Security Vs. Resilience – which promotes business value best?

Cyber security is usually associated with the protection of information. That is technically correct, but a narrower and simpler definition avoids muddying the water in a business setting: cyber security is the frontline defence of your computer systems, stopping unauthorised users from getting into your network, reading what is on it or damaging it. The average financial cost of a single data breach to businesses in 2019 was £3 million. Driving business value is not just about making money; it is also about eliminating needless costs, and the power to do that does not lie only with the technical staff. Managers can make a difference.

Cyber security matters because once your systems are compromised it can be hard even to recognise that a breach has happened: in 2019 the average UK SMB took 101 days to discover one. An adept intruder needs only hours of network access to compromise large swathes of information once the security measures are bypassed, so consider what can be achieved in over a hundred days. That is why every business needs a management approach that can identify and implement a suitable cyber resilience framework.

 

Meet your fire prevention officers – Security and Resilience

Thinking purely in terms of security may not be enough to keep you safe. Resilience is key. The best implementations of cyber resilience integrate security and resilience in a way that complements the existing business strategy. An analogy may explain it better. Imagine security and resilience personified as two fire prevention officers, both tasked with keeping a building safe from fire. They would take very different approaches.

Security would take every possible precaution to ensure that nothing flammable entered the building and that no open flames were allowed on the premises. Security coalesces around prevention. That sounds sensible, but it can be restrictive, and it can never be infallible: the defender has to block every attempt, while the attacker only has to succeed once.

Resilience, by contrast, would focus on making sure that when a fire does break out, everyone in the building knows how to fight it and how to keep the damage to a minimum. That means fire extinguishers in every room and training for the people who occupy the building, because it would be naive to assume a fire will never happen. Combining the two approaches gives the strongest possible cyber defence.

 

It’s all a matter of perspective

Cyber resilience starts from the assumption that you are going to get hacked; believing otherwise is hubris, and by the time you find out it is too late. That is why resilience is more rounded than an approach dedicated purely to cyber security. It is a mindset that stops incidents turning into crises by building a layered detection and recovery plan, and it is as important as prevention. Across cyber security and cyber resilience there are three perspectives, matching the three classic categories of security control, that mesh together to manage risk and support the business: preventive, detective and corrective.

  • Preventive: This perspective lies in the domain of cyber security. The importance of preventing attacks needs no explanation: identifying gaps in your security and shoring up the weak points is the obvious starting point. In a perfect world this would be all you need; put the preventive measures in place, then sit back knowing that your territory is safe from invasion. In practice no set of preventive controls is complete, which is why the next two perspectives exist.

 

  • Detective: This is the first real introduction of resilience. Knowing in advance how you will detect a breach of your network is crucial; if you do not know anything is wrong, you cannot hope to fix it. Vigilant monitoring of your systems is what shrinks the months-long discovery times mentioned above to hours or days, and it shows an appropriate awareness that the threat is persistent.

 

  • Corrective: At the heart of cyber resilience lie the procedures that must be followed to contain an intruder and swiftly remove their presence from your systems. The corrective perspective is not only about the individual incident, though. A true corrective course means changing your procedures after each incident so that you recover quickly and are better prepared for the next threat. Driving improvement through change is a management staple, and it cannot be ignored in the cyber landscape.

 

Expanding your horizons to encompass all three of these perspectives, rather than prevention alone, unlocks a new depth of cyber preparedness.

 

Security, that dirty word

Anyone trained in security will have been told that security is not, as “S words” go, a dirty word. The point is that, to many people, the word is synonymous with being attacked and it puts them on edge, so they do not engage with security as they should. That attitude spreads through the business and undermines the vigilance of other staff. Phishing emails accounted for 90% of data breaches this year, so one individual’s mistake can expose the entire network, and a successfully phished organisation becomes a target for repeated attacks.

You do not have to be technically minded to build resilience. As a manager adopting the frameworks outlined in Resilia, you can enhance the effect of your current security by introducing resilience frameworks to your organisation. For example, a CISO following the guidance is expected to keep asking one question before any task: “What are the potential cyber implications of what I’m doing here?” Because Resilia is built on the ITIL lifecycle, this best practice guidance integrates with existing service management frameworks, so there is no excuse for anyone who fears that implementing cyber resilience will disrupt current operations. Organisations can make the most of their existing IT service management investments and add resilience as a new capability. We can see the dollar signs appearing in your eyes: this is the icing on the cake (a value-flavoured cake).

 

 

So, as you will see, there is no single “best value” driver among these cyber concepts; security and resilience are equally valid and work best together. Service managers stand to create a huge uptake in business value by becoming knowledgeable in the Resilia frameworks, which give you the tools to build the best possible cyber defence. Want to find out more? Contact us today!

