July 3, 2024

Definition of cyber resilience

Cyber resilience is an organization’s capacity to maintain effective operations in the event of a major disruption to digital systems. An organization’s cyber resilience is measured in terms of how long it takes to identify, respond, and recover from an IT security incident.  

Cyber resilience strategies also focus on understanding risk, as organizations should be prepared to face a significant cyber incident from any number of disruptive events, including:

  • Cyber attacks that result in a data breach
  • Damage purposely caused by a malicious insider 
  • Extreme weather that disrupts power to data centers 
  • Innocent human errors 
  • Natural disasters 
  • Political conflicts 
  • Public health emergencies 
  • Ransomware attacks 
  • System failures 

An organization is considered to have cyber resilience when it can ensure business continuity during and after cyber incidents. The objective of cyber resilience is that the organization is able to deliver goods and services regardless of what happens to IT systems. 

High-profile, sophisticated ransomware attacks have driven the increasing prioritization of cyber resilience.

The far-reaching implications of these cyber incidents drew the attention of executives, board members, regulators, and government leaders, driving them to push their IT and security teams to ensure that their organizations are cyber resilient. 

The four pillars of cyber resilience

Cyber resilience is predicated on the assumption that cyber incidents will occur. A cyber resilient organization operates with the understanding that it must be prepared for incidents and that when they happen, they need to be able to maintain critical operations.

To fully embrace a culture of cyber resilience, it is important to understand the four foundation pillars of cyber resilience—anticipate, withstand, recover, and evolve.

Pillar one: Anticipate to understand and prepare for cyber threats

Anticipating cyber threats requires understanding the types of bad actors who are most likely to target an organization, the types of attack vectors they will exploit, and the tactics, techniques, and procedures (TTPs) they will employ. This includes the behaviors, methods, or patterns of activity used by threat actors to develop threats and engage in cyber attacks, such as advanced persistent threats (APTs), denial-of-service (DoS) attacks, phishing and spear-phishing, and ransomware.

Other cyber threats besides cybercriminals should also be considered. These include natural disasters (e.g., such as storms and earthquakes), structure failures (e.g., power outages), and system stresses (e.g., unexpectedly high loads on systems).

In addition to anticipating who is most likely to cause problems, anticipation also should include an assessment of vulnerabilities. This should cover everything from networks and endpoints to cloud services and storage.

It is important to note that the anticipation extends beyond the IT and security teams. Executives should be involved in considerations about what areas of the organization hold the most value.

Additionally, department heads should weigh in and help provide insights into their systems. Business leaders should be thinking about the workstreams needed to support critical operations, while IT security teams start looking for gaps in the kill chain and legacy systems.

Pillar two: Withstand by developing robust systems that can limit disruptions

The withstand pillar focuses on limiting the impact of disruptions. In the event that a cybercriminal successfully exploits an attack vector, a user makes a mistake that impacts systems, or other unanticipated disruptions occur, cyber resilience best practices position the organization to resume normal operations quickly.

To effectively withstand disruptions, standard operating procedures must be created based on the anticipate pillar. IT and security teams operations teams should have playbooks that cover the most likely attacks on the organization. In addition, traditional security event response tactics should be in place, such as an incident management plan.

Another part of withstanding is drawing adversaries away from critical assets and resources. This is typically done using honey pots. These are decoys made to look as though they are high value. This not only helps keep attackers from accessing priority resources, but also gives IT and security teams a look into their tactics and the type of targets that they are seeking.

Pillar three: Recover rapidly from cyber incidents

In the context of cyber resilience, a disaster recovery plan to restore critical data is often considered sufficient. It is not. Cyber resilience goes beyond simply recovering data. It encompasses all of the services and workflows that use that data.

To recover rapidly from cyber incidents, all applications, platforms, and networks must be restored. This means quickly providing account access, database services, and access to cloud systems, as well as keeping these protected from the incident. Programs should be in place to enable teams to redirect to an exact replication of an application or series of applications, and these should be isolated from the original ones to ensure that no residuals (e.g., malware or ransomware) can impact them.

This can be done by keeping duplicates of applications and associated services in a cyber vault. This should be kept on separate networks and ideally be located in one or more remote locations. Core application services to keep in a cyber vault include Active Directory, authentication, domain name systems, firewalls, key management systems, public key infrastructure, and virtual private networks. 

