Compound Effects: What Does It Mean to Be Ready and Resilient? Part III
By Josh Bozarth, Practice Lead / Director, Readiness & Resiliency
The terms “readiness” and “resiliency” complement each other, but they’re different.
Readiness is preparedness
It’s about proactively determining what your security compliance program is ready for via:
- penetration tests: evaluations of a network’s ability to withstand a cyberattack
- tabletop exercises: attack simulations that find gaps in your cybersecurity landscape
- training programs: lessons that teach employees what to do during a cyberattack
Readiness is also:
- developing healthy suspicions WITHOUT creating paranoia
- recognizing that a cyberattack is not an “if” but a “when”
- accepting that the cybersecurity landscape is ever-changing
- anticipating how automation will soon increase the frequency and level of attacks
- encouraging preventative controls and detection systems
- shaking down those controls and systems as aggressively as possible
- discovering compliance gaps without embarrassing those responsible
Now, resiliency? That’s something else entirely.
Resiliency is restoration
It’s about getting your network back to its original state in the event of a cyberattack — WITHOUT ever experiencing a breach.
Together, readiness and resiliency form a crucial step in your threat-informed defense strategy, which includes understanding the type of threats you’re dealing with, recognizing what the threat means to your network, and deciding which tactics you’ll use to stay up-to-date on the latest trends as they change over time.
But how do we at CISO Global even begin to deliver this to clients when our findings from one year’s risk assessments — tests, exercises, and programs — are often identical to the next year’s? How do we put an end to the perennial folly of running these initiatives, prescribing specific remediating actions, and then finding the same shortcomings when we stop by the client’s office again?
We create customized opportunities
… to revisit the tests, exercises, and programs more frequently, at the cadence the client prefers, and to a degree that’s appropriate for them specifically. This can take the form of:
- quarterly penetration tests instead of just annual ones
- monthly security testing to supplement monthly vulnerability scans
- a whole new set of tests inspired by recent breaches straight from the headlines
Typically, we’ll take the results of these tests and categorize them as low, medium, high, or critical, with critical being the one where we’ll tell the client to drop everything and get on top of it right away.
But to preserve the sanctity of the “critical” category, we look at the results relative to the organization itself, not to any standard rubric.
What CISO Global might mark as a critical risk for one client’s network may only be considered a medium risk for another’s, as that latter network already has various controls in place to reduce the overall level of risk.
And for the “critical” company?
More tests, exercises, and programs–
All of which will lead to the adjustment of controls, processes, and procedures, because sometimes these are too lax OR too rigid. Unless properly aligned to risk, controls, processes, and procedures may be the reason for the company’s “critical” rating.
But discovering that is the whole point — calculating the company’s actual risk based on what’s known. That information can then be used to realign, a repeating process that is a vital part of improving your posture and keeping your security program healthy.
Readiness and resiliency do more than complement one another
They deliver compound effects, layers upon layers, like an onion: The more layers you can add, the more difficult it is for cyberattackers to come in and get what they want, and the easier it is to stop them in their tracks and never have to rely on the extra layers at all.
Interested in learning more about the steps you need to take to make your company ready and resilient? Let’s talk. Contact CISO Global, Inc. today.