In today's rapidly evolving threat landscape, cyber resilience is crucial if organisations are to withstand and recover from modern cyber-attacks rather than merely try to prevent them.
However, cyber resilience remains largely conceptual and theoretical; the industry is far behind in demonstrating cyber resilience capabilities in practice. Such capabilities have the potential to frustrate, degrade and ultimately stop attacks while keeping the impact on business operations to a minimum.
This first part of the article distinguishes the concepts of cyber security and cyber resilience. It then evaluates the notion of practical cyber resilience through the lens of the People, Process and Technology framework.
One immediate observation is that the technological aspects of cyber resilience are the least mature. Most of the emphasis so far has been placed on processes and people. While these are important, striking the right balance between the three pillars is key to progress. Cyber resilience engineering is the centrepiece of the technological aspects. It involves several facets, and the National Institute of Standards and Technology (NIST) cyber resiliency engineering framework, as laid out in NIST SP 800-160 Volume 2, presents these facets comprehensively: resiliency goals and objectives, techniques and implementation approaches, and design principles.
Even within the people and process pillars, some aspects of cyber resilience have not yet been adopted. The concepts that receive the most emphasis are those that overlap with cyber security, which is more of a curse than a blessing for understanding and implementing cyber resilience, because it encourages the two to be treated as the same thing. The hidden champions of cyber resilience, by contrast, are the cyber resilience goals, the design principles and a resilience-oriented culture.