Building Your Cyber Resilience Strategy for 2024

The Five Step Process for Cyber Resilience

Organizations are beginning to implement cyber resilience processes that help them proactively identify and remediate issues quickly and at scale.

And it all starts with the necessary awareness that cyber resilience requires robust risk management to enhance security.

While there are many variations and many frameworks, from Gartner® Continuous Threat Exposure Management (CTEM) to the five core functions of NIST's Cybersecurity Framework, the approaches align around very similar risk management concepts.

At the heart of all processes and frameworks for cyber resilience (including this one) is that the process must be situated in risk management. With risk management policies in place, we can know what to do when things go wrong. Risk management done right sheds light on roles, responsibilities, what to protect and at what level, and more.

As Michael Chertoff puts it, “We can turn risk into opportunity: if we can coalesce around mechanisms to measure cybersecurity performance with transparency, accuracy, and precision.”

Also, risk management strategies must be understandable in plain language by leaders and practitioners alike. Keep in mind that the International Organization for Standardization (ISO) suggests that plain language benefits all industries and sectors.

Critically, cyber resilience is a continuous cycle – there’s no such thing as “one and done” here. Instead, a resilient organization is constantly evolving to meet changing risks and needs. Done properly, the cyber resilience process will be nimble while continuously working through the five steps based on organizational bandwidth and emerging threats.

Increasingly, large, cumbersome cross-departmental initiatives are being broken into multiple, parallel rapid projects. Remember that time is the new currency. As such, our approach is broken down into these steps: Focus, Action Plan, Verify, Prioritize, and Remediate.

Step 1: Focus

Mozart was hugely productive. His adage should ring true to many: “The shorter way to do many things is to do one thing at a time.”

Put more bluntly, the death of any strategic initiative is trying to do everything at once. By some estimates, 60–90% of strategic plans are never fully executed. Cybersecurity is no different.

Many security and risk frameworks fail to properly take sequencing into account, forcing organizations to start with the step of gathering mounds of intelligence about all potential exposures, risks, and threats the organization could face.

And yet… the reality is that today’s cybersecurity teams are almost universally understaffed and tasked with sustaining the organization against constant challenges. For most, trying to catalogue the organization's entire cyber risk up front produces a large backlog of items that will never be actioned.

Instead, CISOs or others charged with managing cyber risk should begin by scoping the current iteration of the cyber resilience process.

This process can be scoped by:

  • Attack surface (e.g., external-facing assets, cloud assets),
  • Threat vector (e.g., lookalike domains, insecure email),
  • or Business concern (e.g., brand abuse, executive impersonation).

Critically, you need to start somewhere and build out.

Step 2: Action Plan

While many cybersecurity approaches make the last step “fix” or “recover,” the action plan for remediation is best considered shortly after a project is scoped.

This can be helpful for scenario planning, identifying key stakeholders to involve in the process, and gaining organizational alignment on resources and timeline.

For example, if a current cyber resilience initiative is focused on brand abuse, security teams should not wait until impersonating websites are discovered to create a plan for resolution. Instead, the cross-functional team should agree on the action that will be taken when an impersonating website is discovered.

It is imperative to begin with the end in mind and build the plan accordingly.

Digital transformation has made this step even more important than it once was. While there are often automated fixes for issues — like patches or upgrades — it is becoming increasingly common for remediation to require human intervention. All the while the non-patchable surface is growing.

Gartner® reports that “through 2026, nonpatchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices.”

Action plans will require the involvement of non-technical stakeholders as well. This should include employee training, business-wide communications about new threats, and regular conversations with the board and C-suite about enterprise-level risk.

Going forward, action planning will be centered upon leadership’s ability to drive organizational change when critical challenges are discovered.

Step 3: Verify

Once a team has scoped this iteration of the cyber resilience process and worked cross-functionally to agree on an action plan with stakeholders, they need to verify that remediating the identified exposures, risks or threats is the best investment of resources – including time.

Generally, this comes down to three key questions:

  • Is this genuinely exploitable? 85 percent of security issues in backlogs cannot be exploited.
  • What are the attack paths? And which are most likely to be exploited?
  • Can we remediate it quickly enough to have an impact?

The best way to do this is to see your organization through the eyes of an attacker. Once dominated by larger organizations, the “attacker’s eye view” approach is becoming widely accepted and is the key to having an anticipatory strategy. Shutting open doors and hardening your defense is critical to making yourself less likely to suffer a costly breach.


Step 4: Prioritize

Once issues have been validated as truly being exploitable, the security team can then begin prioritizing the issues to be fixed.

In short: Risks that are in scope and have been validated as truly exploitable should be prioritized based on business impact, likelihood of exploit and severity.

Automated tooling can help classify risks with traffic-light or ‘high’, ‘medium’, and ‘low’ ratings. But truly prioritizing what matters most for protecting critical assets requires human judgement that draws on people, process, and technology together.
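To make Steps 3 and 4 concrete, here is an added example (not code from the guide or its authors) that runs a small findings backlog through the same two gates: first verify that a finding is validated as exploitable and that an attacker actually has a path to the affected asset, and only then rank what survives by business impact, likelihood and severity. The asset graph, criticality values, sample findings and the scoring formula are all constructed assumptions for illustration; a real deployment would feed these from an asset inventory, attack-path tooling and validated scanner output.

```python
"""Added example, not part of the guide: run the Verify and Prioritize steps over a
small findings backlog. The asset graph, criticality values, findings and scoring
formula below are all constructed assumptions for illustration."""
from collections import deque
from dataclasses import dataclass

# Constructed attack-path graph. An edge a -> b means that an attacker who controls
# a has a route to b (network reachability, a trust relationship, reused credentials).
ASSET_GRAPH = {
    "internet": ["web-portal", "vpn-gateway", "lookalike-domain"],
    "web-portal": ["app-server"],
    "vpn-gateway": ["app-server"],
    "app-server": ["customer-db"],
    "lookalike-domain": [],
    "hr-laptop": ["hr-share"],   # only reachable with pre-existing internal access
    "hr-share": [],
}

# Assumed business criticality per asset, 1 (low) to 5 (crown jewel).
ASSET_CRITICALITY = {
    "web-portal": 3, "vpn-gateway": 4, "app-server": 4, "customer-db": 5,
    "lookalike-domain": 2, "hr-laptop": 2, "hr-share": 3,
}


@dataclass
class Finding:
    id: str
    asset: str
    title: str
    severity: float     # 0-10 technical severity, e.g. a CVSS base score
    validated: bool     # Step 3: confirmed genuinely exploitable, not just reported
    likelihood: float   # 0-1 estimate: exploit availability, observed activity, etc.
    fix_days: int       # estimated time to remediate
    sla_days: int       # how fast the fix must land to still matter


def reachable_from(graph, start):
    """Breadth-first search: every asset an attacker who controls `start` can reach."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_path(graph, start, target):
    """Shortest attack path start -> target as a list of assets, or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def triage(findings, graph=ASSET_GRAPH, criticality=ASSET_CRITICALITY, entry="internet"):
    """Verify, then prioritize. Returns three buckets:
      remediate - validated, reachable from `entry`, fixable inside its SLA;
                  sorted by criticality x likelihood x severity, highest first,
                  each with the attack path so it can be explained to stakeholders
      deferred  - real and reachable but not fixable in time; needs a compensating
                  control rather than a place in the patch queue
      dropped   - unvalidated or unreachable, with the reason, so it can be reported
    """
    exposed = reachable_from(graph, entry)
    remediate, deferred, dropped = [], [], []
    for f in findings:
        if not f.validated:
            dropped.append((f.id, "not validated as exploitable"))
        elif f.asset not in exposed:
            dropped.append((f.id, f"no attack path from {entry}"))
        elif f.fix_days > f.sla_days:
            deferred.append((f.id, "cannot remediate within SLA; needs compensating control"))
        else:
            score = round(criticality[f.asset] * f.likelihood * f.severity, 2)
            remediate.append((score, f.id, attack_path(graph, entry, f.asset)))
    remediate.sort(key=lambda t: (-t[0], t[1]))
    return {"remediate": remediate, "deferred": deferred, "dropped": dropped}


def sample_findings():
    """Constructed backlog used for the demonstration (not real scanner output)."""
    return [
        Finding("F1", "customer-db", "unpatched DBMS, public exploit", 9.8, True, 0.6, 3, 7),
        Finding("F2", "hr-share", "SMB signing disabled", 7.5, True, 0.5, 2, 14),
        Finding("F3", "web-portal", "outdated JS library (scanner hit)", 6.1, False, 0.4, 1, 30),
        Finding("F4", "lookalike-domain", "brand impersonation site", 5.0, True, 0.9, 1, 2),
        Finding("F5", "vpn-gateway", "vendor RCE, no patch available", 9.8, True, 0.8, 30, 3),
        Finding("F6", "app-server", "verbose error pages", 4.3, True, 0.3, 1, 30),
    ]


if __name__ == "__main__":
    for bucket, items in triage(sample_findings()).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

On the constructed backlog, the scanner-only finding (F3) and the internal-only share (F2) drop out before anyone spends time on them, the unpatchable VPN appliance (F5) lands in a separate bucket that calls for a compensating control rather than a patch ticket, and the remaining three are ordered with the crown-jewel database first. The attack path returned with each item is the plain-language story for leadership: which door is open and where it leads.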

Step 5: Remediate

Once a team has gone through the first four steps, they are equipped to remediate.

Automated tools are the key for this to become achievable at scale. And it is important that the technology used is suitable for the scope.

Remediating risks does not begin and end with staff patching critical vulnerabilities. Instead, the security team and those charged with enterprise risk management need to take a holistic view that accounts for known and unknown risks. These might be lookalike assets, vulnerabilities, misconfigurations, and any other doors that could be opened by bad actors.

The key to this step is realizing the number of found issues is not the metric to optimize. The key is the business impact the team can have (and communicate about effectively).

Remember, this is about plain business language. The moment you go off in the direction of technical complexity, you will lose a considerable portion of your stakeholders’ and leadership’s attention.
