Rethinking Cyberresilience

Larry Marks
Author: Larry Marks, CISA, CRISC, CGEIT, C|CISO, CCSK, CFE, CISSP, CSTE, ITIL, PMP
Date Published: 15 July 2021

The National Institute of Standards and Technology (NIST) Special Publication 800-160 has caused organizations to do some rethinking when it comes to cyberresilience and disaster recovery, and what this standard means to existing plans. NIST 800-160 comprises an integration of security best practices and design principles. It asks organizations to review their underlying information security risk and use cases that current plans are built on. Key action items to consider include the following:

  • Do the existing use cases meet the current business practices? Use cases are ever evolving.
  • Are the lessons learned from testing and retesting the plans being reviewed and implemented?
  • Has continuous monitoring and maintenance been implemented? Continuous monitoring relates to changes moving to production, threat assessments, risk control and self-assessments; reviewing privileged access; and ensuring the enterprise is patching and remediating vulnerabilities based on risk and available resources. The output of these processes will feed back to the cyberresilience plan. The key is to maintain an evergreen plan.

Cyberresilience goes beyond the typical prevent, detect and respond models found in basic cybersecurity and requires an operational resilience program to ensure critical business processes can recover from cyberattacks with minimal disruptions and within prescribed recovery time objectives. The key is to build robust use cases that stretch the scenarios to understand where the holes and risk may lie. Organizations may not ever become 100% resilient, but strengthening existing plans by understanding key business processes will improve resiliency.

The following steps can guide organizations in creating a successful program:

  1. Review the organization’s current operational resilience program. Is it built on realistic use cases? Does the program incorporate other areas of the organization other than business, information security and risk management? Areas such as privacy, legal and compliance may also need to be incorporated. Organizations should also include existing vulnerabilities and internal and external threats.
  2. Create a scenario library. The scenario library should include severe but plausible disruptions, threats and events. The various MITRE Frameworks should be used to supplement the techniques and threat vectors as it includes approaches used by attackers.
  3. Validate program sufficiency. Organizations should validate their operational resilience program against the previously identified threat scenario library. Validation will be considered sufficient if testing is successful and processes can be re-established within prescribed recovery time objectives.
  4. Rinse and repeat. This is a continuous process that will need to be continuously repeated and updated.

Editor’s note: For further insights on this topic, read Larry Marks’s recent Journal article, “Cyberresilience in an Evolving Threat Landscape,” ISACA Journal, volume 3, 2021.

Don't forget—Members can earn free CPE from ISACA Journal quizzes!

ISACA Journal