Enterprise Cyber Resilience: A Leadership Mindset, Business Model, and GRC Framework

By Nick Janka, Chief Cyber Architect, Lockheed Martin

I. CYBERSECURITY VS. CYBER RESILIENCE

Cyber resilience, when implemented correctly, enables the business. Reliance on cyberspace has become paramount for missions, business functions, organizations, and nations in today’s increasingly interconnected world. However, this dependence also exposes them to persistent and sophisticated cyber threats that can disrupt critical information and communications systems. Recognizing the urgent need for cyber resiliency, the discipline of cyber resiliency engineering has emerged. As a sub-discipline of mission assurance engineering, it focuses on engineering cyber-resource resilience by implementing evolving practices and strategies. This article explores the application of cyber resilience practices in the context of a mindset, business model, and cybersecurity posture.

Cybersecurity and cyber resilience are two related but distinct concepts. Cybersecurity comprises the measures and practices that protect computer systems, networks, and data from unauthorized access, attacks, and damage. It focuses on preventing and detecting cyber threats such as malware, hacking attempts, and data breaches, and it aims to maintain the confidentiality, integrity, and availability of information and systems.

Cyber resilience, on the other hand, goes beyond preventing and detecting cyber threats. It refers to the ability of an organization or system to withstand and recover from cyber-attacks or other adverse events. Cyber resilience involves preventing and preparing for attacks, withstanding their impact, recovering from damage, and adapting to improve future capabilities. It focuses on ensuring the continuity of critical functions and minimizing the impact of cyber incidents. While cybersecurity focuses on preventing and detecting cyber threats, cyber resilience encompasses a broader set of practices and strategies that keep systems and organizations operating and adapting while they are under persistent and sophisticated cyber-attacks and other adverse events.

Cyber Resilience Objectives: Anticipate, Withstand, Recover, and Evolve

Anticipate

This goal involves maintaining a state of informed preparedness to forestall compromises of mission/business functions from adversary attacks. By predicting and understanding potential threats, organizations can proactively implement measures to prevent attacks and minimize their impact.

Withstand

The goal of Withstand is to continue essential mission/business functions despite the successful execution of an attack by an adversary. It focuses on building systems and processes that can absorb and withstand cyber-attack impacts, ensuring the continuity of critical operations.

Recover

After a successful attack, the Recover goal aims to restore mission/business functions to the maximum extent possible. It involves implementing strategies and processes to recover from the damage caused by cyber incidents, including restoring systems, data, and services.

Evolve

The Evolve goal emphasizes adapting and improving capabilities to actual or predicted adversary attacks. It involves changing missions/business functions and supporting cyber capabilities to minimize the adverse impacts of cyber threats. This goal ensures that organizations stay ahead of evolving threats and enhance their resilience.

The enterprise cyber resilience framework is the critical foundation for achieving a robust cybersecurity posture. It is the first and last cyber defense to prevent and withstand cyber-attacks, enable early detection and response, protect critical assets, ensure business continuity, build trust, manifest compliance, and support continuous improvement.

II. ENTERPRISE CYBER RESILIENCE AS AN EXECUTIVE MINDSET

Enterprise cyber resilience as an executive mindset refers to the recognition and prioritization of cyber resilience at the highest levels of an organization. It involves instilling a proactive and strategic approach to cyber resilience throughout the enterprise, with executives leading the charge. This mindset emphasizes that cyber threats are inevitable and that organizations must be prepared to anticipate, withstand, recover from, and evolve. As an executive mindset, enterprise cyber resilience involves leadership, risk management, collaboration, continuous improvement, and resilience by design.

Leadership Mindset

Executives must take an active role in promoting and championing cyber resilience within the organization. They set the tone for the entire enterprise, ensuring that cyber resilience is a top priority and integrated into the overall business strategy.

Risk Management Mindset

Executives must understand their organization’s business and cyber risks and make informed decisions about its risk appetite, tolerance, and mitigation strategies. They should work closely with risk management teams to identify vulnerabilities, assess potential impacts, and allocate resources effectively.

Collaboration Mindset

Executives should foster collaboration and communication across different departments and stakeholders. This includes IT, security, legal, finance, and other relevant teams, as well as external partners and vendors. By breaking down silos and promoting cross-functional collaboration, executives can ensure a holistic and coordinated approach to cyber resilience.

Continuous Improvement Mindset

Executives should promote a culture of continuous improvement in cyber resilience. This involves regularly assessing and updating cyber resilience strategies, staying informed about emerging threats and best practices, and investing in employee training and education at all levels.