Pillar four: Evolve by learning and adapting from cyber events

Cyber resilience is an ongoing effort. Once plans are in place, they should be reviewed on a regular basis to ensure that they evolve to remain relevant and optimized. This includes evaluating systems’ functionality and architecture. In some cases, legacy systems may need to be moved to cloud services, or critical systems should be moved on-premise.

Reviews should be scheduled at least once a year. In addition, if there is a cyber incident, cyber resilience strategies and plans need to be assessed and updated based on lessons learned during the incident post-mortem review.

Cyber resilience vs cybersecurity

Organizations should have both cybersecurity and cyber resilience strategies and programs. Cyber resilience and cybersecurity complement one another, improving an organization’s overall security posture, ensuring business continuity, and facilitating compliance with regulations and standards.

Cyber resilience encompasses an organization’s ability to limit damage to systems, processes, and reputation, as well as resume normal operations in the wake of a security incident or other disruption; conversely, cybersecurity focuses on an organization’s ability to defend against and mitigate the increasing risks posed by cybercriminals.

Also, cyber resilience helps prevent data breaches and reduce the risk of malicious activity. On the other hand, cybersecurity helps mitigate the impacts of these attacks and other scenarios that disrupt digital systems’ operations.

The following are several best practices for integrating cyber resilience and cybersecurity strategies and programs.

Backup and recovery

A key part of cybersecurity is protecting data. This extends beyond data protection tools, such as encryption, to include data backup and recovery systems that assure the confidentiality, integrity, and availability of information. These also play a critical role in cyber resilience as data as data backup and recovery systems ensure that data can be restored quickly. 

Simulation testing

Performing simulation tests helps identify any deficiencies in cybersecurity and cyber resilience systems and processes. Simulation tests use real-world scenarios to ensure that systems will perform as expected. They also can uncover opportunities for optimization. In addition to assessing systems, simulation testing helps staff better understand their roles and prepares them to respond quickly when needed. 

Leadership engagement

Both cybersecurity and cyber resilience are initiatives in which priority should be driven by leadership. To engage leadership (i.e., executive managers and boards of directors), they must be made aware of what is being done with regard to cyber resilience and cybersecurity. This not only helps them drive the message that these are important for the organization but also helps get and keep them on board with the ongoing funding of these initiatives.

Continuous improvement 

Cyber resilience and cybersecurity should be regularly reviewed. This ensures that changing requirements and priorities are reflected in these initiatives. These reviews also highlight areas that are underperforming so they can be improved.

How cyber resilience relates to enterprise resilience

Cyber resilience and enterprise resilience are inextricably connected. Cyber and enterprise resilience hinge upon sustained access to data regardless of what incident occurs. Like a well-run enterprise, a good cyber resilience program takes a data-centric approach to enterprise data protection and security.  

A key objective of cyber resilience is to keep data available and recoverable if needed while an incident is being mitigated and resolved. Cyber resilience programs should include policies, methods, and solutions to ensure an enterprise can identify, respond, and recover from a cyberattack. At its core, a cyber resilience framework drives end-to-end security approaches that maintain the highest possible enterprise data and system availability. 

Why cyber resilience is important

Cyber resilience is important because technology is foundational to nearly every business’s operations. Downtime can have negative to critical impacts on organizations. A cyber resilience plan has become a must-have rather than a nice-to-have program.  

Cybersecurity programs can help plan how to handle a broad range of cyber risks. Cyber resilience aims to ensure readiness to act effectively and quickly in the event of a cyber incident by being prepared for it, able to respond to it, and quickly recover from it. Businesses can continue operations with minimal disruption to workflows and processes. 

The need for cyber resiliency is well summed up by Lt. Gen. Ted F. Bowlds, Former Commander, Electronic Systems Center, USAF: 

“You are going to be attacked; your computers are going to be attacked, and the question is, how do you fight through the attack? How do you maintain your operations?”

Several important reasons for businesses to embrace cyber resilience are: 

  • Adhering to compliance regulations 
  • Ensuring continued customer trust 
  • Maintaining business continuity 
  • Meeting data protection requirements 
  • Protecting sensitive information, such as credentials and personally identifiable information (PII) 

How cyber resilience enables enterprise resilience

Cyber resilience enables enterprise resilience by ensuring that systems downtime is minimized and business continuity is maximized. Because enterprise resilience relies on systems uptime, cyber resilience plays an important role.  

