISC2, a cybersecurity training and certification organization. “And if you go through a scenario where you’ve been attacked, compromised or even endured an attempt, you take the opportunity to learn from it as well. Resilience is a discipline, not a point-in-time action. And going through some tough times can inform future action and give you the opportunity to learn from it.” 

What Is Cyber Resilience and Why Is It Important?

Cybersecurity resilience refers to an organization’s ability to “continuously deliver the intended outcomes despite adverse cyber events,” says Lisa Plaggemier, executive director of the National Cybersecurity Alliance. “It encompasses the ability to prepare for, respond to, recover from and adapt to cyberthreats, ensuring the protection and recovery of information systems by planning for potential issues before they arise.”

Resilience, France notes, involves not only dealing with cybersecurity incidents but also recovering and getting back to a normal operating environment. That doesn’t necessarily mean returning to exactly as things were before a breach, however, since cyber resilience involves adaptation. IT and business leaders may decide to prioritize restoring some functions or processes early, and some not at all.

Cyber resilience is important because it allows government agencies to lessen the severity of inevitable attacks and minimize the cost of recovery, France says.

Cyber resilience helps “ensure continuous operation and reliability of services, even when faced with cyberthreats,” Plaggemier says. Such strategies can reduce downtime, protect sensitive data, maintain customer trust and help organizations comply with regulatory requirements, “thereby safeguarding the organization’s reputation and financial stability.”

How Is Cyber Resilience Different from Cybersecurity?

Cyber resilience is related to but distinct from cybersecurity. “Going beyond typical cybersecurity tactics, which primarily focus on preventing and responding to attacks, cyber resilience acknowledges that despite our best efforts, breaches may still occur. A strong cyber resilience strategy will emphasize preparedness and the ability to bounce back swiftly,” writes Gary McIntyre, managing director of cyberdefense at CDW, in an article on the company’s website. 

Cyber resilience incorporates disaster recovery and business continuity, as well as attack response playbooks that spell out how business functions such as finance, IT and corporate communications will react and recover.

“Cybersecurity is about building strong defenses; resilience is about maintaining functionality and bouncing back quickly after a breach or attack,” Plaggemier says.

What Does Effective Cyber Resilience Look Like?

One key to effective cyber resilience is a continuous practice of risk management as organizations anticipate and weigh risks and plan for their occurrence.

Another core element involves having conversations with business leaders and deciding which assets and decisions are most important to the organization in recovering from an attack, then having that information inform technology, processes and procedures.

Ultimately, this manifests itself as minimal disruption to operations during cyber incidents, quick recovery times and the ability to adapt to new threats, Plaggemier says.

Key metrics of effective cyber resilience include mean time to detect and mean time to respond to incidents, she notes, as well as recovery time objectives, the number of incidents over time, and the success rate of incident response and recovery efforts.

73%: the share of companies that say they have experienced a cyberattack. Source: Marsh and Microsoft, “The State of Cyber Resilience,” June 2022

Can a Cyber Resilience Review Help?

In practice, cyber resilience involves developing an incident response playbook that “outlines the step-by-step actions that must be taken following a cyber incident, ensuring that every cog in the organizational machinery understands its role and responsibilities during a crisis,” McIntyre writes.

These playbooks can “enable rapid response to cyber incidents by providing clear guidance on containing a detected threat, mitigating its impact and initiating cyber recovery processes,” he adds. “Generally, the swifter the response, the easier recovery will be.”

France says that organizations also should conduct tabletop exercises to run through various cyberattack scenarios and how the organization would respond.

“What you’re trying to do is build muscle memory, because the time to learn about your strengths, weaknesses and capabilities shouldn’t be during the time of crisis — it’s before that,” France says.

Similarly, as the Cybersecurity and Infrastructure Security Agency notes, a cyber resilience review can help an organization “develop an understanding of its ability to manage cyber risk during normal operations and times of operational stress and crisis.”

Such reviews can help “identify vulnerabilities, assess the effectiveness of current strategies and determine areas for improvement,” Plaggemier says. “This review process ensures that policies, procedures and technologies are aligned with the organization’s resilience objectives.”

Key Strategies for Enhancing Cyber Resilience

There are many technology solutions and services that organizations can turn to for cyber resilience, experts say. Those include automated incident response systems, advanced threat detection tools, data backup and recovery solutions, and network segmentation technologies, Plaggemier says.

Additionally, she notes, cloud services and Disaster Recovery as a Service “can provide robust and flexible options for maintaining operational continuity during and after cyber incidents.”

Other cyber resilience capabilities that organizations can work with trusted third parties to deploy include infrastructure analysis, red and purple team exercises, incident response planning and testing, cyber recovery plan automation and management, and incident response tabletop exercises.

“Cybersecurity resilience is a business concern,” France says, meaning that IT leaders must talk to business leaders and find out what is critical for the business. “It’s never done in isolation. Cybersecurity is not a treatment to the business; it is an inherent part of the business.”
