Cyber resilience, the new buzz term?

 

Recently, you have most likely heard or read articles about “cyber resilience”. This term that comes up regularly in the media is presented as the future of cybersecurity. According to Accenture, cyber resilience is “the ability of a company to identify, prevent, detect and respond to technological or process failures and to recover by minimizing negative impacts on its customers, reputational damage and financial losses.”

However, this concept is nothing new, since it was notably defined by the CDSE in 2014 and has been regularly highlighted since the massive attacks on international organizations took place.

In short, the new goal for companies is to move from reactive to preventive mode in the face of increasing security risks. Because, on the one hand, companies are constantly changing, evolving, and reorganizing and, on the other hand, digitization is exploding, with more and more applications and data being needed for the growth of companies. Increasingly, we are seeing businesses taking over information systems by directly subscribing to new services without going through their ISD and sometimes even without informing them.

New practices such as BYOD (Bring Your Own Device) are also on the rise, giving access to the company’s assets via terminals that the ISD may not always be aware of.

How can we maintain control through cyber resilience?

 

In this context a holistic and transversal approach in the company is necessary, involving “the individuals, processes, and technologies” as specified by the CDSE. This is what cyber resilience advocates, and that’s what’s new. Companies are reorganizing themselves to master this new concept via a risk-based approach. Cyber security topics, once confined to the chief information security officer alone, are, along with the concept of cyber resilience, in the process of becoming the concern of other teams in the company, including risk management functions.

 

How to put cyber resilience into practice within companies?

 

For the CDSE, the implementation of this concept within companies requires the establishment of several essential pillars, which are also described in the NIS Directive: identifying, protecting, detecting, responding to the incident, and recovering systems to ensure continuity of service. While systems and processes are often already in place on the last four pillars, the first “identifying” is a real challenge for companies.

In fact, it requires a better knowledge of the IS, mapping of all assets, identification of the most sensitive to better protect them, and management of the risks. On this first point, the new GDPR regulation, with its processing register and the obligation to carry out data protection impact assessments (PIAs), enables companies to get a foothold.

 

Access to corporate assets: an axis of analysis that should not be overlooked

 

Next, still within the “identifying” pillar, one axis should not be neglected: access to the IS. Indeed, the establishment of identity and access governance is essential, in order to identify which people as well as which systems can access these assets, and to verify the legitimacy of such access. These controls must be carried out on an ongoing basis to take account of the movements of the company and of people, as well as changes in the IS. Brainwave GRC also allows the implementation of this governance by mapping access to your critical assets within a few weeks and thus switching to pro-active access analysis.

On the other hand, the automation of the review processes, involving the different teams within the company in a transversal manner, is an important facilitator. By implementing it within your organization, you get validation by managers of the access of persons for whom they are responsible, for example, or validation of access to accounts with privileges by the managers of applications etc… and you can thus detect anomalies upstream with the help of teams, before they are exploited by malicious individuals. To be truly effective, such reviews must be scheduled frequently (once a quarter, or even monthly, depending on the context). They also need to take up as little time as possible in order to gain the support of teams, hence the need to be equipped to optimize and automate them.

 

This also allows you to respond more efficiently and easily to auditors and thus to comply with the numerous standards and regulations in force (ISO27001, GDPR, SOC etc.).