The Expert View: Building organisational cyber-resilience

Faced with today’s ever-expanding range of threats, businesses need to move from cyber-security maturity to cyber-resilience, said Adrian Cornell, Head of Sales for UK and Ireland at Immersive Labs. Introducing a TEISS Breakfast Briefing at the Goring Hotel in London, Cornell said that this requires a skilled staff and a board willing to back the necessary efforts. Many organisations, he said, are not sufficiently prepared to take the step.

At its core, the difference between cyber-maturity and cyber-resilience is between protecting the “crown jewels” – the most valuable data and systems – and ensuring that entire systems remain functional under threat or can be restored quickly after an outage. Where cyber-security is a bulwark against potential threats, cyber-resilience is the capability to bounce back when those defences are breached.

This is more than just a technology problem. People and culture are an essential part of a resilient organisation. That means finding and retaining IT experts with the right blend of skills, as well as ensuring staff throughout the business are educated in cyber-resilience and trained in what to do about it. Regular and repeated cyber-exercises across the whole workforce are an important way for CISOs to assess and demonstrate cyber-capabilities.

Establishing a foundation

Resilience comes at a cost, and two concepts play an indispensable role: the recovery time objective (RTO) and the recovery point objective (RPO). RTO refers to the target time within which a business process must be restored after a disaster to avoid unacceptable consequences. In other words, how long your business can afford to be “down” post-incident.

On the other hand, RPO is about data. It determines the maximum acceptable amount of data loss measured in time. Essentially, it’s the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs. For instance, an RPO of one hour means the organisation must recover data from no more than an hour before the disruption. The shorter the RPO and RTO, the more expensive the resilience plan.

The organisation’s appetite for risk and its willingness to cope with downtime often run into budget constraints. Those at the briefing said that stakeholders seldom like to discuss risk because they find it hard to conceptualise. However, reshaping the conversation around lost revenue or brand damage can help them understand the consequences of poor resilience.

Prioritisation and identification

A resilient organisation must begin by understanding its needs, according to attendees. There is often a miscommunication in how businesses establish their critical systems. The IT department might view a system as critical, whereas the business no longer sees it as important. Equally, the business might not have considered which systems are truly vital.

There are tools that can mitigate this, some attendees pointed out, such as those offering automated or continuous discovery of assets on the network. But the best approach is for IT and the business to spend time together assessing the priority of each system. The most vital systems and data can then be supported with the greatest resilience.

It’s easy for businesses to overlook critical systems, such as payroll. If an incident prevents people getting paid, then that will have obvious effects on recovery efforts. And, briefing attendees warned, hidden vulnerabilities can also lurk in legacy systems, technical debt and even key personnel dependencies. It’s not enough to back up just software. Configurations – a roadmap for the software – are equally vital.

Regulatory and reporting challenges

Regulated industries face the added challenge of maintaining resilience to a standard that satisfies the regulator. What they often forget, one executive noted, is that they need to be able to continue reporting to the regulator, even during an incident, and that they have a responsibility to gather evidence during an incident, as well as focusing on recovery.

For companies that operate in multiple nationalities, the problem is multiplied. Regulators in each country will likely have different requirements and reporting standards, and businesses must ensure that they are compliant while still running a joined-up operation.

People are central to making all this work. Businesses need workers with the skills to manage an incident and the ability to adapt to what is likely to be a rapidly changing situation. There was widespread agreement that more work is needed to address the cyber-security skills shortage, to improve resilience.

There is only so much that people can do, though. And, with busy jobs to deal with, it’s all too simple for people to just tick the necessary boxes when it comes to resilience. It’s easy to convince yourself that it will probably never happen. That why, attendees emphasised, it is vital to regularly test and validate systems to ensure that in the heat of a crisis things behave in the expected fashion.

The business landscape has shifted. Cyber-threats, once an IT issue, now have boardroom implications. Cyber-resilience, therefore, isn’t a luxury – it’s an imperative. Organisations must adopt a proactive stance, weaving resilience into their operational fabric, ensuring that they don’t just survive but thrive in a digital-first world.

For more information, please visit immersivelabs.com.