‘Cyber resilience’ seems to be discussed everywhere these days, in light of continuing cyberattacks, and recent concerns that organizations may not be ready to meet the requirements of the Digital Operations Resilience Act (DORA) from January 2025.
In essence, cyber resilience (and by extension operational resilience) is just the same as business resilience. It’s about enabling your organization to adapt quickly and recover fast in the face of adversity. You can’t have a strong business continuity approach today without that including a carefully thought-out and tested cyber resilience plan. Cyber resilience is a key aspect of providing the continuous protection your people and systems require, maintaining a hardened security stance. In a world where most data breaches result from hackers exploiting different attack vectors, from lost or stolen devices, and insiders with malicious intent, we need to constantly evolve and adapt our approaches.
First and foremost, this means developing a robust strategy to provide the resiliency we need; to better secure our mainframe systems and data, and be in a position to resume operations quickly and effectively if an attack breaches our defenses or another event – from flood or fire to human error – impacts on operations. Could you do that right now? To paraphrase the late, great Jimi Hendrix, “If you can get your mind together / Then come on across to me / Oh, but are you resilienced? / Have you ever been cyber resilienced?”
‘Anticipate, withstand, recover, learn, and adapt’
Describing cyber resilience as a discipline that extends beyond protecting against deliberate attack, IBM has described it as a concept that “brings business continuity, information systems security and organizational resilience together… the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as cyberattacks, natural disasters or economic slumps.” The US National Institute of Standards and Technology (NIST) has defined cyber resilience as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
While one line of thinking holds that resilience ultimately comes from recovery, it’s really a combination of planning and prevention plus recovery that underpins true resiliency. Because the attacks will come, and some may succeed: the bad actors are getting smarter, combining existing attack methods with AI and new opportunities presented by quantum computers to wreak havoc. The very best defense may not, in fact, be a guarantee against attack – which is why building in cyber resilience is so important. And this isn’t a new thing, of course. A couple of years ago, for example, it was reported that the UK Ministry of Defence was working with a specialist third party to bolster its cyber resilience. This included running cyber drills and addressing a “security talent gap” through a specialist platform, simulator, and software products.
Meanwhile, the European Union’s Cyber Resilience Act (CRA) has been touted as “the first horizontal regulation to introduce security requirements for connected devices and related services.” Sanctioned by the European Parliament in March 2024, the law introduces EU-wide cybersecurity requirements for the design, development, production and availability of hardware and software products – extending to home cameras, fridges, TVs and toys. Indeed, the regulation applies to all products connected either directly or indirectly to another device or to a network, applying to “manufacturers, software developers, distributors, importers and other economic actors (such as resellers) who supply digital products to the European market.” Cyber resiliency is everywhere, it seems. Including your own organization?
Developing a Cyber Resilience Strategy
At Vertali, we’re seeing rising demand from mainframe organizations who want advice and practical support to help them to prepare, protect, detect, respond and recover from cyber threats – internal or external, whether intended or accidental. And DORA is, clearly, a major driver at the moment. But of course, achieving a high degree of operational/cyber resiliency simply makes sense, quite apart from any compliance requirements.
We recommend a two-pronged approach: first, developing the right Cyber Resilience Strategy for you; and second, using this to build, execute and regularly update a robust Cyber Resilience Plan. No two Cyber Resilience Strategies are the same. Creating a viable strategy depends on collaboration between several preventative, detective, and responsive plans. You may already have some or perhaps even all of these elements. Creating your own tailored strategy will typically draw on existing operational disciplines such as Business Continuity (BC), Disaster Recovery (DR), Incident Response (IR), and Cybersecurity Planning/Plans. These elements already exist in most organizations but tend to be siloed. We need to bring them together: a successful approach to cyber resilience depends on understanding the interrelationships between all these elements, how each one complements and informs the functioning of the others.
Getting started
Your strategy defines how and what you will develop, and the priorities of your Cyber Resilience Plan. Bringing together a balanced program of activities will typically include cybersecurity planning, business continuity and disaster recovery (BCDR) plans, incident response plans, periodic Business Impact Analysis (BIA) and Risk Analysis, regular testing, and stakeholder engagement. It’s also important to have buy-in and support from senior leaders for your strategy, not least because additional investment may be needed. You may need to educate and update your leaders on the threat landscape, based on the assumption that a breach will take place, and explain the risks and possible impacts of not having a Cyber Resilience Strategy and Plan – quantifying the benefits wherever possible in pounds, dollars or euros, making it clear that cyber resilience can help to significantly reduce operational impacts, financial loss, and reputational damage.
Building, executing and updating your Cyber Resilience Plan
With your strategy and the resulting plan based on identifying and understanding the various components that underpin cyber resilience, these components should then be assembled, managed, maintained and continuously improved in line with the strategy. Each organization and its requirements will be different, calling for a flexible approach that can include:
- Regular input from diverse stakeholders, and ideally an ongoing dialogue.
- Identifying and documenting the elements most critical to the business.
- A risk analysis and risk rating of systems, applications and data – Penetration Testing and Security Assessments can be valuable in this.
- Selecting and deploying the right tools and processes that work for your specific environment.
- Ensuring your plan aligns with/reflects wider cyber requirements such as GDPR and the Security of Network and Information Systems (NIS) Directive.
- Documenting, testing, refining and updating – and ensuring you continue testing and updating your plans, and revisiting your strategy as needed.
Tools are also readily available to support your cyber resiliency, and some may work better for you than others. Options might include IBM z Cyber Vault, Dell’s Data Protector for z Systems (zDP), Vertali’s zTrust, as well as products from Rocket Software, Maintegrity, Action Software, New Era, Vanguard, BMC, and others. Talk to the experts, and decide what works best for you.
This short article is not, of course, intended as an exhaustive account of cyber resilience and what you need to do. But I hope it’s provided a flavour of the opportunity, and some of the approaches and methods available. And remember, when it comes to a damaging attack or another event that threatens your cyber security (and operational resilience), it’s probably a matter of “when” not “if”. But you have the power to predict, plan, and be ready – to be resilienced.
A global thought leader and international speaker in mainframe security and technology, and passionate advocate of all things Z, Mark Wilson is Vertali’s Technical Director. He has more than 40 years’ experience across numerous industries and diverse mainframe environments. Mark is also Region Manager for Guide Share Europe (GSE) UK. For more information email: info@vertali.com
Mark has been awarded IBM Champion status for the last four years.