
Strengthening Cyber Resilience

Recent geopolitical events have put IT security departments across the globe on high alert. However, when interacting with colleagues from other departments, does anyone even know what we're talking about?

First Published 15th March 2022 | Latest Refresh 23rd April 2023


I've tried nothing and I'm all out of ideas.

5 min read  |  Reflare Research Team

The rise of cyber resilience

Since the beginning of the Russian invasion of Ukraine and the associated cyber-attacks against a wide range of targets, the concept of strong cyber resilience has become the buzzword of the time. 

While governments, militaries and corporates all proclaim their determination to increase their cyber resilience, what exactly this means is an excellent question. In fact, when the Reflare team sat together to brainstorm this briefing, we realised that the techs and non-techs had wildly different ideas about what “cyber resilience” is supposed to stand for. We spoke to a number of other companies from multiple industries and geographies, and found the same gulf in their internal (mis)conceptions of what people think cyber resilience is meant to be.

Based on our findings, we think there is a very good chance that it's the same in your organisation too.

In this report, we will take a look at the different interpretations of cyber resilience to ensure that you are not talking about different topics when discussing it with your leaders.

Where does the term come from?

The terms cyber resilience and cyber resiliency (the two are used interchangeably) have been around for almost a decade but did not break into the mainstream until the Russian invasion of Ukraine led to seemingly every soft target getting hacked at once.  

At this point, people started looking for ways to frame what was happening and stumbled across “cyber resilience”.  

Unfortunately for anyone trying to have a conversation about the topic, the term “cyber resilience” is very close to “business resilience”, with the latter being much more common in business circles than the former is in tech circles. This has led businesspeople to assume that “cyber resilience” simply means “business resilience but for IT”. To get to the point: it is not. Or at least not quite.

"I'm from Head Office and I'm here to help"

Business resilience is a concept that broadly describes a business's ability to keep operating during a disruptive incident. Depending on the business, this could be anything from the flooding of a factory to the COO going viral on Twitter for supporting child slavery (hold that thought).  

A resilient business is able to provide either all or some of its services during and after the incident. For example, factories may be built in different risk zones with a fleet of emergency response trucks designated to move goods between factories or an emergency social media plan to redesign a mascot character along culture war lines to distract from the whole child slavery thing. 

The approaches to business resilience are as varied and plentiful as the problem it tries to solve. 

"I'm from HR and I'm here to help"

To further complicate the definition, recent years have seen an astronomical rise in “resilience” as a term used in Human Resources and Talent Management departments, widely popularized by Angela Duckworth's 2017 New York Times bestseller ‘GRIT’. This book translated her work on child psychology in educational practices into occupational psychology for corporate performance, and businesspeople lapped it up. (NB: corporate types love acronyms, and surprise surprise… the R in GRIT stands for "resilience").  So, if you talk about resilience to anyone who works in talent, you should be mindful that they are going to hear something completely different again. 

From here (depending on your perspective), it is reasonable to assume that “cyber resilience” is just the “cyber security aspect” of business resilience, or alternatively, it’s just the “cyber security aspect” of resiliency in occupational behaviour. However, it is neither. 

"I'm from IT and I'm here to help"

The concept of cyber resilience is a relatively well-defined set of operating principles which assumes that breaches will happen one way or another and that it is therefore imperative to design systems so that they are able to quickly recover from attacks and prevent lateral spread. 

By and large, this is achieved by building heterogeneous systems with strong segmentation, privilege separation and failover in place. This way, even if an attacker gains control of a part of the system, they will have a hard time taking over the rest. Hopefully, the safeguards in place will lead to the attack being detected and eradicated before the attacker can cause significant damage.

Both the US Cybersecurity & Infrastructure Security Agency and NIST have published detailed guides on how organisations may increase their cyber resilience. Interestingly, most of these guides were last updated more than 5 years ago. As we said, “cyber resilience” was not a particularly common term. 

So, what are we actually talking about?

With this out of the way, think back to the last meeting you attended where cyber resilience was discussed. Which one of these topics do you think you were talking about? And do you think everyone else was talking about the same thing? If not, or even if you’re not certain, this is the time for clarification and fact-finding. “Business resilience but for cyber” and “cyber resilience” are not the same. If your C levels are talking about the former and your techs are talking about the latter and HR is talking about something different yet again, you are about to have a bad quarter, and more importantly, you're about to not improve the security of your organisation in the face of the new threat landscape. 

We ended up getting key decision makers into the same room to describe what they thought cyber resilience meant. This let us identify not only the gap between techs and non-techs but also the gaps between different definitions within the non-tech team itself.

It is important to note that there is no “right” answer here. There is a case to be made for “business resilience but cyber” and also one to be made for “cyber resilience”. Of course, there is also a point to be made for focusing on good-old cyber security and finally tackling that training or infrastructure project that’s been “up for review” for the last 26 months instead of chasing the new buzzword. 

Build a commonality of terms, or stay misunderstood

There is a management term called “business resilience”. There is an HR term called “resilience”. There is a tech term called “cyber resilience”. Cyber resilience is not “business resilience but cyber”. If you did not know this and have been talking about “cyber resilience” these past few weeks, get your team together to figure out what everyone thought they were talking about before the semantic differences cause at best lost time and at worst bad strategic decisions. 

To stay abreast with the latest in misadventures from the intersection of business jargon and tech speak, consider subscribing to our newsletter.
