
Cyber Resilience: Real New Practice or Just a Coat of Paint on Some Old Concepts?


Implying that cyber resilience is some new elevated concept encompassing preventative, mitigative and reactive measures is somewhat misleading.

 

Once again, the definition of cyber resilience comes across my desk.

I first wrote about it in 2019 in the context of some reflections we were having with the Security Transformation Research Foundation: In the end, we decided to focus our attention elsewhere, as the concept of cyber resilience did not appear to have a great deal of traction with cybersecurity practitioners in the field at the time.

I spoke about it again in 2023 in Series 4 (Episode 22) of the Cybersecurity Transformation Podcast, this time in the context of two distinct role descriptions I had come across, clearly using the term to mean very different things.

In both cases, and many others across my field practice, at the centre of my concerns lay the meaning behind cyber resilience and the absence of an accurate and commonly accepted definition for it.

This time, it is this piece in the HBR that has caught my attention (When Cyberattacks Are Inevitable, Focus on Cyber Resilience, Keri Pearlson, July 18 2024).

The article does offer a clear definition of cyber resilience, but to me it appears to conflict, in a way, with several decades of cybersecurity good practice.

Defence-in-depth is truly what’s at the heart of cyber resilience in my opinion. On that point, I think we can all agree, and that’s clearly the sense of direction I was articulating in my two earlier pieces on the theme.

But reducing the concept of defence-in-depth, and cybersecurity at large, to preventative measures alone (the “old fortress” metaphor in the HBR article) is clearly restrictive.

And implying that cyber resilience is some new elevated concept encompassing preventative, mitigative and reactive measures is somewhat misleading.

Cybersecurity good practice has always been articulated, since its inception, around a concept of defence-in-depth combining preventative, mitigative and reactive measures.

The first iteration of the NIST Cybersecurity Framework, published in 2014 (over 10 years ago), without going much further back, already had “identify-protect-detect-respond-recover” as its backbone.

The article also states that cybersecurity investments over the years have been massively oriented towards preventative measures, to the detriment of the others. Without detailed access to the underlying research, it is difficult to argue the point further, but the statement feels, in itself, slightly confusing: The SIEM market alone (clearly on the detection and response side, i.e. mitigative and reactive rather than preventative) is broadly estimated in the region of $10bn at the time of writing, and steadily growing.

In the end, it feels like we are still grappling with a fairly clear language issue, as we already felt five years ago with the Security Transformation Research Foundation: Whether you call it cybersecurity or cyber resilience, it is only the true implementation of security good practice, across all its dimensions (preventative, mitigative and reactive) that can protect the enterprise.

Presenting cyber resilience as a new concept, while it is simply the repackaging of good practice elements that have been around – in some cases – for more than two decades, may appear attractive to some CISOs trying to rebadge their practice in an attempt to make it look more “modern”, but in the end, I doubt all this will move the needle.

Top executives are used to this constant re-invention of themselves by technologists and their consultants; they will probably see through this one, as they did with previous attempts. During the first decade of this century, for example, nobody was talking about cybersecurity; the terms “information security”, “IT security” or “infosec” were largely dominant. The rebadging of those concepts under “cybersecurity” started to happen around the second decade of the century, in a context and with justifications largely similar to the ones we are describing here.

I have argued for years that cybersecurity governance is an essential element in the business protection jigsaw, and not a useless piece of consultant jargon.

It feels more and more like cyber resilience may be just that: A piece of useless consultant jargon. A new coat of paint and some smart window-dressing over the same old concepts that large firms have struggled to implement for decades.

Whether, and how, this approach can be successful at engineering different dynamics remains to be seen.

 

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.