Technology Overload
Cyber Resilience – Managing Cyber Risk Through a Multi-Disciplined Approach
Cyber Resilience Overview
Cyber incidents and data breaches are occurring at an unprecedented rate. Cyber threats continue to evolve in scale and complexity and have led to the loss of intellectual property, customer data, and other sensitive information for many organizations.
Cyber incidents can result in major disruptions to core business services and operations and cause negative impacts including:
- Severe financial loss
- Reputational and brand damage
- Disruption to product and service delivery
- Negative customer experience
- Loss of investor confidence
- Regulatory non-compliance
Cyber Resilience is a multi-disciplined approach to proactively managing cyber risk through a combination of traditionally siloed activities. Integrating these activities through Governance, Risk and Compliance (GRC) provides additional visibility into the current risk posture and provides a vehicle for continuous improvement.
CYBER RESILIENCE RISK PLANNING
Cyber resilience goals should be informed by realistic cyber risk scenarios that anticipate likely threats and attack vectors based on current trends and exploits. Multiple threat actors and cyber risk scenarios may affect an organization.
The goal of assessing cyber risk scenarios is to identify the most common threat actors, potential resilience techniques, attack vectors, targets, and impacts to the organization. Specific objectives include:
- Identify and evaluate the potential impacts of cyber threats on digital/informational assets, including loss of availability, integrity, or confidentiality; data destruction; and data leakage
- Risk-rank each scenario based on the likelihood of execution and the impact on company assets, to support business impact assessment scoring methods
- Identify areas where additional resilience techniques or advanced recovery strategies may successfully mitigate risks and their implications
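One way to carry out the risk-ranking objective above, as an added example rather than the page's or MorganFranklin's own method: each scenario records the threat actor, attack vector, target, and a qualitative likelihood and impact rating; the script converts the ratings to a 5x5 scale, multiplies them into a score, assigns a tier, and orders the register so the scenarios that warrant additional resilience or recovery measures come first. The rating scales, tier thresholds, and the scenarios themselves are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed 5-point qualitative scales (a common risk-matrix convention,
# not prescribed by the page).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Scenario:
    """One cyber risk scenario from the assessment workshop."""
    name: str
    threat_actor: str
    attack_vector: str
    target: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT

    def score(self) -> int:
        # Classic likelihood x impact product on a 1..25 scale.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_tier(score: int) -> str:
    """Map a 1..25 score to a tier. Thresholds are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_scenarios(scenarios):
    """Highest score first; ties broken by impact so severe-impact,
    lower-likelihood events are not buried under nuisance-level ones."""
    return sorted(scenarios, key=lambda s: (s.score(), IMPACT[s.impact]), reverse=True)


def risk_register(scenarios):
    """Rows suitable for a GRC register: name, score, tier, and the
    fields needed to choose a resilience or recovery treatment."""
    return [
        {
            "name": s.name,
            "threat_actor": s.threat_actor,
            "attack_vector": s.attack_vector,
            "target": s.target,
            "score": s.score(),
            "tier": risk_tier(s.score()),
        }
        for s in rank_scenarios(scenarios)
    ]


def needs_treatment(scenarios, floor="high"):
    """Scenarios at or above the given tier, i.e. candidates for the
    'additional resilience techniques' objective."""
    order = ["low", "medium", "high", "critical"]
    return [r for r in risk_register(scenarios) if order.index(r["tier"]) >= order.index(floor)]


# Constructed sample scenarios (illustrative only).
SAMPLE_SCENARIOS = [
    Scenario("Ransomware via phishing", "criminal group", "phishing email",
             "file servers and backups", "likely", "severe"),
    Scenario("Privileged AD credential theft", "criminal group", "credential stuffing",
             "Active Directory", "possible", "major"),
    Scenario("Insider data leakage", "malicious insider", "removable media",
             "customer data", "unlikely", "moderate"),
    Scenario("DDoS on public website", "hacktivist", "volumetric flood",
             "customer portal", "likely", "minor"),
    Scenario("Lost unencrypted laptop", "opportunistic", "physical loss",
             "employee workstation", "possible", "negligible"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS):
        print(f"{row['score']:>2} {row['tier']:<8} {row['name']}")
```

Running the block prints the register with the ransomware scenario (score 20, critical) first and the lost laptop (score 3, low) last; `needs_treatment(SAMPLE_SCENARIOS)` returns the three scenarios rated high or critical.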
AN INTEGRATED RESILIENCE NETWORK
Effective resilience programs must include an integrated and coordinated approach among all aspects of the incident management lifecycle, including site-level emergency response, technology and cyber incident response, executive-level crisis management, business or operational continuity and IT resilience and disaster recovery (DR).
GOVERNANCE, RISK AND COMPLIANCE INTEGRATION
Governance, Risk and Compliance (GRC) is the integrated collection of capabilities that enable an organization to monitor risk and regulatory obligations, while providing oversight and governance to provide a sustainable capability that can proactively pivot as required to address an increasingly evolving and complex risk and regulatory landscape.
Your cyber risk appetite defines the amount of cybersecurity risk that’s acceptable to your organization as part of normal business operations. What is your risk appetite?
The goal of both the cybersecurity program and GRC is resilience, and that goal begins at the asset level. Asset visibility is key to ensuring adequate security of information.
Find What Matters - Secure What Matters – Measure What Matters
CYBER RISK MANAGEMENT
Proactive cyber risk management is necessary to stay ahead of the complex threat and risk environment we find ourselves in today. Traditional risk assessment processes can be applied to cyber, while integrating cyber resilience techniques can help companies proactively monitor and mitigate cyber risks.
TRADITIONAL RECOVERY VS CYBER RECOVERY
As resilience and replication between primary processing and recovery data centers increase, so does the risk of propagating malware or malicious code to the recovery site. Therefore, cyber resilience incorporates advanced recovery strategies, including replication technologies and air-gapped cyber data vaults, to protect critical data.
Cyber vaulting solutions offer tools that facilitate the backup and storage of critical data sets in a separate (air-gapped) environment to maintain immutable copies of highly important and/or sensitive digital assets. Examples of critical data sets include:
- Golden OS build images
- Proprietary source code for mainframe and distributed applications
- Active Directory and privileged user credentials
- System configurations and virtual machine snapshots for critical systems
CRISIS MANAGEMENT INTEGRATION
To strengthen overall resilience, it is important to integrate incident management into the crisis management function and the associated program which addresses physical and cyber incidents including:
- Disruption to critical technology or data
- Disruption to critical processes
- Disruption to critical facilities
- Disruptions to communications infrastructure
- Disruptions to power or other critical services
Example Crisis Management Team Structure
A Crisis Management Team (CMT) is comprised of a cross-functional mix of senior leadership and provides strategic direction and management for dealing with a crisis event. The CMT is responsible for high-level decision making while assisting the tactical response teams in determining the event impacts, providing resources to aid in the tactical recovery, and coordinating with the media, regulators, and public authorities, as applicable.
IN SUMMARY
- Increased cyber resilience is achieved through an integration of traditional siloed activities including risk management, cybersecurity, business and technology resilience/recovery and crisis management.
- Proactive techniques such as cyber threat hunting can help organizations increase visibility into potential threats and attack vectors. The MITRE ATT&CK framework can be leveraged to facilitate threat hunting activities.
- Technical techniques should be included in the cyber incident response process to analyze the attack and generate learnings to mitigate vulnerabilities and risk.
- Traditional disaster recovery techniques are often not sufficient to protect critical digital assets against cyberattacks. Strategies to store air-gapped, immutable copies of critical assets should be considered to enhance recovery solutions.
- Crisis management plans should be integrated into overall resilience processes to ensure escalations are appropriately handled and communications are effectively managed.
- Risk and resilience processes should be measured and monitored through an effective Governance, Risk and Compliance (GRC) program.
Contact
Eric Chan - Director, Cybersecurity
Eric is the Director of Strategy and Risk for MorganFranklin Consulting’s Cybersecurity Practice and the Practice Leader for Vaco Risk Advisory Services. Eric has over 15 years of Risk Management leadership experience helping companies navigate complex regulatory environments while providing comprehensive operational, information technology, and information security risk management solutions. He offers extensive experience operating in all three lines of defense, including at several of the country’s largest financial institutions, with significant subject matter expertise in IT Governance, Infrastructure, Information Security/Cybersecurity, Data Protection, Enterprise Risk Management and Vendor/Third Party Risk Management, Compliance (including AML/BSA/KYC Compliance), Finance & Accounting, and Capital Planning. Prior to joining Vaco/MorganFranklin, he spent over 10 years at Fifth Third Bank and served as a Senior Audit Manager II, VP.