Resilience by Design Mindset

Executives should embed cyber resilience into the design and development of systems, processes, and infrastructure. By considering resilience from the outset, organizations can build robust and adaptable systems that withstand and recover from cyber incidents more effectively. By adopting an executive mindset that prioritizes enterprise cyber resilience, organizations can better protect their critical assets, maintain business continuity, and minimize the impact of cyber-attacks. It requires a proactive and strategic approach, with executives leading the way in fostering a resilient and secure digital environment.

III. ENTERPRISE CYBER RESILIENCE AS A BUSINESS MODEL

Enterprise cyber resilience as a business model integrates cybersecurity practices and strategies into an organization’s overall business strategy and operations. A business model is a framework that outlines how an organization creates, delivers, and captures value. Implementing cyber resilience as a business model focuses on how organizations can effectively manage and mitigate cyber risks to protect their assets, reputation, and overall business continuity. Below are some key elements of an enterprise cyber resilience business model.

Governance and Leadership

A resilient cybersecurity posture requires strong governance and leadership commitment. This involves establishing clear roles and responsibilities, defining cybersecurity policies and standards, and ensuring compliance with relevant regulations and industry best practices. Leadership support is crucial in allocating resources, promoting a culture of cybersecurity awareness, and fostering collaboration between different business units to achieve cyber resilience goals.

Risk Assessment and Management

The business model starts with a comprehensive risk assessment to identify and prioritize potential cyber risks and vulnerabilities. This includes assessing the potential impact of cyber threats on the organization’s operations, financials, and reputation. Based on the risk assessment, a risk management strategy is developed to mitigate and manage these risks effectively.

Cyber Resilience Investments

Investing in cyber resilience is crucial for organizations in today’s digital landscape. Cyberattacks and data breaches are becoming more frequent and sophisticated, posing significant business risks. Building a strong business case for investing in cyber resilience involves weighing the potential benefits against the costs of implementing robust cybersecurity measures. The business model must therefore include a clear investment strategy for cyber resilience, allocating financial, human, and technical resources to those measures. Investments may include acquiring and implementing security technologies, hiring skilled cybersecurity professionals, and providing ongoing employee training and awareness programs.

Collaboration and Partnerships

The business model recognizes the need for collaboration and partnerships with internal and external stakeholders, such as business areas, industry peers, government agencies, and cybersecurity vendors. Collaboration allows for sharing threat intelligence, best practices, and resources to enhance cyber resilience across the ecosystem.

Incident Response and Business Continuity

The business model includes a well-defined incident response plan and business continuity strategy. This ensures that the organization can effectively respond to and recover from cyber incidents, minimizing the impact on operations and customers. Regular testing and updating of these plans are essential to ensure their effectiveness. Maintaining operational resilience minimizes downtime, allows the business to recover quickly from cyber incidents, and keeps essential customer services running.

Compliance and Regulatory Considerations

The business model considers compliance with relevant cybersecurity regulations and industry standards. This includes staying current with evolving regulatory requirements and implementing necessary controls to meet compliance obligations.

Continuous Improvement and Adaptability

The business model emphasizes the need for continuous improvement and adaptability in the face of evolving cyber threats. This involves regularly reviewing and updating cybersecurity measures, staying informed about emerging threats and best practices, and conducting post-incident reviews to learn from past experiences.

Competitive Advantage and Market Differentiation

Demonstrating a strong commitment to cybersecurity can provide a competitive advantage in the marketplace. Customers and partners are increasingly prioritizing security when choosing vendors and business partners. By investing in cyber resilience, organizations can differentiate themselves from competitors and attract security-conscious customers.

Foster a Cybersecurity Culture

Create a culture of cybersecurity awareness and accountability throughout the organization. This involves providing regular training and education to employees on cybersecurity best practices, promoting a sense of responsibility for protecting data and systems, and encouraging the reporting of potential security incidents or vulnerabilities.

IV. ENTERPRISE CYBER RESILIENCE AS A GRC FRAMEWORK

Enterprise cyber resilience can be seen as a comprehensive cybersecurity posture that focuses on building the organization’s ability to anticipate, withstand, recover from, and evolve in the face of cyber threats. It goes beyond traditional cybersecurity measures by incorporating a holistic approach encompassing people, processes, technology, leadership, and governance.

