A CISO’s guide to creating a cyber resilience toolkit

Every chief information security officer (CISO) knows it isn’t a matter of “if” but “when” the systems that run their business will be disrupted in some way. Unfortunately, it’s an aphorism that security leaders continue to live by even as network environments are increasingly difficult to protect for two primary reasons: complexity and the increasing volume and velocity of attacks. 

COVID-19 accelerated the unleashing of the genie, and now every business is connected, aka network-enabled. But every time assets and devices are exposed to the internet, an organization’s dependency on the network increases, their investment increases, and network complexity increases. Network security and reliability are paramount to business success. So, security leaders need to find a way to see how these changes impact their cyber risk and where to focus to build resilience. 

Additionally, the industrialization of hacking has made it cheaper, faster and easier for threat actors to inflict damage. Ransomware-as-a-service is a recent example, but security leaders began seeing this shift years ago when spam emerged. Anyone could go to the dark web and, with a budget of a few hundred dollars, find a dozen “spray and pray” tools to start launching attacks and infiltrating networks — no technical background required. This asymmetry has created an economic problem, not a technology problem. With few barriers standing in their way, the bad guys are thriving, while the good guys constantly strive to stay ahead of threats while having to comply with guidelines and regulations.

As a CISO, making cyber resilience part of daily vocabulary is critical to leveling the playing field. Thinking programmatically about cyber resilience and adequately arming security teams are vital to keeping a business up and running in today’s complex and asymmetric attack environment. 

So the question becomes, have security leaders prepared their cyber resilience toolkit? 

The yin and yang of cyber resilience

There are two complementary sides to the cyber resilience toolkit. There’s the prevention side, being aware of something coming so there’s time to stop it. And there’s the recovery side, being able to quickly and thoroughly clean it up. Incorporating a programmatic approach into a daily routine will help security leaders work smarter to mitigate risk and minimize downtime. 

Here is some important guidance when creating a cyber resilience toolkit. 

Prevention

  • Understand the network infrastructure: Prevention starts with thoroughly understanding the network and security devices, including the manufacturer, the type, the version and the firmware version across multivendor network environments.
  • Mitigate configuration drift: Research on over 900 ransomware incidents from 2023 indicated that 28% of organizations had issues related to network segmentation or improperly configured firewalls. Detailed knowledge about a network infrastructure will allow security leaders to quickly see which devices are configured properly and patched and which need to be brought into compliance. Tools that do the mapping and automatically groom devices back into compliance allow teams to do this as part of a routine.
  • Employ risk-based vulnerability management: Network devices are getting smarter, which makes them highly attractive targets, but they don’t all present the same level of risk. It’s important to address known vulnerabilities based on the devices and versions within an environment and their critical role within operations. This allows security leaders to focus resources on patching vulnerabilities that pose genuine risks.
  • Automate OS updates: When a critical vulnerability patch involves updating a firewall OS, security leaders can’t wait until regularly scheduled monthly or quarterly maintenance windows when updates are done manually. Updates can be automated as part of their cyber resilience regimen and incorporated into existing daily workflows. 

Recovery

  • Document scenarios: Understand and document which scenarios security leaders will be equipped for and which will be out of scope so they can focus their resources on where they think they will drive the greatest value to the business.   
  • Establish playbooks. With the scenarios outlined, document the corresponding playbooks to apply in an emergency. Playbooks should include roles and responsibilities, timelines and specific steps so that teams can confidently respond when a breach or other disruption happens. Keep physical copies of playbooks in case digital systems are compromised. Review the playbooks as their business and infrastructure evolve to ensure they are still applicable.
  • Shrink time to recover to a known and trusted state. It’s not enough to have backups. Security leaders need to test their backups and their ability to quickly restore to a trusted state in an emergency. Validating and automating backup and recovery accelerates the return to “business as usual.”

Driving to success

Even the best toolkits will fall flat without the right people involved in the cyber resilience program and proactive communication with executive leadership. These tips can help:

  • Appoint a leader to oversee the planning process who has an IT background to understand the challenges, solid project management skills and strong business acumen. 
  • Include members from your IT, security and network teams as well as key stakeholders from critical business units in the planning process.
  • Make cyber resilience program updates a standard part of their quarterly review and board discussions.
  • Have reliable data-driven reporting in place and a dashboard that makes it easy to understand the current state of the business’s cybersecurity risk posture and plans moving forward. 

A final word

As a business continues to grow and, with it, their dependency on the network, it’s essential to make the time to determine what will reduce the frequency of disruptions and accelerate recovery. In addition to these recommendations, there are plenty of resources from NIST and CIS that can help. Determine what will work best for a security team, given the size of their organization and team, and keep evolving their program as their business evolves. Even if they start small, the point is to get started now.