The third Innovation Roundtable at the 13th Billington Summit focused on cyber resiliency. A mix of private sector, federal government, and academic experts discussed various views of what this entails, suggested what to consider when building and practicing effective resilience efforts, and highlighted key areas of focus to help prioritize important resilience actions both proactively and when bad things invariably happen. The group differed in how they defined cyber resiliency, offering several distinct but useful ways to describe it, including:
- The preparation for, response to, and recovery from cyber incidents impacting your organization.
- Leveraging the knowledge of what you have, identifying risks and vulnerabilities that could impact what you have, and continually identifying ways to improve your security posture to best protect it. What you have includes the data, system, and operational mission that you are assigned to protect.
- Building a system that can survive events that could negatively impact it.
The group highlighted some useful considerations when thinking about building and ensuring a robust, resilient cyber program.
- Visibility and awareness are the two most important ingredients to link and prioritize business mission imperatives with an effective cyber incident plan.
- Think about the concept of “Operational Resiliency” as opposed to “System Resiliency.” This better aligns how you construct a program so that the business mission of your organization can endure even during major incidents, and so that recovery restores the highest-priority functions in the appropriate order.
- Think about resiliency holistically. Ensure that you think about risk beyond cyber to include natural disaster or inadvertent events such as power outages to best prepare for the unexpected.
- The best thing to do when building a resiliency program is to start the journey. The group highlighted that usually the hardest part of the effort is simply setting aside the complexity and getting started by brainstorming ideas.
The group also discussed some specific considerations when building and maintaining an effective cyber incident program both proactively and when actually responding. They included:
- A focus on taking care of business: linking your incident planning to the mission, and knowing where affected operations could have the greatest impact on accomplishing that mission, is key to building an effective program.
- Building an effective communication plan alongside your incident plan will be key to managing expectations and ensuring primary operations are impacted as little as possible.
- Identifying lines of authority and decision-making to help provide clarity during the response itself. This would include getting decision-makers to participate in proactive exercises.
- Building flexibility into the cyber resiliency program to account for the multiple ways your cyber program can be impacted, while allowing the response to be matched to the scope, severity, and specifics of the incident and its impact on your business.
- Continual vulnerability testing and remediation, together with incident response exercises (gaming), are key.