- Frauds such as phishing, malware and ransomware attacks pose a threat to entire economies, governments, and our way of life.
- Cyber security focuses on protecting data, but it is no longer sufficient; businesses need cyber resilience.
- To help businesses implement greater cyber resilience, a framework is needed to measure it.
Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.
Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.
Why cyber resilience over cyber security
Cyber resilience starts with nailing the cyber security basics; at Salesforce, we call it “doing the common uncommonly well.” This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security. But we need to be doing these things continuously, not just once a year.
Beyond that, businesses need to build resilience into every part of the business, from business process mapping to engineering service availability to critical vendor dependency. They need to limit the impact of cybercrime on a company’s brand, finance, legal, and customer trust obligations. While these areas typically receive limited attention, resources, or executive focus, they are significant elements in the case of a real threat.
The aim of cyber resilience is clear enough: to ensure operational and business continuity with minimal impact. But the reality can be harder to pin down, because there’s currently no good way to measure cyber resilience. As leaders, we need to have a certain level of confidence in our ability to respond to an attack, to maintain our customers’ trust, to absorb the financial, legal, and brand impact, and to get back to business. But there is no widely accepted cyber resilience framework, no maturity model, and I think there should be.
After all, there are countless other maturity models that allow businesses to measure their capabilities in digital transformation, supply chain, cyber security, and data management, to name just a few. What might cyber resilience maturity look like? This is not just about the ability to respond and recover; it’s about how quickly we recover and what we prioritize.