Dream big, start small, act now.
Robin Sharma
Cyber resiliency is a key emerging competency area
Our team has implemented cyber resilience programs since 2019, when the first NIST 800-160 publication was released.
We submitted a proposal in April 2023 to the NIST NICE Framework team, which endorsed the Cyber Resilience Officer role and all the knowledge and skills it entails.
In June 2023 NIST released a Request for Comments to the community, which was well received.
An SME invite-only workshop was hosted by NIST in March 2024, with nominated representatives from NIST, MITRE, High Value Target and The Chertoff Group, to align on a final proposal defining what the key cyber resiliency competencies are.
Download the FREE Cyber Resilience Officer job description at the bottom of the page.
The Cyber Resilience Officer is an experienced professional who masters the cyber resilience skills defined in:
- NIST 800-160 v1 & v2
- NIST 800-172
- MITRE Cyber Resilience Engineering (CREF)
On top of cyber resilience skills, the Cyber Resilience Officer understands and drives value from these areas:
- Cyber threat management & incident response
- Defensible enterprise security architecture
- Security frameworks, controls, risk & compliance
With solid knowledge of business continuity, disaster recovery, backup and storage, and crisis management:
- Ability to explain the differences between operational resilience, cybersecurity and cyber resilience.
- Well versed in traditional "recover" and "reconstitute" capabilities.
Explore cyber resilience trainings
Learn about the Cyber Resilience Academy best-in-class program. Learn from those who have been there and done that.
Cyber Resilience Officer - Job Description
- The Cyber Resilience Officer is accountable for the organization’s ability to manage cyber resilience and for implementing cyber resilience goals. The role should have regular Board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties.
The organization must have mechanisms in place that give the Cyber Resilience Officer ready access to each of the following: direct communication with the Board of Directors; authority over cyber resilience strategy, management and enforcement actions; cyber resilience expertise and executive training; and the acquisition of personnel, financial and technology resources.
The role seeks to:
• Continuously understand and uplift the organization's cyber resilience posture.
• Answer the question – Could we be the next victim of extreme but plausible cyber threats?
• Shape the reporting of cyber resilience risk at risk forums across the organization in order to drive awareness and change.
This requires an individual who can work across the various lines of defence and bring expertise and analysis in the area of cyber resilience, specifically the ability to:
• Understand current cyber threats and the technical aspects of the attacks used.
• Provide oversight and influence of the organization’s cyber assessment capabilities.
• Participate within threat action groups targeting cyber resilience related threats.
• Work with reporting and analytics teams to produce innovative risk reports related to cyber resilience.
• Mix quantitative and qualitative metrics to measure cyber resilience exposure in a non-technical way.
• Identify and collate cyber resilience requirements in support of enterprise security architecture engagements.
• Lead through influence and collaboration supporting constructive input and challenge.
• Collaborate and influence colleagues across various lines of defence including CISO and CIO teams.
• Continuously identify critical third parties and ensure a thorough understanding of the organization's important business services.
• Set impact and risk tolerances, monitor threshold levels and contingency plans for important business services (including third parties).
Qualifications:
• Proficiency in the main cyber resilience frameworks like NIST 800-160, MITRE CREF and NIST 800-172.
• Have significant experience working in cybersecurity threat management.
• Experience of the tactics, techniques and procedures used by advanced cyber adversaries.
• Experience of cyber resilience strategies, design, engineering and architecture.
• Significant technical expertise and the ability to communicate in depth with colleagues from blue, purple and red teams.
• Ability to focus on extreme but plausible threats as well as other possible threats.
• Experience in third party risk management and in mapping important business services to their supporting assets (people, technology, vendors, etc.).
• Able to communicate to technical and non-technical audiences, able to explain complex topics with simplicity.
• Able to articulate requirements clearly to non-cyber experts in data analytics, reporting and risk, so that the resulting cyber resilience reports are consumable and relevant.