From Risks to Resilience
When high-consequence, low-probability events such as global pandemics and war materialises, our risk models governing information security and privacy tend to fail. Why is that? In this article we give an overview of how shifting your thinking from risks to resilience will help build more future-proof businesses, products, and services.
Resilience is the ability to withstand stress, shocks, and uncertainty. In a cyber security context, these abilities are tightly coupled with your ability to detect, respond, and recover from security threats and incidents. Continue to adapt and learn, and you will become resilient over time.
However, classical thinking dictates that we should use a risk-based approach to prioritise and focus our efforts to make systems and businesses more secure. There are many methods and even professions (hello, actuaries) dedicated to this art. In its simplest form you multiply the likelihood of an event with the event’s potential impact to get a risk score. If you fancy yourself more advanced, you can do Monte Carlo simulations and play with Loss Exceedance Curves.
Managing Director, Cyber & Digital Risk
But the magic in the risk-based approach lies not with the method, but the way the result is used. Unfortunately, risk matrixes are often misused; to justify some singular project or effort to reduce risk, or it is used to communicate that risk is “within tolerance levels” – whatever that means.
Here be dragons. First, we humans are good at responding to risks that affect ourselves, but not those that impact the greater good (in this case, our business for instance). There is a risk that we miss the forest for all the trees. Second, the devil is in the details: Simpler risk methods such as the one mentioned above, which are far more popular within cyber, tend to mask nuances that are needed to make accurate predictions. And the more advanced tend to be too time-consuming and confuse those of us that do not have a Ph.D. in statistics.
And some risks need not be assessed at all. Even the most risk-tolerant of us will glance out the window and grab an umbrella before heading out in the morning if there are dark skies on the horizon. Likewise, if you are doing business online, glance out the window: What you will see is a wild west of threats, nation-state hackers and unreliable supply chains. You do not have to risk assess using two factor authentication or not. Basic cyber security is the cost of doing business in 2023.
Another problem is that the digital space moves too fast for risk assessments alone to keep up. Threats adapt to new protection mechanisms every day and develop new tactics, techniques, and procedures. Software and hardware are deployed at break-neck speeds. New tech is improving rapidly, for instance AI exemplified by large language models such as ChatGPT. The digital world “moves fast and breaks things”, your security approach should too.
Finally, risk assessments are often focused on preventing bad things from happening. A resilience-focused approach, on the other hand, encompasses not only risk management but also the ability to recover and adapt from incidents. It is about ensuring continuity and rapid recovery post-incident. Building resilient systems involves incorporating security and privacy measures that take into account today's threats.
So, what makes a resilient cyber security approach? We find that the organisations that stress-test their systems, learn from failures, adopt a continuous monitoring approach and deploy efficient security measures using a barbell strategy are the ones that are ahead of the pack.
Antifragile systems improve under stress. Think of your body, with each virus it fights off, the immune system grows stronger. Resilient systems can be designed to improve through continuous testing and exposure to simulated or real cyber threats. This can include red teaming, penetration testing, and other forms of ethical hacking to uncover vulnerabilities and improve defenses. Do not test for vulnerabilities only, but also for privacy leaks and for your ability to detect and respond to breaches.
Learn from failures
By adopting a culture that learns from failures and adapts, organisations can become more antifragile. This includes conducting thorough post-mortem analyses after security incidents to understand what went wrong and how to prevent similar incidents in the future. Our best clients also perform root cause analysis on near-breaches and close calls.
Monitor and adapt
Antifragile systems continuously monitor their environment and adapt to changes. In cybersecurity, this can involve real-time monitoring, anomaly detection, and automated response mechanisms that adapt to evolving threat landscapes. By deploying tools such as Endpoint Detection and Response (EDR) on endpoints, which are the ones experiencing the broadest range of threats, the organisation can monitor, catch and adapt to threats more rapidly.
Maintaining a strong, conservative security posture for critical systems while exploring innovative, high-risk/high-reward security solutions for less critical systems is an example of using a barbell strategy to reap the benefits of rapid technological innovation, while still not risking “it all”. This approach can help organisations benefit from technological advancements while minimizing risks to core operations. Notice that this is not a risk assessment where we think that we can predict what is going to happen, but rather a strategy to hedge risk and reward.
There is a caveat here: Some organisations are better advised to take a conservative and less agile resilience approach than what we outline above. National security and defense are one such example. They create secure, but very slow systems and organisations. But spending big on security is not for all. So if you are in charge of a tech startup or scale-up, you should not attempt to align with these organisations. You need to tailor your approach to your available resources, your business, and your threats.
And do not scrap your risk-based approach just yet, it still has its place. But often, our clients need to create a strategy and get things done rather than spending time and money on risk assessments that – by themselves – have little real resilience value.
Finally, many regulatory frameworks are moving towards requiring organisations to demonstrate resilience, not just risk management. One such example is the Digital Operational Resilience Act (DORA) targeting the financial sector. Adopting a resilience-focused approach can thereby help achieve and maintain compliance.
For more information, please contact: