Red Sift's guide to building your cyber resilience strategy
Introduction

What is cyber resilience?

For many security leaders today, it can feel like they are working against a stacked deck.

Understaffed and stressed security teams, the prospect of AI making cybercrime more prevalent and efficient, and a rapidly changing regulatory landscape are just three pressing factors that an organization’s security strategy must incorporate.

C-Suite leaders can no longer look at cybersecurity as something that is handled in a silo, with individual threats that only require sufficient focus to survive one-off attacks. Instead, they need to muster people, processes and technology to achieve cyber resilience.

Cyber resilience refers to an organization’s ability to anticipate, respond to, and recover from cyber attacks while continuing to operate effectively. It encompasses a comprehensive set of strategies, processes, and technologies that mitigate the impact of cyber incidents and enable rapid and efficient recovery.

Conceptually, this may seem simple and straightforward enough. But why has it taken so long for holistic resilience strategies to become mainstream? Historically, conversations around cybersecurity have been reactive and tactical: ‘How did the breach happen?’ ‘How much is it going to cost to remediate?’ ‘How are we going to prevent this from happening again?’ ‘Does our insurance cover it?’ and, of course, ‘Whose fault was it?’

But a sea change is underway. Leaders are recognizing that a smoothly operating organization requires real cybersecurity that can anticipate, adapt, and overcome. Organizations can no longer wait for disaster to strike or, when it does, count on insurance to prop them up. IBM reports that the average cost of a data breach has reached $4.45 million in 2023.

Time is the new currency in cybersecurity, and it can work both for and against organizations. Time is critical given that the cost of preventing a breach is far smaller than the cost of recovering from one. The one surefire method of reducing the cost of a breach is faster incident response.

Given the pressing challenges, cyber resilience allows CISOs not only to react but to shift to a strategic proactive approach.

This briefing report gives CISOs practical guidance on how to begin achieving cyber resilience within their organizations.

Why build a cyber resilience strategy?

To security leaders, the drivers for cyber resilience may be obvious: less downtime, fewer successful attacks and faster resolution, to name a few. But cyber resilience also has other meaningful business-level impacts.

Minimized Financial Loss

Cyber attacks can result in substantial financial losses due to data breaches, system downtime, legal costs and penalties, as well as reputational damage. Cyber resilience measures help minimize these losses by reducing both the likelihood and impact of attacks. Verizon’s just-released Data Breach Investigations Report (DBIR) notes that the financial impact of data breaches is increasing: the average cost of a data breach is now $4.24 million, up from $3.86 million in 2021, with ransomware accounting for one out of every four breaches.

Enhanced Reputation and Trust

Organizations that demonstrate strong cyber resilience earn the trust of their customers, partners, and stakeholders. By protecting sensitive data and ensuring business resilience and continuity, organizations can maintain their reputations and competitive advantage. From our own research, the ROI for cyber resilience strategies can be as high as 5 to 1.

Remember, too, that consumers are also negatively affected by cyber attacks. The Colonial Pipeline hack resulted in gas shortages across the Southeast of the United States. Attacks against healthcare systems have created chaos for hospitals and patients alike.

As a joint Forbes and IBM report wisely notes: Winning back trust also has a profound cost. Consumer confidence is a clear differentiator for business. Digital trust is defined by ISACA as “the confidence in the relationship and transactions among providers and consumers within the digital ecosystem. This includes the ability of people, organizations, process and technology to create and maintain a trustworthy digital world.”

Regulatory Compliance

Cyber resilience is closely tied to regulatory compliance requirements in many industries. Class action lawsuits are driving change. The settlements in data breach class actions have reached well into the millions of dollars: SolarWinds ($26 million); Equifax ($575 million); Home Depot ($200 million); Capital One ($190 million); Uber ($148 million); Morgan Stanley ($120 million); and Yahoo! ($85 million). These class actions, along with a matured understanding of the role of government in protecting organizations, stakeholders, and consumers, have led to a radically transformed regulatory environment. Just consider the changes coming into play with the SEC’s cybersecurity rules or the California Consumer Privacy Act (CCPA).

Competitive Advantage

In a digital landscape where cyber threats are pervasive and constant, organizations that prioritize cyber resilience are set to gain a competitive edge. Customers, investors, and partners are more likely to choose organizations that demonstrate a robust cybersecurity posture and the ability to withstand cyber attacks.

Gartner reports that “By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” The same research also predicts that by 2027, 50% of large enterprise CISOs will adopt human-centric security design practices. Achieving cyber resilience goals allows your organization to gain and retain cyber talent in today’s highly competitive marketplace.

Remember Benjamin Franklin’s adage on the merits of fire awareness and prevention: “An ounce of prevention is worth a pound of cure.”

Downtime costs may not be survivable for many organizations, particularly small to medium-sized enterprises where competition is fierce. Uptime Institute’s 2022 Outage Analysis Report found that more than 60% of outages ended up costing businesses more than $100,000. Even worse: 15% cost over $1 million.

The five step process for cyber resilience

Organizations are beginning to implement cyber resilience processes that help them proactively identify and remediate issues quickly and at scale.

It all starts with the recognition that cyber resilience requires robust risk management.

While there are many variations and many frameworks, from Gartner® Continuous Threat Exposure Management (CTEM) to NIST’s Five Pillars in the Cybersecurity Framework, their approaches align around very similar risk management concepts.

At the heart of every cyber resilience process and framework (including this one) is the principle that the process must be grounded in risk management. With risk management policies in place, we know what to do when things go wrong. Risk management done right sheds light on roles, responsibilities, what to protect and at what level, and more.

As Michael Chertoff puts it, “We can turn risk into opportunity: if we can coalesce around mechanisms to measure cybersecurity performance with transparency, accuracy, and precision.”

Also, risk management strategies must be understandable using plain language for leaders and practitioners alike. Keep in mind that the International Standards Association suggests that plain language will benefit all industries and sectors.

Critically, cyber resilience is a continuous cycle – there’s no such thing as “one and done” here. Instead, a resilient organization is constantly evolving to meet changing risks and needs. Done properly, the cyber resilience process will be nimble while continuously working through the five steps based on organizational bandwidth and emerging threats.

Increasingly, large, cumbersome cross-departmental initiatives are being broken into multiple parallel, rapid projects. Remember that time is the new currency. Accordingly, our approach is broken down into these steps: Focus, Action Plan, Verify, Prioritize, and Remediate.

Step 1: Focus

Mozart was hugely productive. His adage should ring true to many: “The shorter way to do many things is to do one thing at a time.”

Put more bluntly, the death of any strategic initiative is trying to do everything at once. According to recent studies, some 60–90% of strategic plans never fully launch. And that is no different in cybersecurity.

Many security and risk frameworks fail to properly take sequencing into account, forcing organizations to start with the step of gathering mounds of intelligence about all potential exposures, risks, and threats the organization could face.

And yet… the reality is that today’s cybersecurity teams are almost universally understaffed and tasked with supporting and sustaining the organization against constant challenges. For most, understanding the overall cyber risk is bound to lead to large backlogs of items that will never be actioned.

Instead, CISOs or others charged with managing cyber risk should begin by scoping the current iteration of the cyber resilience process.

This process can be scoped by:

  • Attack surface (e.g., external-facing assets, cloud assets),
  • Threat vector (e.g., lookalike domains, insecure emails), or
  • Business application (e.g., brand abuse, executive impersonation).

Critically, you need to start somewhere and build out.

Step 2: Action Plan

While many cybersecurity approaches make the last step “fix” or “recover,” the action plan for remediation is best considered shortly after a project is scoped.

This can be helpful for scenario planning, identifying key stakeholders to involve in the process, and gaining organizational alignment on resources and timeline.

For example, if a current cyber resilience initiative is focused on brand abuse, security teams should not wait until impersonating websites are discovered to create a plan for resolution. Instead, the cross-functional team should agree on the action that will be taken when an impersonating website is discovered.

It is imperative to begin with the end in mind and build the plan accordingly.

Digital transformation has made this step even more important than it once was. While there are often automated fixes for issues — like patches or upgrades — it is becoming increasingly common for remediation to require human intervention. All the while the non-patchable surface is growing.

Gartner® reports that “through 2026, nonpatchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices.”

Action plans will require the involvement of non-technical stakeholders as well. This should include employee training, business-wide communications about new threats, and regular conversations with the board and C-suite about enterprise-level risk.

Going forward, action planning will be centered upon leadership’s ability to drive organizational change when critical challenges are discovered.

Step 3: Verify

Once a team has scoped this iteration of the cyber resilience process and worked cross-functionally to agree on an action plan with stakeholders, they need to verify that remediating the identified exposures, risks or threats is the best investment of resources – including time.

Generally, this comes down to three key questions:

  • Is this genuinely exploitable? 85 percent of security issues in backlogs cannot be exploited.
  • What are the attack paths? And which are most likely to be exploited?
  • Can we remediate it quickly enough to have an impact?

The best way to do this is to see your organization through the eyes of an attacker. Once dominated by larger organizations, the “attacker’s eye view” approach is becoming widely accepted and is the key to having an anticipatory strategy. Shutting open doors and hardening your defense is critical to making yourself less likely to suffer a costly breach.

Step 4: Prioritize

Once issues have been validated as truly being exploitable, the security team can then begin prioritizing the issues to be fixed.

In short: Risks that are in scope and have been validated as truly exploitable should be prioritized based on business impact, likelihood of exploit and severity.

While automated tooling can help classify risks with traffic light systems or ‘high’, ‘medium’ and ‘low’ ratings, human judgment that takes full advantage of people, process, and technology is required to truly prioritize what matters most for protecting critical assets.

Step 5: Remediate

Once a team has gone through the first four steps, they are equipped to remediate.

Automated tools are the key for this to become achievable at scale. And it is important that the technology used is suitable for the scope.

Finding risks does not begin and end with staff patching critical vulnerabilities. Instead, the security team and those charged with enterprise risk management need to take a holistic view that accounts for known and unknown risks. These might be lookalike assets, vulnerabilities, misconfigurations and any other doors that could be opened by bad actors.

The key to this step is realizing the number of found issues is not the metric to optimize. The key is the business impact the team can have (and communicate about effectively).

Remember, this is about plain business language. The moment you go off in the direction of technical complexity, you will lose a considerable portion of your stakeholders’ and leadership’s attention.

Critical components of cyber resilience

As with nearly every security initiative, pursuing a cyber resilience strategy cannot happen in a silo. Even with the right process, C-suite leaders need to also leverage people and tools effectively for the initiative to succeed.

People

Training

It is well known that humans are often the weakest link in any security strategy. As stated earlier, 74% of all corporate data breaches involved people. For a cyber resilience program to succeed, it needs to also include robust cybersecurity policies and employee training.

Culture

Anticipating, adapting to and overcoming breaches requires cultural shifts in how businesses manage risk. As happened with the shift to DevOps, our conversations around incidents need to become blameless. Given the mounting pressures, there simply is no space for a blame culture. Starting with blame-oriented questions will make things worse and cause people – your most important asset – to ignore or avoid potential security issues. It is better to strengthen your organization’s security culture through shame-free training and awareness, ultimately addressing root causes as the most effective way to build a cyber resilient culture.

Remember: You want your staff and leadership to flag potential problems. If they can see an issue, it’s likely your adversaries can as well.

Communication and Collaboration

Effective communication within an organization and with external stakeholders is crucial before, during, and after a cyber incident. Promptly notifying relevant parties, such as customers, partners, and regulatory bodies, builds trust and allows for coordinated efforts to mitigate the impact of the attack.

Burying your head in the sand will not work.

Take the positive example of Werner Lanthaler who rushed to the office after learning his biotech company Evotec had been hacked. In what may become an example for others to follow, according to the Wall Street Journal, Lanthaler took an “uncommonly active, public role in the cyber response at Evotec. He communicated personally with business partners, wrote an open letter about the attack in the midst of Evotec’s ordeal and held town-hall meetings with employees every few days to provide updates.”

Tools

Prevention

Looking through the eyes of an attacker and taking proactive measures to harden any weaknesses an attacker would see is acknowledged as the way forward to significantly reduce the likelihood of a successful cyber breach.

Standard measures include protection against:

  • Exact domain impersonation
  • Lookalike domain impersonation
  • Logo and brand abuse
  • Invalid certificates and certificate chains
  • Open ports
  • DNS and dangling DNS issues
  • Use of HTTP rather than HTTPS

By implementing strong preventive measures, organizations can significantly reduce the likelihood of successful cyber breaches.
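As an added example (not code from this report or from any Red Sift product), the following triages a list of observed domains against a protected brand domain, covering the exact-domain and lookalike categories listed above from a defender’s side: it folds visually confusable characters and punycode labels to an ASCII skeleton, then classifies each candidate as a homoglyph, combosquat, typosquat or TLD swap. The confusable table, the sample domains and the distance thresholds are constructed assumptions, and public-suffix handling is deliberately out of scope.

```python
import unicodedata

# Constructed, illustrative substitution table (not exhaustive): characters and
# digraphs that are visually confusable with ASCII letters.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "rn": "m", "vv": "w", "cl": "d"}


def registrable_label(domain: str) -> str:
    """Return the second-level label, decoding a punycode (xn--) label if present.
    Assumes a single-label public suffix such as .com (no PSL handling)."""
    labels = domain.strip().lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    return label


def skeleton(label: str) -> str:
    """Fold a label to an ASCII 'skeleton' so visually similar strings compare equal."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return folded.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(protected: str, candidate: str) -> str:
    """Classify one observed domain relative to the protected brand domain."""
    if protected.strip().lower().rstrip(".") == candidate.strip().lower().rstrip("."):
        return "exact"          # the organization's own domain
    p, c = registrable_label(protected), registrable_label(candidate)
    if p == c:
        return "tld-swap"       # same label under a different suffix
    ps, cs = skeleton(p), skeleton(c)
    if ps == cs:
        return "homoglyph"      # differs only by confusable characters
    if ps in cs:
        return "combosquat"     # brand label embedded with extra tokens
    if edit_distance(ps, cs) <= (1 if len(ps) < 8 else 2):
        return "typosquat"      # one or two keystrokes away
    return "unrelated"


def lookalikes(protected: str, observed: list[str]) -> list[tuple[str, str]]:
    """Keep only candidates worth a human look (drops own and unrelated domains)."""
    return [(d, k) for d in observed
            if (k := classify(protected, d)) not in ("exact", "unrelated")]


# Constructed sample of domains "observed" in CT logs or passive DNS (illustrative only).
OBSERVED = ["redsift.com", "red5ift.com", "redsift-login.com",
            "redsif.com", "redsift.net", "example.org"]


def triage_sample() -> list[tuple[str, str]]:
    return lookalikes("redsift.com", OBSERVED)


if __name__ == "__main__":
    for domain, kind in triage_sample():
        print(f"{kind:<11} {domain}")
```

The skeleton step is what makes a digit-for-letter or accented-letter substitution (including one hidden behind a punycode label) compare equal to the brand; the distance thresholds are a tuning knob, and a short brand label with a threshold of 2 will start flagging unrelated names.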

Security experts often refer to the multiple stages of an attack as a “cyber kill chain.” To defend your organization, you need protection at each stage of the chain.

As Cisco notes in a recent report, the bad news is that “no single technology can eliminate ransomware by itself because you need to protect multiple points of entry and spread.”

Detection and Response

Despite preventive measures, cyber incidents can still occur. As former FBI Director Robert Mueller put it at RSA in 2012: it is no longer a question of “if,” but “when” and “how often.” “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Therefore, organizations must invest in advanced threat detection systems and establish risk management plans. After all, timely detection and swift response can help mitigate the impact of attacks, minimize data loss and protect critical systems.

Closing remarks

In today’s interconnected world, cyber resilience is the shared goal of government, industry, and society at large. Embracing cyber resilience is a strategic imperative to protect critical assets, maintain operations, and secure the trust of society and stakeholders in an evolving threat landscape.

By investing in a cyber resilience process and augmenting it with the right approaches to people and tools, organizations can enhance their ability to withstand cyber threats.

Organizations that prioritize cyber resilience gain a competitive edge. Customers, investors, and partners are more likely to choose organizations that demonstrate a strong cybersecurity posture and the ability to withstand cyber attacks. By showcasing their dedication to protecting sensitive information and maintaining operational stability, organizations can differentiate themselves and attract valuable stakeholders.

Sean Costigan is an expert in emerging security challenges and a highly sought-after speaker on technology and national security. He is the lead for NATO’s cybersecurity curriculum and is widely published on national security matters relating to information security and hybrid threats. He is also a Professor at the George C. Marshall Center, where he educates on global cybersecurity, hybrid warfare, crime, and national security.
