Resilience can mean many things to different people, but for this blog, we will focus on cyber resilience. Cyber resilience is about accepting the reality of cyberattacks and minimizing damage when they occur. It involves organizations preventing, withstanding, and recovering from these attacks—it's how an organization deals with an incident and gets back on its feet.
We've seen cyber resilience become a popular mindset and playbook within the cybersecurity community. It has been a topic of discussion here, at RSAC, for some time. So, let's examine what cyber resilience is and how it plays a crucial role in this community.
Resilience for SMEs
Small to medium-sized enterprises (SMEs) face distinct challenges when dealing with cyberattacks compared to larger enterprises. This difference stems from SMEs' limited budgets, knowledge, and technical expertise compared to their larger counterparts. Additionally, SMEs often mistakenly believe their smaller size makes them less likely targets. However, as Praise Ayodele, Graduate Researcher, University of Central Missouri, emphasized in his RSAC 2024 podcast, "We are all targets of attacks." Fortunately, SMEs can build resilience against cyberattacks.
SMEs must prioritize continuous learning to understand current threats and develop effective response and recovery strategies. Ayodele highlighted the importance of fostering a strong culture of security awareness among both employers and employees, recognizing our interconnectedness. For SMEs lacking the budget for dedicated cybersecurity personnel, investing in employee training is crucial. This training should cover cyberattack trends, such as phishing and social engineering, and equip employees to identify and prevent fraudulent activity.
Furthermore, SMEs can enhance their resilience by seeking mentorship or partnerships with larger companies. These collaborations provide invaluable guidance and insights for improving security posture, as Ayodele noted. Building resilience is not solely about having the budget or tools for mitigation and recovery; it's fundamentally about a willingness to learn and collaborate.
Resilience for Healthcare
Healthcare organizations are prime targets for cybercriminals, facing a surge in ransomware attacks, data breaches, phishing scams, and other malicious activities. Healthcare organizations must unite to build clinical resilience, as Christian Dameff, Emergency Physician and Clinical Informatics Fellow, University of California San Diego, stated in his RSAC 2024 podcast: "At the heart of patient safety is the desire to create better systems that are safer for patients, so when they engage with healthcare systems, we can give them the best chance at healing, recovery, and reduced anxiety." Similar to SMEs, healthcare organizations often lack the budget to hire dedicated cybersecurity teams or acquire sophisticated tools to prevent or recover from cyberattacks. Therefore, it is crucial for healthcare organizations to cultivate clinical resilience within their ranks for the safety of their patients. Dameff emphasized that the most efficient and effective way to build clinical resilience is to engage with business continuity and emergency managers—every hospital has one, and their role is to prepare the hospital for disasters. "Ask important questions like, 'What is our plan for ransomware? How can we still care for patients?'" Dameff advised. And if they don't have a plan, create one. A critical step is not to rely solely on emergency managers, but to collaborate and figure it out together. Then, include a nurse in the conversation to advocate for patients. Ultimately, collaborative effort is the cornerstone of building robust clinical resilience in the face of escalating cyberthreats.
Resilience for Cybersecurity
Cyber resilience is essential within any organization, but it requires a unified approach. Unfortunately, a common misconception is that cybersecurity is solely the responsibility of technical teams. True cyber resilience involves everyone in the company, regardless of their position. However, it's critical that resilience initiatives begin at the top, setting the tone for the entire organization. Therefore, CEOs must actively cultivate a cyber resilience mindset, rather than solely relying on CISOs. For instance, in an RSAC 2023 Conference presentation, Rashmy Chaterjee, CEO, ISTARI, and Dr. Manuel Hepfer, Head of Knowledge and Insights & Cybersecurity Researcher, ISTARI and Oxford University, stated that when they interviewed CEOs about cybersecurity, many felt uncomfortable discussing it without their CISO, citing their non-technical backgrounds. But when the conversation shifted to resilience, they engaged readily. This is because resilience, in a broader sense, is a concept they understand and prioritize, even from a non-cybersecurity perspective.
So perhaps, instead of talking only about cybersecurity, organizations need to talk about how to prepare for an attack rather than focusing solely on how to prevent it. Hepfer and Chaterjee found that CEOs are more comfortable framing the discussion as building cyber resilience rather than cybersecurity; how to do so is summarized in Figure 1.
Figure 1. Source: RSAC Presentations
Based on the interviews with 40 CEOs, Hepfer and Chaterjee identified four mindsets an organization needs in order to build cyber resilience:
- Be co-responsible
- Embrace the preparedness paradox
- Move from blind trust to informed trust
- Adapt your communication styles to regulate stakeholder pressure
Alex Sharpe, Managing Director, Sharpe42, also provided guiding principles for cyber resilience in his RSAC 2024 Conference presentation.
Five guiding principles:
- Incidents Happen: Recognizing that incidents are inevitable means focusing on three key aspects: minimizing impact, reducing the blast radius (both the likelihood and the impact of an incident, helped by faster detection), and ensuring rapid recovery.
- Protect, Detect, Recover: This fundamental triad—protect, detect, and recover—remains paramount.
- People, Process, Technology, and Organization: Resilience has evolved beyond technology; it now encompasses people, processes, technology, and the organization as a whole. Understanding the interconnectedness of these elements is crucial for effective prevention and recovery.
- Minimal Acceptable Levels (Priorities): Business continuity and disaster recovery require prioritizing critical functions. Instead of rigid statements like "we can't be offline for more than 4 hours," organizations should adopt a more granular approach, such as "Service A must be 80% viable within 2 hours." This allows for flexible prioritization.
- Multidisciplinary: Cyber resilience is no longer confined to IT departments; it involves everyone across the organization, each with distinct roles and responsibilities.
Why is cyber resilience important? It is crucial for all organizations, regardless of size, and even for individual users. In today's interconnected world, a single vulnerability can have widespread consequences. By embracing a resilience mindset, organizations can minimize the impact of attacks, recover quickly, and maintain business continuity. This is especially important as cyberattacks become more sophisticated and frequent. Building resilient systems protects data, reputation, and customer trust.
To learn more about how to be resilient and build resilient systems, tune in to our RSAC virtual seminar, Building Resilient Systems.