Printer icon Print Page
Hot Topics in Technology and Innovation

Building Cyber Resiliency

Aug 15, 2018
Rachael Bryson
Senior Research Associate,
National Security and Public Safety

On March 1 and 2, The Conference Board of Canada hosted a cyber security conference, bringing together experts and practitioners to discuss the theme of “Building Resilience Now and For the Future.” Building cyber resilience is about more than preventing attacks; it’s about being able to limit the impact of attacks that do occur, and being able to resume regular business faster. This requires a fundamental change in how we think about and plan for cyber incidents, including data breaches. Our expert speakers and panellists shared their insights and recommendations for building resilience across organizations.

Address Cyber Security’s Place Within Organizational Culture

One theme that was repeated over the course of the conference was that cyber security experts are not seen as enablers. Rather, they are seen as “no” people, who impede progress on the organization’s business goals. This aspect of the organizational culture needs to change to facilitate better collaboration between cyber security and all other business areas, and to encourage positive partnerships rather than adversarial relationships. One expert suggested that cyber security practitioners stop defaulting to the “if there’s a security feature, enable it” mindset and instead start working with others to see how safe cyber practices can be integrated into their work.

Build a Cyber Resilience Program

Achieving resilience in every organization starts at the top. Executive-level support and buy-in is needed to develop a program that can help the organization achieve its desired level of cyber capabilities—whether it be 24/7/365 monitoring and response; the ability to conduct advanced cyber analytics, advanced hacking, and malware protection; or initiating a complete enterprise-wide cyber defence strategy. The needs and cyber security goals of each organization should be identified, and a plan implemented on how to get there.
An important part of that plan should be regular training across the entire organization. Training and experience are the building block elements that an organization requires to become more resilient. Every lesson learned or skill developed during a training exercise, and each time an organization survives a real cyber incident, adds to the building block—helping to enhance resilience. Organizations should test their technology and responsiveness regularly through exercises, and stay informed on emerging threats or patterns of concerning activities.

Have the Right People in Place

Having the right advisors in place in the event of a crisis can help strategize a response that will mitigate damage and help an organization return to business as usual. It is important to have frank conversations with the board of directors as well as cyber insurers to determine who to reach out to for a variety of scenarios. For example, establishing legal privilege under which to carry out certain conversations may be essential, as is knowing who will manage communications when news of an incident is made public.
When dealing with a criminal element, such as during a ransomware attack, it’s also important to use an experienced incident responder, such as a breach coach, who can provide advice on the best course of action that needs to be taken and ensure that all precautions are taken if negotiations are entered into to unlock the ransomed data. While these measures are meant to be back-up options—and should do not replace preventative cyber security practices—they are necessary to have in place before a crisis hits.

Enable Collaboration and Information-Sharing

Internal collaboration and information-sharing across the organization can help to detect, prevent, and mitigate the severity of cyber security incidents. Collaboration can help to break down silos within the organization, which can be a persistent problem for cyber security. A better understanding of cyber security by all employees can not only improve the implementation of security practices, but also generate better understanding of how cyber security can support business goals.

Opportunities for information-sharing across the organization can help maximize research resources, provide sharable and actionable information, and identify patterns of attacks already experienced. By sharing resources, organizations have the chance to make attacking them (or their area) as difficult and expensive as possible, dis-incentivizing criminal actions. In fact, one presenter believed that almost 40 per cent of cyber attacks could have been avoided had internal, multi-area information-sharing been in place. Some organizations are already establishing networks, such as sharing hubs and multi-area collaboration centres, to facilitate data exchange—thus, building a better picture of the threat landscape.

Building cyber resiliency is not a single-solution strategy. It involves buy-in from the executive level, establishing comprehensive plans and policies, providing ongoing training, and thinking outside of the traditional constraints of the organization. We will continue to explore this shift in dealing with cyber threats with a more in-depth research briefing at the end of 2018.

Related Webinar

Understanding Cyber and Physical Security Convergence
The Conference Board of Canada, June 7, 2018 at 02:00 PM EDT

Monthly Newsletter

If you enjoyed this article, get regular updates by signing up to our monthly newsletter.

Related Executive Networks

The Council of Chief Information Officers (CCIO) provides the opportunity to discover how leading-edge private and public sector CIOs are addressing emerging challenges and building strategic advantage through information technology. The Council addresses executive leadership challenges such as strategy, change management, and innovation, through a CIO lens. By design, the Council allows for deep exploration of emerging topics and the formation of meaningful peer-CIO relationships, all in a closed door, private setting.

The Council for Information Technology Executives (CITE) helps strengthen capacity to effectively address the challenges of today’s rapidly changing business environment and stay competitive. CITE brings together senior IT executives to investigate and discuss leading-edge issues related to the field of information technology. This Council acts as the common voice of both private and public sector organizations to develop best practices, nurture the growth of Canadian IT specialists, and partner with influential bodies to increase awareness of the IT profession. The Council is made up of CIOs from small and medium sized organizations, and senior IT executives from large organizations who are direct reports to a CIO.

The Council for Innovation and Commercialization (CIC) provides innovation executives in Canadian firms with the contacts, concepts, tools and learning experience to improve innovation performance. Through networking with peers and facilitated discussion, members share experiences, best practices, and methodologies thus strengthening their innovation capacity. The Council is a broad-based membership spanning innovation infrastructure in Canada, including SMEs, large businesses, non-profit organizations, academia, and governments. This ensures that members have the opportunity to explore different facets of innovation in Canada while at the same time achieving focus on the needs of their own organization.