In many cases, cyber resilience plans augment enterprise resilience plans that are tied to disaster recovery plans. Cyber resilience plans provide a framework and processes to resume normal operations quickly after a disaster strikes. 

Cyber resilience and digital transformation

Cyber resilience is crucial even for businesses in the early stages of digital transformation. The pervasive role of technology has increased risks with new vulnerabilities, expanded attack surfaces, and heavy reliance on systems’ continuous uptime. Cyber resilience allows businesses to reap the benefits of digital transformation while significantly mitigating a variety of risks. 

Three critical components of cyber resilience

Robust cyber resilience frameworks and strategies include the following capabilities. 

Protection

Protection is a foundational element of any cyber resilience strategy. The first step in establishing a cyber resilience program is to ensure that appropriate and effective security measures are in place to protect all systems, applications, and data from unauthorized access.  

Among the many protection tactics that can be used to bolster protection and cyber resilience are identifying, assessing, and managing cyber risks across all systems. This also applies to third and fourth parties, which can bring risks

Detection

Detection is also a key part of cyber resilience. Early detection of a cyber threat provides the best chance to stop it before damage is done. Continuous monitoring and attack surface management help identify malicious or unintentional threats to prevent cyber incidents and keep operations running without interruption.   

Recoverability

The ability to recover from an incident in a timely manner is one of the most important functions of cyber resilience. Many organizations will experience a serious incident at some time. Being prepared with a recovery plan results in cyber resilience.  

This requires developing and implementing a detailed incident response plan and taking time to test it. Infrastructure redundancies and data backups are also imperatives for business continuity. 

Additional cyber resilience components

Adaptability

With a rapidly changing threat ecosystem, businesses must build adaptability into their cyber resilience plans. Adaptability plays an important role in cyber resilience, whether it is proactively changing or adding defenses in response to a new threat or shifting course to respond to an attack rapidly. Another adaptability component is learning from past events and threat-related data to adjust plans.   

Solutions, programs, and processes for cyber resilience

To effectively execute a cyber resilience strategy, a number of solutions, programs, and processes need to be in place, including: 

  • Backing up data automatically to expedite recovery from breaches (e.g., malware, ransomware) or other disruptive incidents (e.g., human error, network outages, natural disasters)   
  • Detecting and blocking threats before they can infiltrate systems and networks  
  • Enhancing cyber resilience by making improvements and ensuring optimization of systems, configuration management, vulnerability management, and attack surface management  
  • Improving security by taking measures to make it more difficult for attackers to gain access to systems and networks   
  • Protecting endpoints from the latest threats
  • Recovering from attacks in a timely manner to minimize downtime and impact on operations   
  • Responding to attacks quickly by having a detailed cyber resilience plan in place   
  • Training to remind users how important security is and to educate them about threats, how to spot them, and how to respond to them 

Improving cyber resilience

Cyber resilience can be improved by implementing and continually assessing security practices, such as: 

  • Allowing access by exception (i.e., enforce the principle of least privilege
  • Applying role-based access policies with contextual rules  
  • Creating multiple protected instances of critical resources 
  • Diversifying components and vendors to reduce vulnerabilities 
  • Educating users about cyber attack vectors and how to avoid them
  • Employing a defense-in-depth strategy that limits attackers’ ability to exploit a breach 
  • Installing patches promptly 
  • Monitoring systems for threats and unusual behavior continuously 
  • Regularly upgrading to the latest versions of software  
  • Requiring different multi-factor authentication for all systems 
  • Segmenting networks to provide separation for sensitive resources and data 
  • Separating user functionality and system management functionality— physically, logically, or both 
  • Staying apprised of new external threats and common vulnerabilities and exposures (CVE) 
  • Using encryption to protect sensitive data 

Measuring effective cyber resilience

Cyber resilience effectiveness is ultimately measured by the time lapse between detecting, mitigating, and resolving a threat or attack. Accurately measuring the efficacy of cyber resilience starts with understanding and collecting data related to several key metrics, including the following. 

