Building a Culture of Cyber Resilience

Commvault CEO Sanjay Mirchandani welcomes cybersecurity pro Rosa Kariger.

Cyber resilience is more than just a buzzword – it’s a critical component of business strategy. So says Rosa Kariger, a leading expert in cybersecurity, who recently joined Commvault President and CEO Sanjay Mirchandani on the Resilience Uncompromised podcast. Rosa reflects on her experience as CISO at Iberdrola and in cybersecurity at the World Economic Forum and shares valuable insights on how organizations can build a culture of cyber resilience.

Understanding Cyber Resilience as an Operational Risk

Cyber resilience isn’t just about having robust disaster recovery and backup systems. It’s about enabling your business to continue to function and provide essential services even when your IT infrastructure is compromised. Rosa emphasizes that cyber resilience should be integrated into your overall risk management strategy. This means treating cybersecurity as a strategic business enabler, not just a technical challenge.

The Importance of Preparedness

Preparedness is a cornerstone of cyber resilience. Rosa stresses the need for scenario planning, particularly for situations where you might lose complete connectivity. Having a Plan B in place for critical business functions is essential. This allows your organization to maintain operations and continue to serve your customers during a cyber incident.

Clear Responsibilities and Accountability

Building a culture of cyber resilience requires clear responsibilities and accountability. Rosa points out that every employee, especially those deploying technology, should be held accountable for the cybersecurity of their processes. Cybersecurity should not be the sole responsibility of the CISO or IT teams. Instead, it should be a shared responsibility across the organization.

Technical professionals should be incentivized to uphold cybersecurity, as they are responsible for the quality, efficiency, and cost of the technology they work on. This approach integrates cybersecurity into the core of business operations and makes sure it is not treated as an afterthought.

The Role of the Cybersecurity Function

The cybersecurity function should act as a consultant and second line of defense. This means providing guidance and intelligence to the organization while specific cybersecurity responsibilities are embedded within technical and operational teams. By doing so, the cybersecurity function can offer strategic insights and support, helping to create a more resilient and secure organization.

Practical Steps for Building Cyber Resilience

Building a culture of cyber resilience is not just about implementing advanced security technologies; it’s about fostering a mindset where every employee understands and takes responsibility for cybersecurity. Here are some practical steps and real-world examples to help organizations achieve this:

  1. Integrate cyber risk into overall risk management: This means that risks associated with technology use are identified, accepted, and managed at all levels. By doing so, employees are better prepared to handle cyber incidents and to maintain business continuity even when technology fails.
  2. Increase preparedness: Run regular exercises that simulate a complete loss of connectivity or other major disruptions. This helps increase the organization’s tolerance to failure. For example, a financial institution might simulate a scenario where all digital transactions are halted, and employees must rely on manual processes to continue operations.
  3. Define clear roles and responsibilities: Confirm that every team, including technical and operational roles, has clear cybersecurity responsibilities. This distributed accountability gives everyone an incentive to maintain security. For instance, in an industrial setting, an engineer working on the digitalization of a process should be accountable for the cybersecurity of that process, not just the CISO.
  4. Provide proper training: Training is crucial to enable employees to manage cybersecurity risks effectively. Technical professionals should be trained to understand and mitigate cybersecurity risks in their specific roles. This ensures they are knowledgeable and capable of implementing the necessary safeguards.
  5. Implement a “sustain” strategy: Develop a Plan B to maintain business continuity during IT infrastructure disruptions. This could involve having backup systems, manual processes, or alternative communication channels. For example, a healthcare provider might have a plan to use paper records and manual check-ins if their electronic health records system goes down.

By following these steps, organizations can build a robust culture of cyber resilience. This approach helps prepare everyone to handle cyber incidents, maintain business continuity, and protect sensitive information.

Cyber resilience is a journey, not a destination. By integrating cybersecurity into your risk management practices, fostering a culture of accountability, and maintaining a well-prepared and informed workforce, you can help create a resilient organization that is ready to face any challenge. Stay proactive, stay informed, and stay resilient.
