Business resilience is an outcome of well-executed information security, operational resilience, and cyber resilience.
Cyber Resilience Manifesto
Who is accountable for cyber resilience
A robust cyber resilience strategy requires skillsets across operational resilience, information security, and cyber resilience. Therefore, successful cyber resilience programs are built by accountable cyber resilience practitioners who acknowledge the inevitability of breaches and focus on removing the adversary's tactical advantage. This process involves constant analysis, planning, and execution of cyber resilience techniques to improve architectural resiliency against advanced cyber threats.
Cyber resilience as a competency: a set of abilities related to architecting, designing, developing, implementing, maintaining, and sustaining the trustworthiness of systems that use or are enabled by cyber resources to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and attacks.
While accountability for cyber resilience may span various roles depending on an organization’s structure, a cyber resilience officer who is accountable for the organization’s ability to manage cyber resilience and implement cyber resilience goals is a sound way forward.
As such, a first step for any cyber resilience officer [1] should be to advocate for ensuring the organization’s most critical assets are properly identified, protected, continuously assessed, and governed.
References:
[1] https://www.weforum.org/agenda/2021/11/3-principles-to-help-build-a-cyber-resilient-organization/
The Cyber Resilience Officer
"Cyber resilience must be governed from the top. Too many leaders who are not technical experts delegate cyber defence because they think it is too complex. In addition to taking responsibility, a dedicated Cyber Resilience Officer needs to report directly to the Board. In fact, boards should focus on which systems support critical activities, rather than approaching the problem through the lens of software vulnerabilities."
What does the role entail
The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber-resilience goals. The Cyber Resilience Officer should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties. The role should be formally defined and documented with clearly understood expectations and obligations. The organization has clear mechanisms for providing the Cyber Resilience Officer ready access to each of the following: communication with the Board of Directors; empowerment over cyber-resilience strategy, management and enforcement actions; cyber-resilience expertise and executive training; the acquisition of personnel, financial and technology resources.
The Cyber Resilience Officer is an experienced professional who masters cyber resilience skills:
- NIST 800-160 v1 & v2
- NIST 800-172
- MITRE Cyber Resilience Engineering
On top of Cyber Resilience skills, the Cyber Resilience Officer understands and drives value from these areas:
- Cyber threat management & incident response
- Defensible enterprise security architecture
- Security frameworks, controls, risk & compliance

with solid knowledge of: business continuity, disaster recovery, backup and storage, crisis management
- Ability to understand the differences between operational resilience, cyber security and cyber resilience.
- Well versed in traditional "recover" and "reconstitute" capabilities.