Eight years ago I determined to pursue another ambitious goal — to write a book that would strip away the complexity and ambiguity of the cyber security subject and communicate practical guidance to business professionals. I would pour my body and soul into this endeavour.
I realised that without clear guidance on how business leaders can create high-impact, focused cyber security strategies, the idea of cyber resilience would remain a distant dream for many enterprises. Faced with a barrage of high-profile data breaches, some crippling even the best-resourced and most complex of enterprises, some business leaders harboured the deep-seated belief that cyber threat actors are undeterrable and cyber resilience is unachievable. Inside boardrooms, there is a significant amount of justified frustration. Most leaders feel like passengers on a runaway train that the driver can neither control nor stop.
These were reasonable sentiments, but they also raised important questions. Why were some enterprises able to withstand cyber stresses while others were hacked into bankruptcy? And why can some companies bounce back as quickly as they are taken down?
The Five Anchors of Cyber Resilience aimed to tackle these vexing questions by helping business leaders focus on five strategic aspects of cyber security that, if properly implemented, would significantly reduce any enterprise’s cyber-risk exposure while keeping costs to a minimum.
Six years after publication, the Five Anchors remain as relevant as before — providing cyber leaders with a simplified framework to prioritise limited resources and accelerate their organisations towards cyber resilience. So, what are these ‘five anchors’? What do cyber-resilient enterprises do differently from other enterprises?
They build their cyber security strategy centred on high-value assets
Cyber-resilient enterprises steer away from conventional, one-size-fits-all cyber security investment models and prioritise the protection of their crown jewels — their most critical information assets, which, if compromised, could severely undermine the enterprise’s bottom line, competitive advantage or reputation, or even threaten its survival. These digital assets represent the heart of the enterprise and underlie the business functions that deliver high returns for stockholders and the product offerings that customers value most highly. Cyber-resilient enterprises are willing to break down barriers and redefine how cyber security is done in order to protect them.
They then build security infrastructure that actively supports these priorities. Unlike many enterprises that start with a predefined set of controls and then build security frameworks around ‘best practice’, cyber-resilient enterprises think differently — they place the customer at the centre of everything they do.
By building customer-centred cyber security models, cyber-resilient enterprises shift the oft-held perception of security (and technology at large) as a cost centre to that of an integral force that empowers business growth and buttresses customer trust.
They put people at the centre of their cybersecurity strategies
Cyber-resilient enterprises put people’s hearts and minds, not technology, at the centre of their cybersecurity strategies. They create deeply entrenched beliefs that protecting the enterprise from cyber threats is everyone’s responsibility, from the board of directors through to frontline personnel. Cyber-resilient enterprises transform employee attitudes and behaviours through compelling and contextualised messages; reinforce good behaviour; and provide steadfast, clear and frequent messages from the top.
These enterprises know that cyber resilience transcends technology — the real work of defending the enterprise takes place within business teams and is underpinned by shared norms and values. They extend the scope of their cyber-awareness outreach beyond the periphery of the enterprise and empower their customers and business partners with real-time, practical insights. Their people embrace the precepts of the enterprise’s cyber risk appetite of their own volition and go well beyond the call of duty to protect the enterprise.
They bake cybersecurity into innovation programs
Cyber-resilient enterprises recognise that, if properly governed, emerging technologies — such as big data, cloud, the Internet of Things (IoT), blockchain, artificial intelligence (AI) and so forth — have strong potential to accelerate innovation, revitalise customer experience and boost competitive advantage.
They actively resist the urge to defer security work, making it an enduring and inescapable facet of all digital transformation programs. They are constantly thoughtful and diligent about the security decisions they make as they embrace disruptive technologies, anticipating major pitfalls early and embedding security deeply into design work. Cyber-resilient enterprises also maintain clear road maps to ensure security capabilities keep up with an ever-changing threat landscape.
They implement a risk-based assurance program over suppliers
Cyber-resilient enterprises acknowledge that in today’s fast-paced business environment, businesses need to partner with external suppliers to access innovative solutions, lower costs or refocus on their core areas of differentiation. But they don’t enter these alliances blindly — many of the most debilitating cyber-attacks have originated in poorly secured third-party environments. Cyber-resilient enterprises manage this complexity by implementing risk-based cyber assurance programs over suppliers, enabling the enterprise to adapt quickly to changing market opportunities, stimulate innovation and access unique capabilities, all while minimising exposure to cyber threats that emanate from poorly secured business partners.
They create highly effective, lean and efficient governance structures
Cyber-resilient enterprises acknowledge that board oversight and C-suite leadership are essential to driving any transformational change, and that cyber security is no exception. Their most senior business officers and the board of directors provide unwavering support for cybersecurity programs.
They role-model expected behaviours and uphold the virtues of their cyber risk appetite. They embed cyber-risk governance into the bloodstream of their enterprises, making it an integral and unobtrusive part of strategic and operational decision-making, and, as a result, foster transparency and accountability.
Cyber-resilient enterprises reject needlessly complex and rigid decision-making structures that impede prompt strategy execution. Instead, they favour lean and efficient structures that can rapidly and flexibly adapt to reflect changing market needs or business circumstances.
Granted, every enterprise is different — there is no universally right cybersecurity strategy. This is a consistent message throughout this book. Like any risk management framework, The Five Anchors of Cyber Resilience methodology does not claim to eliminate cyber risk completely, but does intend to help business and technology executives across different sectors focus on some of the most pressing challenges they face in the current business landscape.
There is certainly no one-size-fits-all approach to cyber resilience — there are many more controls enterprises can implement — but I believe these five are the most essential. By embracing the practical guidance provided by this book, enterprises can significantly improve their chances of defending against cyber threats. The Five Anchors of Cyber Resilience methodology therefore complements good practice frameworks — it doesn’t replace them.