Cyber security is no longer enough: businesses need cyber resilience

Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.

Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.

Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.

Beyond that, businesses need to build resilience into every part of the business, from business process mapping to engineering service availability to critical vendor dependency. They need to limit the impact of cybercrime to a company’s brand, finance, legal, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.

The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down, because there’s currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers’ trust, to absorb the financial, legal, and brand impact and get back to business. But there is no widely-accepted cyber resilience framework, no maturity model, and I think there should be.

After all, there are countless other maturity models, which allow businesses to measure capabilities, digital transformation, supply chain, cyber security, and data management to name just a few. What might cyber resilience maturity look like? This is not just about the ability to respond and recover; it's how quickly we recover and what we prioritize.

I am not proposing another checklist or self-assessment methodology. A mature cyber resilience approach should be flexible, adaptable, and continuously improving. I propose we design a framework that describes a set of characteristics that helps a company and its leadership understand what cyber resilience is and how it will be achieved. This framework would describe an approach and attitude towards delivering cyber resilience.

For instance, is your organization committing random acts of resilience? Building a plan only to look at it when an auditor asks? Building call trees when you would be better off using PagerDuty? Real resilience involves a multi-dimensional approach that dynamically responds to threats while keeping your business goals intact.

- identifying your crown jewels and critical capabilities;

- looking at the interconnectedness of your systems and how vulnerable you are to attack;

- adapting more quickly to the broader social and political climate;

- creating partnerships with peers, competitors, and public entities;

- looking at how your team hires and develops skills;

- changing your approach, so you are not only securing the business but enabling the business through security;

- measuring whether you are maintaining a culture of trust and agility; and

- measuring customer trust and transparency.

Every organization will have its unique risks, and no one model can serve as a one-size-fits-all approach to cyber resilience. But this approach can help guide investment decisions, unite stakeholders around a common goal, and usher in the practice of continuous improvement. Most of all, cyber resilience should provide leadership with the confidence that when the worst happens, an organization can still deliver on its commitments.

An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. This measurement framework should scale for industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.

When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced there was a national call to action. Now, society and business is at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy." It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.

And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together, to make everyone stronger.