Strategically building breach resilience

Visit BSI's Experts Corner: Home for insights from BSI’s practice directors and industry experts on digital trust, environmental, health, safety, security, and sustainability.

September 28, 2023 - Cybercrime is predicted to cost the global economy $10.5 trillion by 2025, yet in 2022/2023 50 percent of UK senior executives focused on recovering from attacks rather than on preventing them. This highlights the need to strategically build and maintain breach resilience if the 2025 predictions are not to become reality.

Regardless of industry, an organization's approach to breach resilience should be strategic, proactive and transparent, and built on a multi-tiered defence. Implemented correctly, breach resilience builds confidence that the organization is safeguarded against an ever-evolving threat landscape. Fostering a culture that acknowledges breaches as inevitable and prioritises effective preparation, detection and response mechanisms also raises organizational maturity.

Unlike the broad appeal of terms such as "cybersecurity", breach resilience centres on a framework that reinforces self-awareness and risk-based, targeted security capabilities. Establishing this framework involves several steps, each of which must align with strategic objectives, risk appetite and regulatory requirements:

  1. Alignment with business objectives: For defence to succeed, breach resilience must align with the overall business strategy. Security and privacy professionals must understand what the business intends to achieve, and then tailor defence and recovery capabilities so that they are commensurate with and complementary to those aims.
  2. Understanding the ecosystem: A clear understanding of the organization is imperative: the industry and locations in which it operates, the stakeholders at play, and the regulatory requirements that apply to it.
  3. Threat landscape: The next step is to identify what needs protection, whether the organization poses a systemic risk to the industry or country in which it operates, and which threats and threat actors are most relevant to it. This knowledge is the foundation for proactive defence. Online resources such as MITRE ATT&CK® (which catalogues adversary tactics and techniques and the threat groups that use them) and the ENISA Threat Landscape 2022 report help analyse the landscape.
  4. Asset mapping: An asset is anything that provides value to the business: its people, processes, technologies and facilities. Once the organization is in an informed position, the next stage is to cross-map threats against assets, giving clarity on which threats would impact which parts of the business.
  5. Security controls: Next, assess the current state of the existing security controls and mitigation capabilities that defend each asset against the relevant threats and actors. There are several ways to approach this, such as evaluating controls against an established control catalogue like National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5. The NIST Cybersecurity Framework can then give a holistic view of the maturity of the organization's cyber posture and of its ability to identify, protect, detect, respond and recover.
  6. Future state determination: Once the current state is understood, collaborate with leadership and stakeholders to discuss, determine and agree a desired future security posture. The goalposts may move at each annual posture review, so pragmatic ambition here helps guide the direction of resources.
  7. Strategic roadmap: Using the output of the assessments, the organization can prioritize the work and assign a leader accountable for achieving the strategic outcome. The roadmap should set out the actions, investments and resource allocations needed to reach the agreed goals.
  8. Transparency and communication: It is now critical that leadership, stakeholders and investors understand where the organization wants to go and how it intends to get there. Present the current state of maturity to key stakeholders, highlight how well the organization defends against specific threats, and provide a transparent overview of its security posture.
  9. Budget determination: This is the fun but critical make-or-break point. The organization now has the knowledge, but does it have the money and the drive to achieve the desired outcome? Stakeholders should weigh the findings of the steps above and ensure that the budget evolves in line with the organization's goals and the growing threat landscape. An insufficient budget leads to inadequate protection and a degrading cybersecurity posture.
  10. Resource allocation: Finally, allocate the resources set out in the strategic roadmap. Identify where to invest budget to reach the desired level of breach resilience within a predefined timeframe, and review this periodically against the budget and the changing digital and physical landscape.

By following a strategic framework that aligns technology, culture and goals, organizations can manage the challenges of the digital world and remain resilient in the face of security breaches and cyber threats.

Learn how new technologies are impacting cybersecurity in The impact of AI and ML on cybersecurity by Alessandro Magnosi. Find out how to embed privacy protection within your organization in Emerging technologies: Part 1: Embedding privacy by design by Conor Hogan. For more insights on other digital trust, privacy, information security, and environmental, health, and safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.