
The Expert View: Building Cyber-Resilience - Preparing for the Inevitable

Sponsored by Ekco

In today's digital landscape, cyber-threats are inevitable, and businesses sustaining damage - both financial and reputational - from cybersecurity issues is becoming increasingly commonplace, making cyber-resilience ever more important to organisations. Delegates gathered at a recent Business Reporter breakfast briefing, hosted by Ekco, to discuss what constitutes cyber-resilience. They shared their experiences of the challenges to creating a cyber-resilient business, and debated the merits of unified accreditation and auditing.

The delegates were all senior executives from a range of industries, including vendors and users of cybersecurity services, cyber insurance providers, law firms, and voluntary sector organisations.

What is cyber-resilience?

There was a broad initial discussion about what cyber-resilience means to the attendees. This initial conversation rested on the idea that organisations have had to pivot from an “if they get breached” approach to a “when they get breached” approach, and that their approaches to resilience have similarly adapted, changing from reactive responses to immediate threats to a more proactive approach that maintains constant scanning, threat assessment and robust disaster recovery simulations.

The consensus was that cyber resilience is more than just a technical issue - it’s a comprehensive business strategy, broadly focused on the speed at which a business can resume normal operations after a cyber incident, regardless of system status. Similarly, the attendees agreed that effective cyber resilience involves people, processes, and technologies, not just IT solutions. Some key components of resilience were outlined, encompassing proactive monitoring and measuring security infrastructure; continuous improvement; third-party risk management; the ability to detect, respond to, and recover from cyber incidents; and cultural awareness and employee education.

The cost of cyber resilience

The cost to the business of robust cyber-resilience was discussed, with the key message being that cyber resilience is a necessary business expense rather than an optional cost. There was recognition that the investment needs to be proportional to the organisation’s size and risk profile. Smaller organisations might rely more on shared services or syndicated security providers. The cost of not investing was also stressed, with one participant citing IBM data showing document theft increasing from 4 billion to 26 billion in a single year. Throughout the discussion, the potential financial impact of a breach (lost income, reputation damage, regulatory fines) was consistently presented as a compelling argument for investment.

One of the delegates particularly highlighted the plight of voluntary and third-sector organisations in this respect, noting the difficulty of obtaining funding for tech initiatives, especially when budgets are tight. Some participants suggested alternative funding approaches such as seeking sponsorships from cybersecurity vendors; leveraging corporate social responsibility (CSR) programmes; and utilising free resources like the National Cyber Security Centre (NCSC) and Met Police Cyber Unit.

The complex issue of cyber insurance was discussed, with the overall tone suggesting that cyber insurance is moving from a reactive to a more proactive and collaborative approach. Several useful insights for the future state of cyber insurance were presented, specifically the potential for a government-backed cyber insurance model, the possibility of a “Flood Re” equivalent for cyber risks, and the possibility of developing more granular certification levels for insurability. The idea of self-insurance was also discussed.

Board level involvement and communication

Those in attendance highlighted the importance of board-level buy-in and understanding, treating cyber threats as a business risk rather than purely a technical problem. One delegate noted that board-level investment is crucial. Companies need to be prepared to invest “serious money” in cybersecurity, or they’ll end up with a “half-cut system”, leaving them vulnerable. To achieve this, several key ideas were raised - translation of cyber risks into business language; quantification of cyber risk as the dollar value of potential loss; linking cybersecurity to client demands and competitive positioning; using visualisation tools like maturity matrices and heat maps; and inclusion of the board in simulation exercises.

The key message was that effective board communication requires translating technical risks into business language, demonstrating tangible impact, and treating cybersecurity as a strategic business imperative.

Challenges in incident response and coordination

The sheer complexity of incident response was highlighted by a number of those present, particularly if it involved coordination of responsibility across multiple organisations. This was put into even sharper relief when discussing the ever-growing threat surface presented by every organisation’s supply chain, particularly in light of the advances in business email compromise and “attacker in the middle” attacks. Furthermore, the attendees agreed that including third-party providers in any attack simulations and incident management was essential to robust resilience, and the need for provisions and safeguards in contracts to stipulate third-party participation was additionally highlighted. The role of the NCSC in providing guidance and direction was generally praised.

Sources of threat intelligence

Many delegates highlighted the importance of accurate and timely threat intelligence, and several key approaches were discussed, including:

• Reliance on external SOC partners, leveraging their broader visibility
• Community sharing - industry-specific Information Sharing and Analysis Centres (ISACs) were highly recommended
• Specific intelligence sources, including CVE, CISA, and the MITRE ATT&CK framework
• Specialised monitoring services for specific industry sectors

Challenges were also highlighted by the group. One delegate noted that interpreting threat intelligence is as important as obtaining it, while others agreed that multiple sources can create overhead in decision-making. There was agreement on the need for accurate prioritisation of vulnerabilities, and on the risks posed by the potential fragmentation between US and European threat intelligence frameworks. The consensus was that a multi-layered approach, combining external partners, community sharing, and structured databases, provides the most comprehensive threat intelligence.

Cybersecurity certifications and standards

Many of the delegates expressed the desire for a unified set of standards of cybersecurity certification, with one participant advocating for a tiered system (e.g. gold, silver, bronze) indicating resilience levels. Challenges presented by the current system were also discussed - for example, existing certifications like ISO 27001 and Cyber Essentials were seen as point-in-time snapshots, which have limited usefulness. Also, auditing is often viewed as a business in its own right that may not truly improve security, with the risk that companies find ways to “pass” audits without meaningful improvement.

Third-party certification was discussed, with strong interest in certifying suppliers and understanding their security maturity, as well as a desire for a standardised way to assess third-party cyber risk. A “traffic light” certification system for vendors was offered by one delegate. The practicalities of implementation were also mentioned, with participants promoting continuous assessment over annual certifications. Importance was also placed on making certifications meaningful and actionable, and reflective of “real-world resilience”, rather than just a paperwork exercise.

However, concerns were also raised about how far this need for additional certification and auditing could lead, particularly given the ever-growing list of legislation and regulation for businesses to comply with (including DORA, NIS2, the GDPR, etc.), and whether this could lead to the danger of organisations “auditing themselves to death”. The overall sentiment was a desire for more comprehensive, meaningful, and dynamic certification standards that truly improve organisational cyber resilience, while avoiding over-reliance on auditing.

A holistic response

The overarching view was that cyber resilience is a holistic approach to managing and mitigating cyber risks, integrated into the broader business strategy, rather than a siloed IT function. The discussion overall underscored the necessity of integrating cybersecurity into business culture and processes to enhance overall resilience. The conversation also covered the evolving nature of cyber threats, including nation-state actors and the need for proactive threat intelligence. The use of threat intelligence platforms like CVE and the EU vulnerability database was debated, emphasising the need for standardisation and collaboration to mitigate risks effectively.

To learn more, please visit: www.ek.co

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543