(Tia is a contributing SME)
As organizations prioritize cyber resilience, the role of the chief cyber resilience officer is expected to become prevalent in the coming years. However, there’s debate on how to approach cyber resilience.
Over the past decade, the composition of the C-suite has significantly expanded. It now includes various roles such as the CEO, CIO, chief information security officer, chief data officer, chief risk officer, and even chief resilience officer. According to certain industry experts, the C-suite will continue to grow by introducing a new position in the coming years: the chief cyber resilience officer.
There is debate around the inclusion of chief cyber resilience officers in the C-suite, as well as the necessity of this role altogether. However, the consensus is that cyber resilience has become more important than ever before. Resilience refers to the capability to bounce back from tough situations by developing understanding, communication, and agility. Put another way, resilient organizations can swiftly assess new situations, adapt accordingly, and overcome obstacles.
What Is Cyber Resilience vs. Operational Resilience?
So, what sets cyber resilience apart from overall operational resilience? The distinction lies in its focus on the cybersecurity aspects of resilience, delving into areas such as cybersecurity threat management, incident response, business continuity/disaster recovery, frameworks, roles, and compliance. In contrast, operational resilience takes a wider lens, encompassing the development of programs, processes, and frameworks to prepare a business for disruptive events and minimize their impact. Cyber resilience specifically addresses digital business and how cyberattacks and the evolving threat landscape affect business operations.
Additionally, cyber resilience uniquely focuses on emerging technologies and their impact on resilience. Emerging technologies can include the integration of 5G in manufacturing, drones in logistics, general automation, and artificial intelligence. As these technologies become embedded in core business processes, they require testing, understanding, management, and comprehensive security measures.
“The idea is that you can’t protect against every eventuality, so you have to recover,” explained Kris Lovejoy, global security and resilience leader at Kyndryl, an IT infrastructure services company. “Cyber resilience means knowing how you plan to recover, [which includes] knowing what your critical business services are and how they work, what data and systems configurations need to be protected, and in what order things need to be brought back up.”
Kyndryl, in fact, is quite bullish on the concept of cyber resilience, even believing that it will surpass cybersecurity as the top security priority this year. The company’s stance aligns with a December 2022 survey from Cisco, which found that 96% of executives consider security resilience a high priority.
Taking Responsibility for Cyber Resilience
Tia Hopkins, a cybersecurity evangelist and author, was eSentire’s field CTO until February when she became the company’s first chief cyber resilience officer (CCRO). In addition to recognizing the necessity of cyber resilience, Hopkins wanted the company to demonstrate the same principles that it promotes to customers.
“As Field CTO, I had conversations with our customers about quantifying and reducing risk,” Hopkins said. “I was really on my soapbox about this last year, and I got to a point where we needed to complete the sentence.” After studying the National Institute of Standards and Technology’s (NIST) approach to cyber resilience, Hopkins realized that the framework aligned with eSentire’s core values.
As CCRO, Hopkins has experienced a significant shift in her responsibilities. Today, she highlights what cyber resilience delivers to eSentire’s customers and the company as a whole. This entails activities related to risk management, such as conducting penetration testing and red team/blue team tests and exercises. Additionally, she plays a leading role in eSentire’s risk advisory team, which focuses on developing a roadmap for resilience.
Hopkins’ day-to-day tasks have also changed. For example, if an organization has a ransomware incident despite maintaining good security hygiene and risk management, it’s the CCRO’s job to contain the breach’s impact. This involves narrowing down the scope of the event to “user zero” – the user who might have inadvertently clicked a malicious link or file.
“If you can limit the scope, you have helped ensure business continuity,” Hopkins explained. “Now it’s just ‘cleanup on aisle six’ versus the building burning down. It really comes down to completing the business continuity piece. That’s where resilience comes into the picture.”
Although Hopkins has the formal position of chief cyber resilience officer, she’s among a relatively small group of professionals with this title. While most agree that the role should belong to someone with a line to the top, not everybody believes it needs to be a C-level position. Some argue that the responsibilities of cyber resilience can be incorporated within the roles of chief resilience officer, CIO, or chief risk officer.
James Hardy, chief resilience officer for State Street Bank, considers cyber resilience to be part of his overall responsibilities, alongside operational resilience. Among his various duties, he keeps track of the potential threats from cloud providers and supply chain partners that could affect the bank.
According to Hardy, the specific job title is unimportant. “[The] role is to look through all lenses for the bank as a whole: what systems we use, what third parties we use, where we operate, and the threats we are exposed to,” he said. “Then it’s about how [threats] could impact the distribution of human, technical, third party, and data resources; the impact to the firm and its services; and what our contingency capabilities are.”
Like Hopkins, Hardy progressed through various roles before stepping into his current position. He started his career as an engineer and subsequently held the positions of CIO and COO for State Street’s capital market business before becoming the bank’s first chief resilience officer three years ago. “You need people who can talk the talk and walk the walk of tech, operations, security, risk, and compliance to some extent,” Hardy said.
To address the cyber resilience angle, Hardy works closely with the bank’s CISO, who is responsible for much of the day-to-day cyber resilience.
Kyndril’s Lovejoy believes that CISOs eventually will morph into CCROs. During the COVID-19 pandemic, many CISOs assumed the responsibilities of cyber resilience due to their crisis management skills. “Now organizations are realizing that they need this role,” Lovejoy said. “It’s a logical progression for a CISO.”
Another consideration is to whom the CCRO or cyber resilience lead should report. Some suggest reporting to the CIO or chief risk officer, but many agree that reporting to the COO is preferable. At eSentire, Hopkins reports to the COO. “All organizations are structured differently, but what’s important is that someone focused on resilience has the visibility and influence to be able to ensure these resilient outcomes,” Hopkins said. “If it’s the CFO that’s best positioned to provide that exposure, great. It’s whatever areas of the business makes sense.”
How To Improve Cyber Resilience
Sure, appointing someone to be responsible for cyber resilience is an important step towards achieving it. However, there are three additional efforts that organizations must undertake.
1. Change the mindset
Many organizations still primarily focus on defense, but resilience requires a proactive approach from a defensive position. “Yes, we need to assume breaches [will happen], but that doesn’t mean being irresponsible and not doing anything you should be doing as best practice,” Hopkins said. “But it does mean that we have to change the conversation about what we’re focused on from a prevention perspective. That is preventing or limiting the impact of disruption. Those are the fires we fight every day.”
2. Formalize the cyber resilience role
Although organizations have implicitly prioritized cyber resilience and business continuity, it is crucial to explicitly assign responsibility to one individual or entity.
3. Adopt a framework
There are several valuable resources available to help organizations in jumpstarting their cyber resilience efforts. Examples include the World Economic Forum’s Cyber Resilience Index, NIST’s 800-160v2, and MITRE’s Cyber Resilience Engineering Framework. Implementing a framework can provide organizations with guidance and a structured approach to developing their cyber resilience practices.
The Future of Cyber Resilience
Over time, the cyber resilience function, whether a standalone C-level position or not, is expected to become ubiquitous across many companies. It will likely begin in regulated industries like the financial services, critical infrastructure, technology, and utilities sectors. Lovejoy predicted that it will become a fairly standard role within 10 years.
Hopkins largely agreed. “Risk is a critical part of ensuring business continuity, but the focus shouldn’t be implied, but deliberate. That means it will start with more forward-thinking organizations and more mature organizations.”
Original Publication: ITPro Today