Keys to Building Cyber Resiliency in Your Enterprise

For IT professionals with cyber security as their mandate, the job duties are clear: protect the enterprise and keep the business running. How that plays out depends on the sector. Manufacturers worry about supply chain disruptions. Tech companies are concerned about intellectual property theft. Banks are on the alert for ransomware attacks.

It’s natural to take an industry-specific approach to cyber. But it’s important to remember that cyber threats fall into common categories across sectors. Getting a clear picture of the threat environment requires accessing advanced intelligence and insights that you may not have handy without the right tools, policies, and public-private relationships. Such data and people-to-people connections are important in making decisions regarding threat characterization, equipment purchases, and staff training.

As the CIO at Draper and a Brigade Commander in the New Hampshire National Guard, I have seen the benefits of cyber threat preparation in business, government, and the military. Cyber resiliency, most agree, is never 100 percent assured. The threat environment keeps us on our toes. Proper preparation can enable your enterprise to do what the Defense Department calls for: defend forward.

Management Mindset

In the early days of the internet, cyber threat prevention and mitigation were left largely to IT. Now cyber resiliency is emerging as a top management concern. Recently the “Hiscox Cyber Readiness Report 2022,” which assesses how prepared businesses are to fight back against cyber incidents and breaches, reported that in seven out of eight countries, cyber threats are now seen as the biggest risk to business—ahead of the pandemic, economic downturn, skills shortages, and other issues. 

IT professionals don’t like surprises. And cyber threats are becoming an all-too-common surprise. The following are the top questions management asks IT professionals regarding cyber, and my advice for you on taking action.

How can we keep employees cyber-compliant? Strengthen staff training and raise your cyber awareness. That’s my short answer. Invest in your people.

And make them aware they could unwittingly become an insider threat. An example is when an employee devises a workaround to the security rules to work faster or differently. My advice is to reduce your threat profile by aligning your IT structure and strategy with your employees’ workstyles. Give them the resources and training they need, so they don’t go rogue. Make their jobs easier by providing the assets and solutions they require to be successful. As a bonus, you should see an uptick in the employee retention rate, especially the hard-to-find tech-savvy talent.

How much should we rely on automating cybersecurity? Cybersecurity software is reaching new levels of automation, in some cases allowing you to execute security actions across the entire infrastructure in a matter of seconds. Successful tools can minimize false alarms, missed detections, and the need for human filtering of results to prove properties. But while automation may be the future, the center of gravity for cyber is talent management, not equipment or resources. Your cyber readiness is dependent on your team. It’s a balance of technology and people. Right-size the toolset to your team. Don’t get into a situation where you are only using 20 percent of a tool because you don’t have the staff to use it.

What public-private relationships will help my business? Successful defense against cyber threats requires robust relationships that include information and intelligence exchanges across the public and private sectors. Have a relationship with your state fusion center, law enforcement, FBI, the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency. Take advantage of training sessions, automated threat alerts, and other resources offered by these agencies. And get some face time with them. Have those entities and points of contact embedded into your incident response plan. After all, it’s better to exchange business cards before a disaster than during one.

Probably the biggest factor impacting cybersecurity today is the ever-changing threat environment. Maybe a decade ago, you could say most organizations were adequately prepared for cyber-attacks. Today, IT is up against advanced persistent threats (APTs), and, more importantly, these attacks are being spearheaded not by human assailants but by automated bots, droves and droves of them.

Attacking the Problem, Together

Defending against cyber attacks is, for now, IT’s job. But the U.S. government has a major stake in this battle, too. In 2019, Congress created the U.S. Cyberspace Solarium Commission to identify a strategic approach to securing cyberspace. I served as an adviser to the CSC, giving me a front-row seat relative to its business, government, and military strategies.

In the CSC’s recently issued annual report, the commission spotlighted its general efforts for manufacturers and businesses, including new budgets, legislation, and services. The business issues covered in the report include supply chain readiness, domestic supply chain preference, domestic technology production, cyber incident reporting, and a range of initiatives to provide protection to private industry.

Of the dozens of recommendations the CSC initially submitted two years ago, some 85 percent either have been implemented, are nearing implementation, or are on track for completion, the CSC’s report concluded. The commission’s 82 recommendations are organized into six pillars: reform the U.S. government’s structure and organization for cyberspace; strengthen norms and nonmilitary tools; promote national resilience; reshape the cyber ecosystem; operationalize cybersecurity collaboration with the private sector; and preserve and employ the military instrument of national power.

What’s Next?

Today, every disaster, every incident, has a cyber component. As CIOs and CISOs prepare to strengthen the enterprise against cyber-attacks, the smart teams are always trying to get ahead of ‘what’s next?’