Compliance Through Resilience

A robust cyber resilience framework ensures compliance with relevant regulations, industry standards, and best practices. Compliance helps organizations meet legal and regulatory requirements, avoid penalties, and demonstrate due diligence in protecting sensitive information. However, manifesting “compliance” alone does not guarantee security or resilience. Cyber resilience is not a checkbox, but rather a holistic, strategic framework for implementing effective security controls and risk management practices appropriate to the enterprise’s risk appetite and tolerance. As such, cyber resilience, when implemented correctly, creates a natural state of compliance. Here’s how an enterprise cyber resilience framework creates that natural state of compliance:

Anticipate

A cyber resilience framework requires proactive measures to anticipate potential cyber threats and vulnerabilities, including conducting risk assessments, gathering threat intelligence, and staying updated on emerging cyber threats and trends. By anticipating potential risks, organizations can implement preventive measures and develop strategies to mitigate the impact of cyber incidents. Regular cyber tabletop (CTT) exercises are crucial for identifying vulnerabilities, enhancing preparedness, improving communication and collaboration, testing incident response plans, testing decision-making and leadership, learning from mistakes, and building confidence.

Withstand

A resilient cybersecurity framework focuses on building robust defenses to withstand cyber-attacks, such as implementing strong security controls, firewalls, intrusion detection systems, and access controls, to protect critical data, assets, and networks. Regular security testing, vulnerability assessments, and penetration testing help identify and address weaknesses in the organization’s security infrastructure.

Recover

Despite preventive measures, organizations may still experience cyber incidents. A resilient cybersecurity framework includes well-defined business continuity, incident response, and disaster recovery plans and processes to ensure a swift and effective recovery. This involves having incident response teams, clear communication protocols, backup and recovery mechanisms, and forensic capabilities to investigate and remediate cyber incidents promptly.

Evolve

Cyber threats constantly evolve, and organizations must adapt their cybersecurity posture accordingly. Enterprise cyber resilience emphasizes continuous improvement and adaptation to changing threat landscapes. This involves regularly reviewing and updating security policies, procedures, and controls and investing in emerging technologies and threat intelligence capabilities. It also includes ongoing training and awareness programs to inform employees about the latest cyber threats and best practices.

V. CONCLUSION

The enterprise cyber resilience framework is the critical foundation for achieving a robust cybersecurity posture. It is the first and last cyber defense to prevent and withstand cyber-attacks, enable early detection and response, protect critical assets, ensure business continuity, build trust, manifest compliance, and support continuous improvement. By investing in a strong cybersecurity posture, organizations can enhance their ability to withstand and recover from cyber incidents, minimize the impact of attacks, and maintain their operations and reputation in the face of evolving cyber threats.

Maintaining and improving the enterprise’s cybersecurity posture is crucial in surviving and thriving in today’s digital landscape. By implementing a proactive and comprehensive approach, organizations can enhance their resilience to cyber threats and protect their critical data and assets. Key strategies include regular risk assessments, security awareness training, robust access controls, patch management, network segmentation, incident response planning, regular security audits, continuous monitoring, encryption and data protection, incident reporting and information sharing, vendor risk management, regular security updates and patches, and continuous improvement.

These strategies work together to anticipate, withstand, recover from, and evolve in the face of persistent and sophisticated cyber-attacks. By prioritizing cyber resilience as a leadership mindset, business model, and GRC framework combined with implementing these measures, organizations can minimize the risk of breaches, protect sensitive data, and ensure the continuity of operations. It is important to approach cyber resilience as an ongoing process, regularly assessing and updating security measures to adapt to evolving threats. By doing so, organizations can confidently navigate the digital landscape and safeguard their valuable assets with a strong cybersecurity framework.

Bio

Nick Janka is a Chief Cyber Architect at Lockheed Martin, a global aerospace, defense, and technology leader. With over 20 years of experience in the field, he has a proven track record of aligning the cyber resilience strategy with the business strategy, delivering reliable, scalable, and cost-effective solutions that protect the enterprise, customers, and end-users from evolving threats and risks. He holds MBA, CCISO, CISSP, CISM, and SSGB credentials, demonstrating his expertise in information security, risk management, and process improvement. As the head of the line-of-business and market segment cyber resilience strategies, roadmaps, operations, and team, Nick Janka leads the design, implementation, and evaluation of visionary and holistic cybersecurity initiatives across the global IT ecosystem. He leverages industry-leading best practices, frameworks, and standards such as NIST, JSIG/RMF, CMMC, FedRAMP, FIPS, and CNSSI to ensure compliance, governance, and resilience. He also fosters a security-aware culture and executive-level security champions through educational and mentoring programs. His leadership has contributed to the company’s revenue growth, market position, and customer satisfaction.