When a cybersecurity crisis happens, organizations often find themselves on their back foot. In a world where threats can come in many shapes and sizes, it’s impossible to proactively plan for every circumstance. That’s why in times of disruption, a spotlight often shines on resiliency. However, much of what organizations thought they knew about resiliency is stale, outdated, and insufficient protection for the modern enterprise.

In many cases, the greatest risk to business resiliency isn’t disruption, it’s stagnation. Disruption is a given. Being able to recognize, contextualize, and act upon critical risks in a modern, data-driven fashion, isn’t.

Resilience is a large, multi-faceted concept undergoing significant transformation. It requires a holistic view, allowing traditionally siloed domains to converge to mitigate emerging threats. This convergence is required to facilitate a well-orchestrated response and recovery from high-impact events.

With a modern approach, organizations can become more confident in their resilience.

What is operational resilience?

Today, discussions on resilience focus on operational resilience, which includes business resilience, technical resilience, cybersecurity resilience, and data resilience. It covers the entire scope of an enterprise's operations. Consequently, resilience should be designed and integrated into various domains, such as business continuity, human health and safety, physical security, cybersecurity, privacy, data protection, incident response, and crisis management rather than being addressed as an afterthought.

The key to unlocking resilience is proactive planning and shared responsibility across these groups. Within cybersecurity, for example, traditionally enterprise security has fallen squarely on the CISO. But today, amid rising threats, that is changing. CISOs are increasingly getting a seat at the table, which includes increased collaboration with the C-suite and sometimes structural changes where the CISO reports directly to the CEO or chief risk officer.

Extending the chief risk officer role to include resilience emphasizes that resilience is a critical piece in the overall health and success of an organization. It also shows that resiliency is as diverse and as large a discipline as the areas it oversees, such as cybersecurity.

Why is this more important than ever? It’s clear that the stakes for organizations have never been higher. Not only is business continuity essential to any enterprise, but weak resilience can cause reputational fallout amid a headline-grabbing crisis. While there are somewhat unpredictable risks like natural disasters, there are also risks that can be predicted and actively monitored, like rising cybersecurity threats.

Deloitte’s “2024 Annual Cyber Threat Trends” report found that ransomware affected 66% of organizations in 2023, and that number is expected to increase. Managing third-party risk is at the forefront because criminals can exploit an opening in one company and move to other systems undetected. It’s important for organizations to assess the resilience strategies of their entire ecosystem. The interconnectivity of operations between suppliers, business partners, and technology support organizations makes any risk a shared risk, underscoring the fact that resilience is a shared responsibility.

The idea of shared responsibility is gaining traction in security communities. For example, this year’s theme for October’s Cybersecurity Awareness Month was “Secure Our World,” emphasizing connectivity and the steps individuals and businesses can take to protect themselves and the wider ecosystem. As such, there is no better time to revisit your security strategies and resiliency plans.

What to watch for

There’s no one-size-fits-all plan for resilience – it’s important for organizations to fully understand their critical business services and processes when developing their resilience strategy. However, there are some common stumbling blocks to watch out for, including:

  • Plans built for compliance, not resilience: Oftentimes, testing and exercising programs are designed to meet compliance requirements, not to identify gaps and opportunities for resilience enhancement. Additionally, static documents and plans can quickly become outdated without regular maintenance or fresh data.
  • Lack of visibility with leadership or failure to show ROI: To avoid this potential pitfall, measure and align recovery capabilities to the strategic goals of the organization. Take care not to overcorrect and overemphasize the number of plans and conducted exercises as a measure of program effectiveness. This can create a false sense of preparedness and response capabilities.
  • Unclear roles and responsibilities when a disaster occurs: This results from siloed efforts across crisis management, disaster recovery, and business continuity, and increasing collaboration across these groups can help mitigate any disconnect.

Embarking on a holistic resilience plan

True resiliency requires a collaborative cross-business effort. A good place to start is by asking exploratory questions of those holding resilience roles at your organization around readiness, prevention, monitoring, and response to get a pulse check on current resilience capabilities. This includes questions like: “how diligently are you monitoring to ensure the early detection of potential threats?”, “when was the last time our leaders exercised their resilience muscle by restoring operations during a live event?” and “what one thing should we work on that would give you more confidence in our resilience capabilities?”

Armed with answers, the next step is to align on a governance model as well as an integrated engagement model to connect capabilities into a holistic resilience program. These capabilities – including data-driven decision-making, scenario modeling, resiliency by design, management of third-party risk, and convergence of cybersecurity and resilience in the field – can make or break resiliency.

For example, data-driven decision-making uses high-quality data, rather than static, outdated materials, to drive efficiency and improve decisions when disruptions occur. Horizon scanning and scenario modeling, in turn, confirm that specific business units, regions, and business services are aware of potentially disruptive scenarios and model their resilience strategies against them, producing more accurate results.

Truly resilient organizations understand that traditional business continuity management methods and static plans are insufficient for mitigating contemporary risks. Instead, they focus on strategically designing and positioning assets and information to improve their capacity to withstand and recover quickly from disruptions. Organizations that don’t take steps toward improved resilience may experience long shutdowns, lost data, and months to recover to business as usual. Some may never recover.