Cyber Resilience: Why CISOs should prioritise it in 2023

By Amit Tailor, Systems Engineering Director at Palo Alto Networks.

Friday, 24th February 2023. Posted by Phil Alsop.

The cyber-threat landscape continues to evolve at an exponential rate, posing an active threat to businesses and driving accelerated cybersecurity spend. 37% of UK cybersecurity leaders polled in a recent Palo Alto Networks survey said they expected cybersecurity budgets to increase by up to 10% in the coming year – but effective cyber-threat management relies on more than simply adding money to the budget.

One concept that should be top-of-mind for CISOs looking to protect themselves effectively against threats is cyber resilience. Often, this is defined as a tactical state of preparedness which enables organisations to minimise business disruptions and maintain their reputation in the event of a cybersecurity incident.

Effective cyber resilience can be achieved by creating the necessary processes, organisational culture and structures to pivot business delivery mechanisms and core system functionality quickly when responding to threats. As we move further into 2023, here are some key considerations CISOs should be aware of to maintain a lasting state of cyber resilience.

Battling fragmentation and attack surface growth

To drive effective cyber resilience, organisations must thoroughly understand their current resilience posture – inclusive of capabilities, practices, risk tolerance and business objectives. This is often achieved by way of an assessment against a dedicated cybersecurity resilience framework and incorporates an emphasis on operational requirements and organisational mission, objectives and goals.

One key issue CISOs can face when it comes to mounting an effective state of cyber resilience is growth in the attack surface due to vendor fragmentation. According to recent research, 51% of UK organisations work with more than 10 security vendors – which can often happen almost unconsciously as companies look to protect themselves against rapidly proliferating cyber threats. However, a larger number of vendors increases the risk of interoperability issues, information silos and a corresponding growth in attack surface.

Organisations should ensure that the attack surface, inclusive of assets and data, is meticulously managed. This should mean putting plans and configurations in place to restrict the use of unauthorised software, hardware or applications wherever possible – and this includes the dreaded “shadow IT” spectre. Critical business and service infrastructure must be identified, managed, monitored, protected, prioritised and maintained – and stress tested on a regular basis.

Managing cyber resilience skill shortages

Another challenge CISOs face is a lack of cyber skills when it comes to both recruitment and internal skill sets. In fact, the lack of skilled cyber professionals is the biggest challenge UK cybersecurity leaders identified in our recent research. When it comes to cyber resilience, the skills gap is not insurmountable but requires investing in people, processes and technology – especially people.

Technical training and certifications can provide a long-term skills gap solution for certain cyber roles. Still, effective cyber resilience involves skills such as cybersecurity governance, risk management, incident management and strategic thinking – which are harder to recruit for. As a result, there should be a focus on educating people on cyber resilience from the ground up – upskilling entry-level employees from day one – as well as investing in training and retention of senior cybersecurity professionals. This will help to build a cyber-resilient culture organisation-wide, enabling all stakeholders to keep pace with the proliferating threat landscape.

Securing executive buy-in

It’s also typical for conversations around cyber resilience – including the topics above – to be minimised in executive meetings. Many cybersecurity leaders avoid difficult conversations with business-minded leaders about security operations metrics, for fear of overloading them with reports on the status of tools and technologies in addition to new risks or threats. However, resilient organisations are invested in spreading the word about security throughout all levels of their organisation – including the most senior leaders.

This means being willing to move beyond the metrics alone and to have the tough conversations – for example, under what circumstances would the organisation pay a ransom? Are there clear decision trees that build in fail-safes for circumstances such as a CISO’s incapacitation at the time of an incident? How would customer trust be maintained in the face of media scrutiny and stock price turbulence? Having these conversations will help stave off both threats and associated business continuity risks.

In 2023, moving cyber-resilience efforts forwards should form a key part of every CISO’s brief. Organisations willing to have the hard conversations to align business considerations with cybersecurity efforts, and to encourage a thorough understanding of and dedicated approach to resilience throughout the organisation, will outperform competitors when faced with cyber threats. By focusing on culture, skills and processes, and moving beyond simply spending money on tools, companies can set themselves up optimally to manage proliferating threats in 2023 and beyond.