The security advisory firm Cybersecurity Ventures reports that cybercrime damages are set to cost businesses $6 trillion annually by 2021, with cybersecurity spending topping $1 trillion from 2017 to 2021. A trillion here, a trillion there … pretty soon you’re talking real money — more than enough to acknowledge that managing an organization’s cyber risk has truly become a CEO and Board-level responsibility.
It is essential today that enterprises build digital resilience into their business plans—and do so deep and wide.
Tip #1: Understand the difference between digital security and digital resilience. Security is about locking up and hunkering down. Resilience is about standing up to do business while fighting back. Security is necessary to protect your business but not sufficient. In the fulness of time, an attacker will get through. You need a strategy that gives you the ability to fight, stay connected, and keep doing business while responding to and recovering from a cyberattack. You need resilience.
Tip #2: Create awareness in the C-suite and the boardroom of both the risks associated with your digital infrastructure and the certainty of cyberattack. In other words, frame resilience as a business issue, not a security issue. Make management see it like any other business issue that impacts the whole enterprise. This means planning for and budgeting resilience not as an operational adjunct, a regulatory burden, or so much defensive hardware, but as a positive business asset: a competitive value proposition. Resilience will help stop data theft, keep you in business, and facilitate recovery from even the most successful attacks. And, resilient companies become trusted companies, as customers, partners, and investors all get increasingly savvy in choosing vendors, partners, and investments.
Tip #3: Nurture a resilient organizational culture from the top down. In a business, culture emanates from the top, from the leadership of the board and the CEO and, from there, throughout the C suite, through operational executives, and down to the frontline employees. This said, employees at every level must be recruited and trained to value and protect whatever data assets they handle. Nowhere is this more important than among personnel who deal with customer data and other core, critical assets of an organization.
Tip #4: Prioritize your data assets and audit the resilience of your network. Focus on hardware security but focus even harder on data resilience. Recruit the entire organization to contribute their detailed working knowledge and insight so that you can prioritize all data assets according to the business value of data items as well as their accessibility to attack. A resilient digital strategy balances the security of selective user privilege against scope of access. Critically important assets call for close control, including high levels of encryption. Less sensitive data can be made more widely and readily accessible. Security is smart. Resilience is even smarter.
Tip #5: Deploy resilience in all business processes. In planning, overseeing, and auditing resilience, think in terms of processes, not organizational silos. Boards and the C-suite must ensure that resilience is designed into such vital business processes as product development, marketing, sales, human resources, and the supply chain. Building into all processes such features as strategic redundancy, alternative sequences, and segmentation of operations is a resilient approach to workflows that enable businesses to survive attacks and buy time to contain breaches while continuing to do business.
Resilience is not a product or a service you can buy and deploy. It is a state of mind and an operational philosophy destined to be embedded in all future management training, schooling, and corporations. Why wait for that? Implemented today, resilience is a competitive advantage.