Technical metrics 
Quantitative cyber resilience measurements can be gathered by evaluating the performance and identifying potential risks and vulnerabilities. Technical systems to measure include: 

  • Data protection
    Number of data breaches, number of records compromised, and how long it took to detect and resolve incidents
  • Disaster recovery
    Recovery time objective, disaster recovery tests conducted, and number of incidents that required disaster recovery
  • Network security
    Successful and attempted attacks, number of vulnerabilities identified, severity of identified vulnerabilities, and how long it took to detect and respond to incidents
  • System availability
    Systems’ uptime and downtime, mean time between failures, and number of system crashes

Human-related metrics 
Cyber resilience can be measured by recording and assessing data related to human behavior and decision-making related to cybersecurity. These cyber resilience metrics focus on the role of employees and end-users as related to: 

  • Incident response
    Measures an organization’s ability to respond to cybersecurity incidents and minimize the impact of a breach
  • Phishing awareness
    Programs in place and frequency of an organization’s ability to educate employees on the dangers of phishing scams and how to avoid them 
  • User training
    Assesses an organization’s investment in cybersecurity training for employees and end-users

Model-based metrics 
Model-based metrics are used to measure the overall cyber resilience of an organization. Incorporating technical, organizational, and human-related metrics, model-based metrics provide a comprehensive view of an organization’s cybersecurity posture and cyber resiliency. Examples of model-based metrics are:  

Organizational metrics 
Organizational metrics refer to characteristics and processes that contribute to cyber resilience, such as internal structure and governance of an organization, including:  

  • Data privacy
    Organization’s ability to protect sensitive information and comply with data privacy regulations 
  • Policies and procedures
    Extent to which an organization has documented and implemented its cybersecurity policies and procedures
  • Risk management
    Organization’s ability to identify, prioritize, and manage cybersecurity risks

Threat intelligence metrics 
Monitoring and measuring threat intelligence is essential to protecting systems, networks, and data. There are a number of key metrics organizations use to measure cyber resilience, including: 

  • Cost per incident
    Cost of each incident that the organization experiences 
  • False positive rate
    Number of false positives that the organization’s threat intelligence systems generate 
  • Threat detection rate
    Percentage of threats that are detected and prevented
  • Time to detect
    Amount of time it takes for the organization to detect a threat 
  • Time to respond
    Amount of time it takes for the organization to respond to a threat once it has been detected

Seven steps to cyber resilience

  1. Identify critical assets and vulnerabilities. 
    • Assess systems’ criticality to operations and impact if they were compromised.
    • Use risk scoring to develop a tiered risk profile map to help prioritize actions.
    • Identify known risks and potential risks.
    • Based on risk scores, implement risk mitigation tactics starting with systems that are the most likely to be attacked and that would have the most significant impact on the organization.
  2. Protect through effective cybersecurity measures. 
    • Develop and enforce cybersecurity policies for all systems and users.
    • Leverage technical security solutions to protect digital assets. There are a number of cybersecurity solutions to consider, but the main ones are endpoint protection tools, firewalls, encryption, data loss prevention (DLP), network access controls, and multi-factor authentication.
    • These solutions should be complemented with security awareness training and processes that ensure the timely installation of software updates and security patches.
  3. Detect cyber threats promptly.
    • Systems for continuous monitoring should be implemented to ensure timely detection of attacks or suspicious activity that could be the precursor to an attack or malicious activity.
    • Automated incident response systems should used to minimize exposure and damage.
  4. Respond to incidents with a coordinated approach.    
    • The best incident response is based on plans that include cross-organization input and have been thoroughly tested with simulations that reflect the characteristics of likely scenarios.
    • The plan and testing should include both malicious incidents, accidents, and disasters, as these all impact cyber resilience.
    • An incident response plan should detail systems and processes as well as roles and responsibilities.
  5. Recover critical functions and services post-breach. 
    • After an incident, the upfront work of identifying and prioritizing systems plays a crucial role. In addition to the guidance established in step one, teams should be trained, and processes should be established to direct a coordinated recovery of systems following a data breach or other security incident.
  6. Review and update cyber resilience plans. 
    • Establish review protocols to measure the efficacy and efficiency of each step.
    • Insight culled from reviews should be reported to stakeholders and management, as well as integrated back into each step and process.
  7. Cultivate a culture of cyber resilience. 
    • A culture of cyber resilience starts with the leadership team prioritizing and stressing the importance of it.
    • Practical steps to embed this into an organization’s culture include developing engaging training programs; these should focus on real-world scenarios that apply to the organization.
    • Training should be customized for different groups and roles to give employees actionable tactics to fortify cyber resilience.
    • Employee efforts to support cyber resiliency should be recognized and rewarded.

How can leadership teams support cyber resilience in an organization?

