Cyber Resilience: How security, safety and resilience ensure cyber stability09 July 2020 | Enrique Pena
Security, safety and resilience are difficult concepts to define in simple ways because they are highly context-dependent. Their definitions are seldom objective or neutral as they come with certain biases, and always represent the interests of particular individuals, organisations or groups. In this blog, I will explain how Digital14 defines each and provide context for why.
Security can not take place without understanding the meaning of safety. Both terms have been treated as synonyms even though they are not. The difference between them is to consider, for instance, a severe natural disaster, such as a tsunami wave, an earthquake or a massive tornado. Here, safety-related concerns focus on the immediate consequences of the disaster, the physical threat to lives or the environmental destruction that may endanger human life and property. Safety, therefore, is related to whether the people who are exposed to an event-at-hand will be safe, or free from harm as the disaster is taking place.
Safety refers to the protection from accidents or hazards in the context of the health and well-being of people at work or business operations. Security concerns, on the other hand, focus on the longer-term effects such as the economic or financial security of people or organisations subjected by the disaster event. In other words, how the disaster's consequences affect people's or an organisation's abilities to continue existing or establish new existences. For instance, people who lose their house or job due to a disaster, lose economic security, or a company their financial security, and possibly their ability to withstand future problems. Insufficient security means that the system in question is vulnerable or that it is susceptible to internal or external threats.
The essential difference of safety and security is that in terms of security, something happens because it is intended to happen because someone, an individual or an organisation, wants it to happen and has taken steps to ensure that it does. Safety is a condition where people and organisations are protected from danger, and security refers to protection against planned consequences of malicious and criminal acts.
So, security can be achieved and designed by creating a system that delays, prevents and protects against external or internal hazards and actions by criminals and other individuals that threaten an organisation's state. You can now probably imagine how challenging and difficult security-first design can be. Designing for security is brutally difficult; while it may be possible to design for security in the case of regular threats, is it not practically impossible to do so for irregular unparallel events and threats?
The focus of security concerns is on irregular and extraordinary events. This means that no matter what, there are events that we can not imagine and hence even secure by design principles can not fully protect us or be enough. Enter resilience. Resilience looks at how something may go wrong and how things should function under various conditions, including abnormal conditions. Instead of focusing on how to avoid organisational disruption, resilience focuses on how to ensure that these functions are sustained.
Resilience refers to an entity’s ability to continuously deliver an intended outcome or value, despite adverse events. It's the ability of a business not just to survive, but also to thrive in a rapidly changing environment. In all things cyber this would mean a state of an organisation whose employees have access to the tools, communications means, information and data delivered to the right place when they need it as if nothing had happened. Cyber resilience has emerged over the past few years because traditional cybersecurity measures are not enough to protect organisations from persistent attacks. Cyber resilience is hence much more than the typical view of cybersecurity. It is all about making an organisation tougher yet agile so it can withstand unexpected changes.
Confusing security with resilience can be risky, though. When done right, both are strongly interconnected. Security is an indispensable accessory to business, but resilience should be a fundamental value of a business. According to the current definition, “the performance of a system is resilient if it can function as required under expected and unexpected conditions alike, where the unexpected conditions are disturbances but also changes and opportunities”. Resilience is an expression of how people and organisations cope with everyday situations and how they adjust to the new conditions. Safety and security focus on possible threats/hazards, while resilience focuses on what is required to sustain acceptable operations under varying and unexpected conditions.
So, when coming back to cyber security and cyber safety, organisations should look into cyber resilience too, and at what is needed to keep an organisation going in as many situations as possible. In his book, Masys1 proposes that a system must have four potentials to be able to perform in a resilient manner: the potential to respond, monitor, learn, and anticipate.
Being digitally resilient never makes the false assumption that cybersecurity will stop all attacks and breaches. Resilience is about surviving inevitable attacks, despite having robust cybersecurity, and about continuing to do business even under attack. Resilience is about responding to discovered breaches, and while containing them, ultimately prevailing despite them. Resilience is about being prepared for the unexpected.
At Digital14, we see resilience as a core component in our security-first approach of service and solutions development. We design for our clients’ resilient performance by developing and maintaining an organisation’s potentials to respond, monitor, learn, and anticipate. We see security by design as to how to improve the ways in which an organisation functions, rather than just preventing or eliminating threats and disruptions.
We consider security as one of the intrinsic aspects of any solution we develop and build, like the foundations of a house. But as discussed above, security is just not enough and never will be. We design and integrate security needs from the outset, including aspects of resilience and agility. We know things change and organisations need the ability to adapt quickly, patch, update or otherwise refactor systems when required. Secure by design is also about assessing risks, creating plans, developing resilience strategies, training response teams and executives, and conducting realistic drills and exercises to evaluate readiness and provide practical solutions to improve an organisation’s resilience.
Discover how we can help you advance your mission and bring security, safety and resilience to ensure your organisation’s cyber stability.
1 Masys 2019: Security by Design - Innovative perspectives on complex problems
Connect with us