
Cyber resilience, unknown unknowns, and the transformation of enterprise security

The pandemic and an epidemic of ransomware attacks exposed the need for a new approach to enterprise security and protecting the supply fabric.

Prior to March 2020, it's safe to say that enterprise security professionals never game-planned for the zombie apocalypse. But with COVID, that's basically what we got.

Entire workforces disappeared from their offices, but their data centers still worked. Their networks were fine. It was just the personnel that changed. The loss was one of human function and the inability of people to get to the functions that were working. It was the first time we had to think about things in those terms.

Soon after, an epidemic of increasingly sophisticated ransomware attacks made thinking about security in a different and more comprehensive way even more urgent.

The concept of cyber resilience emerged as a result.

A whole greater than the sum of individual parts

The Ponemon Institute defines cyber resilience as the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks. In its simplest terms, to paraphrase a classic advertising slogan, cyber resilience is the ability of an enterprise "to take a licking and keep on ticking."

Cyber resilience brings together the formerly separate disciplines of information security, business continuity and disaster response (BC/DR), and organizational resilience to work toward common goals. Traditionally, these disciplines tended to stay in their own lanes. But COVID and ransomware, and the devastating effects they had on operations, demonstrated the vulnerabilities of such a siloed approach.

Cyber resilience reflects an emerging consensus among the enterprise security community that holds that for enterprise security to be truly effective, these separate disciplines need to work together to align their strategies, tactics, and planning to weather whatever might happen and handle any type of adversity. It reflects an understanding that when these teams mix, they create a whole greater than the sum of their individual parts.


One of the great benefits of cyber resilience is that it helps organizations recognize that hackers have the advantage. It's a cultural shift as organizations now see security as a full-time job and embed security best practices in day-to-day operations.

In "Developing Cyber Resilient Systems: A Systems Security Engineering Approach" (SP 800-160 Vol. 2), NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources," and organizations now see cyber resilience as a natural follow-on in terms of maturity from a traditional BC/DR model. The main difference between traditional BC/DR and cyber resilience is that whereas BC/DR is focused on recoverability, cyber resilience focuses more on sustainability.

In terms of dealing with a zero-day attack, the following four-step plan can help improve resilience:

  • Anticipate: As part of the planning phase for cyber resilience, performing holistic risk assessments across the entire organizational estate to understand where risk exists is a critical first step in becoming cyber resilient and being prepared to deal with any states of adversity. Risk assessment can be controls-based—for example, looking at existing architecture documentation—or of a more technical nature, such as performing a vulnerability assessment against an in-house developed application.
  • Withstand: Being able to maintain business-critical functions during a zero-day attack depends upon having the right cybersecurity architecture in place. A cyber-resilient organization has followed principles such as zero trust in segmenting the infrastructure and has a mature level of security hygiene to efficiently reduce the impact of a zero-day attack. Business continuity planning in the face of impending disaster plays a key role here, as does having a tried and tested incident response plan detailing the roles and responsibilities that will be called upon during a cyber incident.
  • Recover: Although cyber resilience is aimed more around continuity than recovery, having a disaster recovery strategy in place that highlights the steps that should be followed to neutralize the impact of a zero-day attack is a necessary part of cyber resilience.
  • Adapt: The final goal of a cyber-resilience plan is to be able to learn from what has happened and adapt architectural capabilities to be able to better withstand future events, based upon changes to either the operational environment or the threat landscape. Handled correctly, the adapt phase can be considered as ongoing threat modeling following the agile concept of continuous improvement.

A major focus of cyber resilience is protecting the enterprise supply fabric. Supply fabric is a new understanding of how the global supply chain relates to the enterprise and how the enterprise itself operates. A supply chain is a single set of points in a line of supply. The supply fabric is multidimensional and better addresses the complex supply-demand interdependencies that cyber resilience seeks to protect. A supply chain is essentially a single unique path through a complex fabric of interdependencies.

Whatever a business consumes, transforms, or provides is an integral part of the supply fabric. This means that every business process can be viewed as a collection of supply fabric elements: dependencies, upstream providers, and downstream consumers. In short, everything and anything that makes an enterprise go.
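The supply fabric idea becomes concrete once the dependencies are written down as a graph. The following is an added illustration, not code from the article or from HPE, using a constructed and hypothetical fabric (the node names, `FABRIC`, `PROCESSES` and the function names are all assumptions). It walks the fabric downstream from a failed provider, ranks providers by how many business processes their loss would stop, and lists the shared roots that a single supply-chain view would miss.

```python
from collections import deque

# Constructed, hypothetical supply fabric: each business process or internal
# service maps to the upstream providers it consumes. Names are illustrative.
FABRIC = {
    "order-processing": ["erp", "payment-gateway", "identity-provider"],
    "customer-portal": ["identity-provider", "cdn", "erp"],
    "warehouse-ops": ["erp", "scanner-fleet"],
    "erp": ["datacenter-power", "database-cluster"],
    "database-cluster": ["datacenter-power", "storage-array"],
    "identity-provider": ["saas-idp-vendor"],
    "payment-gateway": ["payment-vendor"],
    "cdn": ["cdn-vendor"],
    "scanner-fleet": ["wifi", "datacenter-power"],
}
# Business processes (the final downstream consumers) whose continuity matters.
PROCESSES = ["order-processing", "customer-portal", "warehouse-ops"]

def consumers_of(fabric):
    """Invert the map: provider -> set of nodes that directly consume it."""
    rev = {}
    for consumer, providers in fabric.items():
        for p in providers:
            rev.setdefault(p, set()).add(consumer)
    return rev

def blast_radius(fabric, failed):
    """Every node that transitively loses function once `failed` is unavailable."""
    rev = consumers_of(fabric)
    hit, queue = set(), deque([failed])
    while queue:
        for c in rev.get(queue.popleft(), ()):
            if c not in hit:
                hit.add(c)
                queue.append(c)
    return hit

def impact_ranking(fabric, processes):
    """Rank providers by how many business processes their loss would stop."""
    providers = (set(fabric) | {p for d in fabric.values() for p in d}) - set(processes)
    ranked = [(p, len(blast_radius(fabric, p) & set(processes))) for p in providers]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))

def single_points_of_failure(fabric, processes):
    """Providers whose loss alone halts every listed business process."""
    return [p for p, n in impact_ranking(fabric, processes) if n == len(processes)]

if __name__ == "__main__":
    print(impact_ranking(FABRIC, PROCESSES))
```

In this constructed fabric, power, the core database and its storage each sit beneath every process, which is the kind of shared root an "anticipate" risk assessment should surface.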

Preparing for unknown unknowns

Cyber resilience is fundamentally different from traditional cybersecurity in that it requires organizations to think differently about their approach to threats and become more agile in their handling and response to attacks. Cybersecurity has traditionally equaled protection. We assume something bad is going to happen, and we know we need to put the controls in place to allow the enterprise to stop that bad thing from happening.

The pandemic and ransomware demonstrated the limits of that kind of thinking. It galvanized a new awareness of the need to protect the organization against a wider spectrum of threat types, including a new category that has attracted a great deal of attention: the unknown unknown threat.

What does this mean? It comes down to an understanding, attributed to former U.S. Defense Secretary Donald Rumsfeld, that there are three types of threats: known knowns, known unknowns, and unknown unknowns.

If you knew you were running out of milk, for example, you would know you needed to go out and get some more. That would be an instance of a known known threat.


The concept of the known unknown threat takes that idea a little further: You know something is going to happen, but you're not quite sure what it could be. So, for example, if you leave a window open, there's a chance that several things could happen: A bird could fly in, an intruder could gain access to your home, or it could rain and soak your carpet.

The third idea is the unknown unknown threat. This is a threat where you have no idea what's going to happen at all. You know it might be bad when it happens, but you don't know how it's going to happen. You don't know how it's going to impact you. You don't know what the end result is going to be. You could invest millions of dollars in making a movie, and then a pandemic hits and suddenly nobody is going to theaters.

It's when it comes to dealing with these unknown unknown threats that we move out of the realm of traditional cybersecurity and into the new paradigm of cyber resilience. It's trying to provide a model where you've got the sustainability to help deal with the unknown unknowns, like a zero-day vulnerability exploited to attack you. If your enterprise gets hit by something catastrophic, whether it's security-specific like a ransomware attack or it's an organizational change brought on by something like the COVID pandemic, you have to find a way to keep the business up and running, whatever the impact.

The whole point of cyber resilience is to provide the enterprise with that sustainability—both on the level of its IT functioning and on a system-wide basis that encompasses the whole length and breadth of the enterprise.

Confronting the unthinkable

So, how does an enterprise become cyber resilient? The process begins with a self-examination of everything that goes into what the organization does or that can be disrupted. It's an interrogation that needs to include everything that touches the enterprise and its ability to prevent loss of function and data compromise: power, cooling, equipment, people, highways, buildings, and environmental factors. Enterprises need to stress test them all and logically follow the sequence of events and everything that might follow—no matter where that may take them, because things that no one ever thought would happen are happening today. This can include looking at man-made (intentional and unintentional), environmental, geopolitical, and other threats, no matter how implausible they may seem.


There are more challenges to achieving cyber resilience beyond the process of interrogating the enterprise. There is the basic challenge of transforming security controls that may not work effectively anymore. There is the issue and cost of planning to recover from worst-case to best-case scenarios. There are also data sovereignty issues posed by national or other geographical boundaries, as well as challenges presented by legal and regulatory barriers, particularly over data residency concerns; even in an emergency, data may have to stay within a geographic region.

The bottom line is that cyber resilience is like any other enterprise program. How it is addressed comes down to cost and priorities. Some organizations will take a high-risk and high-reward approach. Others will run more conservatively. There is never going to be foolproof security. There is always going to be a weak link somewhere to exploit.

Road maps and best practices

There are several tools available to help enterprises assess and improve their cyber resilience. On a federal level, the U.S. Department of Homeland Security offers the Cyber Resilience Review (CRR), a free self-assessment tool that allows organizations to evaluate their capabilities and measure their cyber-resilience readiness. The CRR's list of capabilities aligns with the categories of NIST's Cybersecurity Framework, which consists of standards, guidelines, and best practices to manage cybersecurity.

The CRR outlines 42 goals and 141 specific practices for enterprises across 10 aspects, or in the language of the CRR, domains of enterprise functioning. These domains include areas such as asset control, configuration and change, risk management, and training and situational awareness. Among CRR's features is a list of best practices enterprises can engage with to improve their cyber resilience.

These recommendations range from the very broad, such as encouraging more heterogeneity in the IT environment, to the very granular and specific, such as recommending microsegmentation techniques for containing an attack once a data center breach has succeeded.

With new unknown unknown threats always a possibility, the time is now for enterprises to improve their cyber resilience. COVID and ransomware were a real wake-up call to acknowledging that the old ways of doing enterprise security are just not good enough. It's time to do your own risk assessment. Does your enterprise have the cyber resilience to take a licking and keep on ticking?

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.