“What is cyber resiliency?” is the question that started off HiveWatch’s latest webinar, “Building Cyber Resiliency in a Physical World.”
For panelist Gary Gooden, Former VP of IT for Relativity Space, his answer was simple: “The ability for an organization to continue its operational cadence irrespective of a threat.” That is, whether a company can keep operating despite being under attack.
But there were a lot more key takeaways from the critical discussion around the role that cyber resiliency plays across an organization – and how it can benefit physical security, as well. For the TL;DR, here are four considerations around cyber resiliency for your security program:
It's all security.
Ryan Schonfeld, Founder & CEO of HiveWatch, pointed out that a trend that’s occurring in organizations now involves looking at security not as “physical” or “cyber” but as a singular, holistic frame of reference. “Within the organization, there is a shift in reporting structures,” he said. “Traditionally, security has either reported to facilities, finance, people, or legal, and now it’s shifting toward reporting into the CTO, CISO, or CIO, building a true security organization.”
Jim Rinaldi, Executive Director at Innovate@UCLA and former CIO for NASA Jet Propulsion Laboratories, the Food and Drug Administration, and the Internal Revenue Service, said that an emerging trend that he’s seeing is the combination of physical and cyber leadership into a Chief Security Officer. The CSO sits on the C-suite and the focus is to break down the silos that naturally occur between the two departments.
However, “changing where someone reports doesn’t fully promote the collaboration that needs to happen between the two; it still takes a lot of hard work and collaboration, no matter how the organization is structured,” he said.
Henry Park, Founder & CEO of 3GC Group, agreed, “What I love about talking about cyber resiliency is the goal of breaking down silos between departments that are not collaborating effectively to protect the organization from threats.”
The importance of this shift lies in ensuring that the technology being implemented across the organization is visible, configured properly to keep the network safe, and able to meet the needs of the business.
When businesses treat resiliency as a business goal and operate within defined risk factors, collaboration expands to include multiple stakeholders at varying levels, all sharing the goal of protecting both logical and physical assets.
Gary pointed out that culture plays a large role in whether organizations view security as a holistic practice, or in separate silos. “Companies with long-established silos will have a harder time viewing security as a whole. Change is dependent on the company culture and the sector,” he said. “Sectors that are more mature might be less willing to change at a fast rate – such as healthcare – as opposed to sectors that are more nimble.”
Know the risk.
It’s no surprise that risk is a common denominator on both sides of the aisle. Whether you’re on a physical or cyber security team (or a combination of both), the center of the conversation should be around risk tolerance, assessment, and mitigation.
“You have to look at internal threats, as well as the external things that can affect your business,” Jim said. Creating a baseline becomes imperative for an organization to determine risk tolerance and how leaders think of risk from a business perspective. Panelists agreed that so much of addressing risk across an organization is dependent on its “risk appetite”.
“There’s a lot you can do to reduce risk to the organization through simplifying business architecture and reducing complexity,” Jim said. “If you’re a company that has all the technology tools, how can you protect that? Prioritizing is reducing risk.”
While the topic is a big one, the panelists cautioned against telling leadership that “we’ve mitigated risk” when in reality risk is constantly changing. Instead, communicating how data, assets, and people are being protected, and building trust in the process, is the logical way to add value to the conversation. Communicating the most likely consequences of not protecting critical data, while reiterating the preparedness of the organization, is one way that security leaders – whether physical or cyber – can convey their risk management strategy.
For Gary, talking to leadership about reputational risk to an organization is one way to reiterate the need for robust protection without becoming too technical. For example, in a healthcare setting, when there’s a data breach, it can result in damaged reputation. Similarly, if there’s a workplace violence incident or active shooter event, reputation is damaged. If there’s a compromise of networked infusion pumps (75% of these can have cyber flaws, putting networks at risk of attack), you impact reputation.
“You can draw a direct line from the threat of reputational risk to the viability of the organization,” Gary said.
In non-healthcare settings, such as manufacturing, resilience becomes a critical piece to ensuring timely delivery of goods and any disruption can mean impacting the company’s profitability and bottom line. That’s where taking the holistic view of risk – while taking into account physical intrusion and detection, operational technology (OT) systems integration, and the ability to monitor all of these environments – becomes critical.
Form a steering committee.
It’s not enough to have a single leader spearheading cyber resiliency efforts across an organization. In fact, collaboration is key. Henry recommends assembling a steering committee made up of key stakeholders who discuss the progress of measuring and mitigating the risks to the organization.
“Whether a company looks at something like data as a revenue source or more operational, the risk factors will vary; but what we’ve seen work well is that shared responsibility amongst key players in the organization to keep it safe,” Henry said.
Each department of an organization has a role to play in protecting the business, and the more that role is communicated, the better the adoption of the policies and processes that serve that goal.
Build a strategic roadmap.
After risk tolerance is established as an organization, there’s a need to establish a strategic roadmap, which is where decisions can be made about technology investments, cost, and prioritization.
The panelists agreed that shifting the conversation will help create more collaboration and buy-in from the top-down. “Gloomy messaging doesn’t work,” Henry said. “We’re never going to be able to be 100% bulletproof and once we’re able to get everyone to realize it’s not a matter of blocking everything, we can focus more on the shift toward limiting the risk and preparing the business to be able to operate continuously despite a threat.”
Henry reiterated that a lot of money is wasted trying to get it right, and that funneling that investment into controlling the risks the company can actually control is key.
You can listen to the full discussion around cyber resiliency in physical security.