The 10-second version is this: Cyber resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is business risk, and always has been. The cybersecurity industry, for what it's worth, has generally avoided this idea because it undercuts the narrative that its offerings, whether a firewall, an IDS, a monitoring tool, or something else, are the one-size-fits-all silver bullet that keeps a business safe.
But reality tells a different story: worldwide cybersecurity spending has risen every year since the term came into use, and so have the number and severity of data breaches. One would expect that pouring billions into a specific problem would eventually produce some indicator of improvement. Clearly, the status quo is not working.
Fortunately, businesses and governments are waking up and understanding that cyber risk is a far more nuanced problem than any single product could tackle. They are realizing that achieving a resilient state requires more than technology — it requires information, awareness, people, and processes in place so each organization can understand their unique risk posture.
To get a sense of the scale of the problem, consider the cyber risks facing the very smallest of businesses. Even the simplest mom-and-pop operation is subject to many of the same types of threat as a large enterprise. Take the barest minimum of business computing: a spreadsheet on a workstation containing customer records. An entire small business can live in that file, but the file must be stored somewhere secure, must be backed up (and the backup must actually be restorable), and must carry appropriate permissions so that only the people who need it can read or change it. It also faces a set of ongoing risks: malware on the host machine, hardware failure, weak or reused passwords, and attackers, inside or outside the business, who want the data. Now extrapolate that to the size of an enterprise, with countless sensitive files spread across thousands of employees and thousands of servers on an ever-changing infrastructure, and it is easy to see one way in which understanding cyber risk becomes very complicated, very quickly.
The first instinct on realizing the vastness of the potential risks to your business is to lock everything down as tightly as possible. That is prudent up to a point, but go too far and you grind business operations and innovation to a halt, which is another type of risk in itself. As so often in life, neither extreme is ideal and the appropriate balance must be found. That is the challenge, and really the art, of cyber resilience: recognizing and understanding cyber risk as business risk, and making the most appropriate decisions going forward. Rejecting cyber resilience by marginalizing cyber risk as "an IT problem" or "something for the CISO to worry about" is a critical error that actively harms the entire organization.
That is one of the core reasons we built UpGuard: the realization that every device, every configuration item, and every process an organization puts in place shifts its overall risk, for better or for worse. No traditional or manual approach to understanding that risk can hope to keep up with the explosive rate of change now happening inside organizations.
That’s why we built UpGuard, the world’s first cyber resilience platform.
Mike Baukes and Alan Sharp-Paul
> What is UpGuard?
UpGuard is the company behind CSTAR (Cyber Security Threat Assessment Report), the world’s only comprehensive and actionable cybersecurity preparedness score for enterprises. The score allows businesses to understand the risk of breaches and unplanned outages due to misconfigurations and software vulnerabilities. It also offers insurance carriers a new standard by which to effectively assess client risk and compliance profiles. Both are critical solutions in an age when breaches have become an inevitability for organizations.
Just as credit scores aggregate financial risk factors into one easy-to-understand number, CSTAR provides a single measure of risk for information security to customers including Rackspace, Ulta, Citrix, Amadeus, PGI and ADP. Based on information about an organization’s actual configuration state and testing habits, CSTAR has established itself as one of the most comprehensive assessments of internal and external systems available, representing the collective vulnerability of every server, network device, and cloud service to the risk of breaches. With the help of CSTAR, customers are able to trace changes down to the smallest building blocks of information technology, and can then use the full report to remediate risks internally, as well as potentially negotiate better cyber insurance policies.