Security

Developing the foundations of resilience

Zscaler is a Business Reporter client

As organisations face up to the inevitability of cyber-attacks, they need to shift their approach from piecemeal measures to developing a culture of resilience by design.

Security and risk management (SRM) professionals are at the frontline when it comes to defending organisations from cyber-threats, and many understand that it will be a case of when rather than if their business becomes a target. The World Economic Forum’s Global Risks Report 2024 ranks cyber-insecurity as the fourth biggest risk facing organisations, up from eighth place the previous year.

This calls for a different approach to that traditionally taken by IT teams; one where organisations look to become truly resilient, able to protect themselves against the risk of cyber-attacks as much as possible but also to recover should one occur.

“Resilience is all about looking at the challenge holistically,” says Marc Lueck, CISO in Residence at cloud-based cyber-security platform Zscaler. “It requires looking at this as a philosophical challenge, rather than a technical one, so businesses can ensure they’re prepared and can respond quickly to any attack. We need to move away from the old-school thinking of controls as isolated measures that are applied to a business and look at how to achieve overall resilience.”

Research by Gartner, however, suggests that many SRM professionals are uncertain how resilience can help strengthen their security programme, and instead rely on stale, fragmented approaches at an operational level rather than as part of a wider enterprise-wide initiative.

Rather than merely tackling technical issues and reacting to events that happen, organisations need to implement a “resilient by design” approach, says Lueck. This means taking a step back to ensure the business architecture is set up to prevent interruptions and can protect itself against threats, with an IT infrastructure that is designed to reduce risk, and where there’s a strong focus – led by IT – on building teams and cultures that are resilient in nature.

“The ability to prevent an attack, withstand an attack as it’s going on and recover from an attack after it’s happened is not something that can be done by one group or one technology in one area of the business,” explains Lueck. “Businesses need to look holistically across their organisation and ensure they have this deep ability to prevent, withstand and recover from these attacks.”

This means ensuring that resilience is factored into every decision-making process, including when building or extending business capability, rather than after that capability is already established. “It can enhance business agility, because changes in architecture can actually speed things up,” says Lueck. “It’s about thinking about the challenge before you enact business changes.”

He uses the analogy of preparing for a storm, using a mixture of monitoring forecasts, deploying tools such as umbrellas and making building enhancements to help mitigate the impact, and then ensuring essential services such as roads and ambulances are on hand to cope with any damage. “The storm is a perfect example,” he says.

“By managing your external attack surface and looking at consuming threat intelligence, you’re starting to predict the storm. By ensuring that you have appropriate controls and connectivity, you are starting to work out how to clear up afterwards.” Carrying out testing through tabletop exercises is an important element of this, he adds, so businesses can predict what might happen in a time of crisis.

It’s essential, though, that this is not left entirely to SRM professionals. “We need board members making the case for resilience, and that’s why resilience is such a handy title, because it’s not mired in the jargon of cyber-security,” he says. The same approach can be applied to other risks organisations face, he adds, such as coping with disruption as a result of global conflict. Through this, business leaders can also improve their own personal resilience, helping them to become better leaders in the process.

Organisations that can adopt a resilient-by-design approach can expect to gain significant competitive advantages, as well as being more resistant to incidents. Gartner’s research suggests organisations that adopt the principles of resilience outperform their less resilient peers, building stronger, more adaptable cyber-security programmes and having a clear plan for when something goes wrong.

“Attacks are becoming more common, and if we’re all going to experience this in some form, resilience can be the competitive advantage to get your business going quicker, with more profit, or just to keep your business going at all,” says Lueck. “Investing in resilience can not only protect a business but ensure that it is successful. That is a first for security, and it’s only in the past couple of years that it has become the enabler we always dreamed it might.”


To find out more about how Zscaler can help your business become resilient by design, visit zscaler.com