Drive a cyber-aware culture

Whether directly or through others in the organization, the leadership team should ensure that there is regular and meaningful communication about the importance of cyber resilience and cybersecurity. This should include town halls or other open discussions about cyber threats and incidents—both malicious and accidental. Executives and managers should also lead by example, demonstrating their commitment to cyber resilience by adhering to best practices and policies. 

Empower external sharing 

Give IT and security teams permission to participate in information-sharing networks with other organizations, industry groups, and government agencies.  

Encourage continuous improvement 

Support regular security audits and risk assessments to identify vulnerabilities and improve defenses. Also, IT and security teams should be given the budget to establish mechanisms for learning from incidents and integrate lessons learned into policies and procedures.

Enforce cyber resilience policies and procedures

IT and security teams should be given the resources needed to develop, maintain, and enforce comprehensive policies that support cyber resilience initiatives. These should cover all aspects of operations and include input from representatives of all departments. Policies should be reviewed and updated on a regular basis to keep pace with evolving threats and regulatory requirements.

Invest in cyber awareness and training

Cyber resilience and cybersecurity should be kept at the top of all employees’ minds. In addition to the communications note above, employees should be kept abreast of successes and any incidents with lessons learned being highlighted.

Training and educational materials should be used to share and reinforce cyber resilience and cybersecurity best practices. IT and security teams should be given access to advanced training in best practices, processes, and tools to keep them abreast of the latest trends and how to implement them in the organization. 

Set a clear vision and strategy

Involving an organization’s leaders, including executive teams and boards of directors, in cyber resilience is of the utmost importance. They can set the vision and strategy for cyber resilience by defining the strategic objectives of the program and explaining how it aligns with the overall goals of the organization.

Benefits of cyber resilience

Regardless of size, all businesses can benefit from prioritizing cyber resilience. Five of the most commonly cited benefits of cyber resilience include: 

  1. Improved compliance 
  2. Increased productivity 
  3. Minimized financial impact of unexpected disruptions 
  4. Protecting reputation and client trust 
  5. Upleveling overall cybersecurity 

Cyber resilience FAQ

What is the difference between cybersecurity and cyber resilience? 

Cybersecurity Cyber resilience 
Consists of information technologies, processes, and measures designed to protect systems, networks, and sensitive data from cybercrimes Encompasses cybersecurity, data security, IT infrastructure, business functions, and business continuity and disaster recovery (BCDR) 
Reduces the risk of cyber attacks and protects entities from the deliberate exploitation of systems, networks, and technologies Shows businesses recognize that attackers may have the advantage of innovative tools, zero-day threats, and the element of surprise 
Deals with how to protect business-critical data, systems, and applications Provides a strategy to run business operations with minimal disruption when such instances happen 
A defense strategy that involves using different tools, technologies, and processes to protect against and prevent unauthorized access to data and networks Helps businesses prepare, prevent, respond, and successfully resume pre-incident processes and operations 
Aims to keep threats away and prevent disasters from occurring in the first place Focuses on rapid recovery and business continuity in the face of an attack 
Protects against and avoids attacks from ransomware, malware, or other threats from cyber criminals Mitigates damage and gets mission-critical systems up and running quickly following a breach 

While there are many differences between cybersecurity and cyber resilience, the two work best together. Most cyber resilience tactics assume, leverage, or enhance cybersecurity measures.  

Together, cybersecurity and cyber resilience ensure that an organization’s critical systems and data are protected from internal and external threats, as well as minimize disruption and damage when the unexpected occurs. 

What is cyber risk?

Cyber risk is the chance of financial loss, disruption, or damage to an organization’s reputation caused by information system issues. There are two types of cyber risk—external and internal. These can take many forms, including cybercrime, cyber terrorism, corporate espionage, third-party vulnerability, malicious insiders, and simple human error.   

How can cyber resilience be incorporated into IT governance?

Incorporating cyber resilience into IT governance involves integrating cybersecurity practices into the organization’s overall IT strategy and management framework. This includes establishing robust policies, procedures, and controls to manage cyber risks.

Upleveling business operations with cyber resilience

The benefits of and need for cyber resilience are undeniable. The good news is that the effort required to implement or enhance cyber resilience results in better security and system uptime. Businesses with a robust cyber resilience program see overall operations improve.    

Assess the strength of your identity security program

Research-backed, industry-specific benchmark data and a roadmap for driving business value

See where you rank