Best practices for developing an actionable cyberresilience road map
Pandemic-era ransomware attacks have highlighted the need for robust cybersecurity safeguards. Now, leading organizations are going further, embracing a cyberresilience paradigm designed to bring agility to incident response while ensuring sustainable business operations, whatever the event or impact.
Cyberresilience, as defined by the Ponemon Institute, is an enterprise’s capacity for maintaining its core business in the face of cyberattacks. NIST defines cyberresilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
The practice brings together formerly separate disciplines of information security, business continuity, and disaster response (BC/DR) deployed to meet common goals. Although traditional cybersecurity practices were designed to keep cybercriminals out and BC/DR focused on recoverability, cyberresilience aligns the strategies, tactics, and planning of these traditionally siloed disciplines. The goal: a more holistic approach than what’s possible by addressing each individually.
At the same time, improving cyberresilience challenges organizations to think differently about their approach to cybersecurity. Instead of focusing efforts solely on protection, enterprises must assume that cyberevents will occur. Adopting practices and frameworks designed to sustain IT capabilities as well as system-wide business operations is essential.
“The traditional approach to cybersecurity was about having a good lock on the front door and locks on all the windows, with the idea that if my security controls were strong enough, it would keep hackers out,” says Simon Leech, HPE’s deputy director, Global Security Center of Excellence. Pandemic-era changes, including the shift to remote work and accelerated use of cloud, coupled with new and evolving threat vectors, mean that traditional approaches are no longer sufficient.
“Cyberresilience is about being able to anticipate an unforeseen event, withstand that event, recover, and adapt to what we’ve learned,” Leech says. “What cyberresilience really focuses us on is protecting critical services so we can deal with business risks in the most effective way. It’s about making sure there are regular test exercises that ensure that the data backup is going to be useful if worse comes to worst.”
A Cyberresilience Road Map
With a risk-based approach to cyberresilience, organizations evolve practices and design security to be business-aware. The first step is to perform a holistic risk assessment across the IT estate to understand where risk exists and to identify and prioritize the most critical systems based on business intelligence. “The only way to ensure 100% security is to give business users the confidence they can perform business securely and allow them to take risks, but do so in a secure manner,” Leech explains.
Adopting a cybersecurity architecture that embraces modern constructs such as zero trust and that incorporates agile concepts such as continuous improvement is another requisite. It is also necessary to formulate and institute time-tested incident response plans that detail the roles and responsibilities of all stakeholders, so they are adequately prepared to respond to a cyberincident.
Leech outlines several other recommended actions:
- Be a partner to the business. IT needs to fully understand business requirements and work in conjunction with key business stakeholders, not serve primarily as a cybersecurity enforcer. “Enable the business to take risk; don’t prevent them from being efficient,” he advises.
- Remember that preparation is everything. Cyberresilience teams need to evaluate existing architecture documentation and assess the environment, either by scanning the environment for vulnerabilities, performing penetration tests, or running tabletop exercises. This checks that systems have the appropriate levels of protections to remain operational in the event of a cyberincident. As part of this exercise, organizations need to prepare adequate response plans and enforce the requisite best practices to bring the business back online.
- Shore up a data protection strategy. Different applications have different recovery-time-objective (RTO) and recovery-point-objective (RPO) requirements, both of which will impact backup and cyberresilience strategies. “It’s not a one-size-fits-all approach,” Leech says. “Organizations can’t just think about backup but [also about] how to do recovery as well. It’s about making sure you have the right strategy for the right application.”
The HPE GreenLake Advantage
The HPE GreenLake edge-to-cloud platform is designed with zero-trust principles and scalable security as a cornerstone of its architecture. The platform leverages common security building blocks, from silicon to the cloud, to continuously protect infrastructure, workloads, and data while adapting to increasingly complex threats.
HPE GreenLake for Data Protection delivers a family of services that reduces cybersecurity risks across distributed multicloud environments, helping prevent ransomware attacks, ensure recovery from disruption, and protect data and virtual machine (VM) workloads across on-premises and hybrid cloud environments. As part of the HPE GreenLake for Data Protection portfolio, HPE offers access to next-generation as-a-service data protection cloud services, including a disaster recovery service based on Zerto and HPE Backup and Recovery Service. This offering enables customers to easily manage hybrid cloud backup through a SaaS console along with providing policy-based orchestration and automation functionality.
To help organizations transition from traditional cybersecurity to more robust and holistic cyberresilience practices, HPE’s cybersecurity consulting team offers a variety of advisory and professional services. Among them are access to workshops, road maps, and architectural design advisory services, all focused on promoting organizational resilience and delivering on zero-trust security practices.
HPE GreenLake for Data Protection also aids in the cyberresilience journey because it removes up-front costs and overprovisioning risks. “Because you’re paying for use, HPE GreenLake for Data Protection will scale with the business and you don’t have to worry [about whether] you have enough backup capacity to deal with an application that is growing at a rate that wasn’t forecasted,” Leech says.
For more information, visit https://www.hpe.com/us/en/solutions/security.html