THE ARTICLES ON THESE PAGES ARE PRODUCED BY BUSINESS REPORTER, WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS. Zscaler is a Business Reporter client. As organisations face up to the inevitability of cyber-attacks, they need to shift their approach from piecemeal measures to developing a culture of resilience by design.
This calls for a different approach to that traditionally taken by IT teams; one where organisations look to become truly resilient, able to protect themselves against the risk of cyber-attacks as much as possible but also to recover should one occur.
“Resilience is all about looking at the challenge holistically,” says Marc Lueck, CISO in Residence at cloud-based cyber-security platform Zscaler. “It requires looking at this as a philosophical challenge, rather than a technical one, so businesses can ensure they’re prepared and can respond quickly to any attack. We need to move away from the old-school thinking of controls as isolated measures that are applied to a business and look at how to achieve overall resilience.”.
Rather than merely tackling technical issues and reacting to events that happen, organisations need to implement a “resilient by design” approach, says Lueck. This means taking a step back to ensure the business architecture is set up to prevent interruptions and can protect itself against threats, with an IT infrastructure that is designed to reduce risk, and where there’s a strong focus – led by IT – on building teams and cultures that are resilient in nature.
“The ability to prevent an attack, withstand an attack as it’s going on and recover from an attack after it’s happened is not something that can be done by one group or one technology in one area of the business,” explains Lueck. “Businesses need to look holistically across their organisation and ensure they have this deep ability to prevent, withstand and recover from these attacks.”.
This means ensuring that resilience is factored into any decision-making process, including building and extending business capability, before it is already established. “It can enhance business agility, because changes in architecture can actually speed things up,” says Leuck. “It’s about thinking about the challenge before you enact business changes.”.
He uses the analogy of preparing for a storm, using a mixture of monitoring forecasts, deploying tools such as umbrellas and making building enhancements to help mitigate the impact, and then ensuring essential services such as roads and ambulances are on hand to cope with any damage. “The storm is a perfect example,” he says.
“By managing your external attack surface and looking at consuming threat intelligence, you’re starting to predict the storm. By ensuring that you have appropriate controls and connectivity, you are starting to work out how to clear up afterwards.” Carrying out testing through tabletop exercises is an important element of this, he adds, so businesses can predict what might happen in a time of crisis.
It’s essential, though, that this is not left entirely to SRM professionals. “We need board members making the case for resilience, and that’s why resilience is such a handy title, because it’s not mired in the jargon of cyber-security,” he says. The same approach can be applied to other risks organisations face, he adds, such as coping with disruption as a result of global conflict. Through this, business leaders can also improve their own personal resilience, helping them to become better leaders in the process.
Organisations that can adopt a resilient-by-design approach can expect to gain significant competitive advantages, as well as being more resistant to incidents. Gartner’s research suggests organisations that adopt the principles of resilience outperform their less resilient peers, building stronger, more adaptable cyber-security programmes and having a clear plan for when something goes wrong.
“Attacks are becoming more common and if we’re all going to experience this in some form, resilience can be the competitive advantage to get your business going quicker, with more profit or just to keep your business going at all,” says Leuck. “Investing in resilience can not only protect a business but ensure that it is successful. That is a first for security, and it’s only in this past couple of years it has become the enabler we always dreamed it might.”.
