What is Digital Resilience, and Why is it a Business Priority?
As much as everyone hates to think about it, this is a reality we all must face: cyberattacks are not going to stop, and everyone is a target. It may even be safe to say that anyone who has spent even a short time on the Internet has been exposed to some cyber threat, whether a phishing email or a malware download. Hackers attack organizations just as much as, if not more than, individuals. Large-scale attacks like data breaches are especially appealing to cyber thieves because they can steal far more information in less time by infiltrating centralized locations like corporate databases than by targeting individuals one by one. News of such mass attacks not only makes headlines but strikes a chord with many, as household names Target and Chase Bank were victimized by cyberattacks. Retail giant Target suffered a breach in 2013 that compromised the credit and debit card information of 70 million customers. The Chase Bank breach in 2014 impacted over 83 million accounts, including 76 million households and 7 million small businesses.
The Inevitability of Cyberattacks
With the rash of cyberattacks that never seems to end and the crippling damage they can cause to business profits and consumer trust, enterprises have to start thinking, “It’s not a matter of planning for if we get attacked, but a matter of planning for when we get attacked.” Cybersecurity professionals like RedSeal CEO Ray Rothrock share similar thoughts on this issue. In his book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, Rothrock states that the nature of a security threat against the digital network of a business is summed up by two facts: breaches are so highly probable that, in the long run, they can be considered inevitable, and these breaches come at great expense of time, worry, and reputation. Adopting this perspective means that businesses have to expect the worst and that, should any cyberattack happen, they must already have designated measures and tools in place to realistically react to and counter the attack and protect their information and livelihood. In other words, the answer to defeating cyberattacks is neither staying offline nor having a flawless, fool-proof cybersecurity system that is impenetrable to attack.
The Myth of “Bullet-Proof” Cybersecurity
The answer, instead, is to have a security program that keeps a business or organization resilient in the event of an attack. Let’s face it: between the myriad security weaknesses that exist in devices and software, the rapid rate at which cyber threats adapt to security improvements, and the nature of probability, it is not realistic to say that a cyberattack will never happen to a business, or that there is a perfect security program that can defeat attacks with 100% certainty. Again, in his book, Rothrock explains that “no means of protection is bullet-proof,” since all security strategies are “inherently and inevitably flawed because the vulnerabilities of digital connection are inherent and inevitable.” Cyberattack risk comes with having an online presence, which has become a necessity today for business and personal purposes. Businesses need to minimize the risk of attack and know how to recover effectively if a breach or loss occurs. Resilience is a quality a company needs not only to perform well but to survive, period. This statement could not be more accurate than in the world of cybersecurity, in which digital resilience is a must-have. Rothrock asserts in his book that “Once we accept the risk-reward trade-off of digital connectivity, our next step is to survive—and even thrive—under attack. Digital security is an incomplete answer. Digital resilience completes the answer.”
Understanding Digital Resilience
The first step in helping an organization establish strong digital resilience is recognizing that managing cybersecurity risk is not a responsibility that belongs solely to an IT department. Because these risks can enter a company through any number of ways or departments and impact the entire business, especially its bottom line, they should be treated as business risks that every employee and department, and especially a company’s top management, needs to be aware of and work to counter. Reinforcing this point in Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, security expert Rothrock explains that “Whereas digital security is about security, digital resilience is about how you do business in today’s intensively interconnected environment. It is not confined to the realm of IT specialists, but is a whole-business strategy.”
Once all team members understand what digital resilience is and what it is not, the next step is to implement a system or method that enables a company to measure and evaluate its level of digital resilience. It is also imperative that this system is one that all involved parties can use and understand, so that they gain insight into the company’s cybersecurity and the role they play in it. It needs to close any communication gaps on digital resilience matters between the IT department and other departments, particularly the C-suite. One tool that many companies are using to meet this need is a digital resilience score. Much as a credit score is determined, a digital resilience score is calculated by compiling information about different aspects of a company’s cybersecurity, such as server configurations and software vulnerabilities, quantifying the level of each factor, and combining them into a single score that gives an overall gauge of the organization’s digital resilience, that is, its ability to withstand and recover from a cyberattack. A good example of a digital resilience score system is the one developed by cybersecurity company RedSeal.
RedSeal Digital Resilience Score
According to RedSeal, a company should concentrate on three areas for strong cyberattack resilience: how easy it is to attack the company, the company’s preparedness for an attack, and how well it is able to rebound from an attack. The RedSeal Digital Resilience Score focuses on three factors:
Weaknesses – RedSeal assesses any defects present in improperly configured devices or third-party software that are easy for hackers to exploit.
Structure – RedSeal also looks at how well an organization’s network is structured, to see if it has pathways that serve as easy entry points through which attackers can reach and steal valuable assets.
Thorough Understanding – Lastly, RedSeal examines how well a company knows its digital infrastructure to help it better manage its network assets and be aware of accessible points for attackers. It does this by looking for previously unknown areas of the network.
The higher the score, the more digitally resilient the company is, and the higher the chance that it can take a hit from an attack and keep going. The highest score is 850, and point deductions are made for things like blind spots in awareness and vulnerabilities identified from attack simulations.
The Digital Resilience Book and Why Businesses Need It
No organization can afford to operate without knowing its digital resilience level and how to improve it to help guard against cyber threats. Ray Rothrock’s book, Digital Resilience: Is Your Company Ready for the Next Cyber Threat?, provides a detailed overview of how effective digital resilience works, what it takes to achieve it, and a top-down, step-by-step guide to making it happen in your own organization. Sharing with Rothrock the common goal of educating individuals and organizations about cybersecurity and digital resilience, Cybrary stands behind this book as one that enterprises can use to be ready to respond to cyberattacks. Aimed at a top-management audience, the book, as Rothrock affirms, “offers ideas and actions for those who want to improve their security world with some new, more effective thinking.”