
EXPERT OPINION: Resilient by design is the way forward

Paul Holland, Head of Research, ISF
Published 15 - August - 2024

Recent events have demonstrated that technical infrastructure relies not only on suppliers but also on your internal processes, frameworks and the quality of their implementation. Being able to cope with continual business and technical change, and to identify and respond to incidents in a timely manner, are also key considerations. Security practitioners have long campaigned for a default stance of ‘secure by design’, starting with software development, but more recently the need to expand beyond this has become increasingly urgent. In this interconnected world we now need to design everything with security in mind. Let’s take things a step further and consider the concept of ‘resilient by design’.

Having the foundations for resiliency

Designing a cyber resilient organisation is a complex task, but it can be made easier by building consistently and on solid foundations. The cyber security basics that we have been talking about for years are the starting point for this:

  • An accurate and up-to-date asset inventory
    • including criticality to the business, helping to highlight your organisational ‘Crown Jewels’.
  • Joiners, movers and leavers (JML) processes
    • augmenting your identity controls.
  • Security technologies to both protect the IT infrastructure and detect anomalies.

However, having the best technical solutions and controls alone will not protect an organisation. Setting up these solutions effectively, and then monitoring their effectiveness throughout their serviceable life, is a vital element of continual success. The continuous management of assets throughout their implemented lifecycle is an important part of becoming a cyber resilient organisation.

Risk assessment supports the foundations

When looking at either secure by design or resilient by design, we should identify the risks and threats posed, allowing us to design appropriate controls to mitigate and manage them. We should then use control frameworks, which are an excellent method for ensuring the organisation’s interests remain aligned with good practice and that controls are operating as designed, all the time, from implementation to decommissioning. For ISF Members a great place to start is the Standard of Good Practice (SOGP). Combining the Standard with our research into Protecting the Crown Jewels (PCJ) helps you take a pragmatic, risk-based approach to improving your organisation’s security posture and start the journey to proper cyber resilience. By leveraging the PCJ report to understand what needs protecting, you can then use the SOGP to build your internal control framework as part of your resilient by design ethos.

Creating a comprehensive implementation of security arrangements, controls, processes and procedures will put an organisation on the front foot when it comes to cyber security: it reduces the risk of incidents occurring, and when the worst does happen the response actions are already planned, with the infrastructure having been designed with that response in mind as well.

Preparing for resilient by design

Preparedness is a key part of survival for organisations and for the cyber security teams within them. Having a methodology that allows security teams to understand, reference and then implement good practices will make life easier for those involved, in terms of understanding, speed and longevity. The SOGP provides a comprehensive reference library of controls, which are also mapped to many well recognised international frameworks and regulations (e.g. ISO27000, NIST CSF and CSA) to assist organisations that may already have started with other options or have additional compliance requirements to satisfy.

Resilient by design should now be the target for all organisations, and achieving it starts with a robust security framework, creating a structure that enables effective measurement of the programme. Using a security healthcheck or the ISF Benchmark allows the security team to evidence the success of their work to senior executives and build confidence that the organisation can be resilient by design.

For further guidance on how to improve your business’ resiliency against future threats, please visit: ISF: Your first line of defence in incident response management