Back in 2021, we ran a series called “A Journey in Organizational Resilience.” The issues covered in that series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term “resilience” can be difficult to define, and when we define it, we may limit its scope, missing the big picture.
In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant demands on incident response teams, resilience (and, in a narrower scope, cyber resilience) will require significant attention due to the complexity of our systems.
We achieve this by “working outside of our little sandbox” and reducing the fragility that comes with complex systems.
What does “resilience” mean to you?
Resilience includes a wide variety of issues, including but not limited to resilient technology (disaster recovery and backups), attitudes or coping capabilities on an individual or organizational level and the financial bottom line. Moreover, the management skills to accurately and convincingly communicate financial impacts or impacts on personnel after a technical shock or interruption are also crucial elements of resilient behavior.
Therefore, let us widen the lens of “resilience” to mean something more closely related to the ability to manage and adapt to rapid changes, regardless of what causes them.
Using this framework, we can focus on three major emergent technology and data-focused issues impacting cyber resilience today:
- Generative AI: a rapid change in technology and industry.
- Breach data: examples of mishaps and misfortunes, regardless of how they occurred (e.g., innocuous yet impactful losses of data versus nefarious acts of fraud and theft).
- Incident response: an event that causes an immediate and impactful shock to business and operations.
Generative AI: A case of rapid change
There are few better current-day examples that demonstrate the impact of an industry innovation than the disruptiveness of gen AI. Its benefits are already employed by actors both good and bad. Good implementation of gen AI (or similarly related AI tools) can result in increased productivity through better response to security events, whereas poor implementation can result in financial loss, operational disruption and reputational damage — at minimum.
But with the most exciting innovations, adoption almost always outpaces adaptation. Visualize two acceleration curves: the top one, accelerating at a greater rate, represents adoption, while the lower one, accelerating at a lesser rate, represents adaptation. That gap between the curves represents the risk, or threat to resilience, being incurred.
In the gen AI space, business pressures demand adoption — almost any technology or service solution today comes with the “we use artificial intelligence” tag somewhere. But security measures are consistently outpaced by adoption, especially when nefarious actors are using that same technology to help give themselves a competitive advantage.
So, what is a method to bridge that gap?
Determining risk tolerance is always the first step to maximizing your organization’s resilience. In the case of gen AI’s high-speed adoption, where there is a “build it while flying it” mantra, frameworks are particularly helpful. For example, IBM’s Framework for Securing Generative AI helps outline key principles, including:
- Securing data
- Securing models
- Securing usage
- Securing infrastructure
- Establishing governance
- Managing the pipeline
So far, this framework looks very much security-focused, and that would be a correct assessment. But to shift the focus back to the bigger picture, start by asking some of these questions:
- Can we secure the data, models, usage and infrastructure in a timely and cost-effective manner?
- Do we have the necessary controls and processes to establish and implement governance and manage the influx of data?
- Is there a business case for adoption?
- Have we considered the consequences of “too early” versus “too late” adoption?
- Can we manage and recover from a gen AI failure, regardless of the source?
- If it does fail, how do we get stronger from that lesson after recovery?
These types of questions can be useful during any type of rapid change. In the course of working towards the answers to your organizational needs, using the rule of “perfect is the enemy of good enough” can help move towards practical solutions. Moreover, in the case of a data breach or other incident, answering these questions in advance can dramatically impact strategic and tactical response and recovery efforts.
Breach data: A case of mishaps and misfortunes
The amount of data in the wild is concerning. While data has historically been thought of as an asset, it is now becoming a liability. The tendency to “hold on to everything” (e.g., for marketing or longer-term business prospects) can backfire long before the return is ever realized, which is all the more reason to implement better data destruction policies and practices.
To give us a glimpse of the future, let us combine the cases of rapid change (gen AI) with mishaps and misfortune (breach data) to illustrate how your resilience will be tested. Tactics, techniques and procedures (TTPs) are changing because the breached data can be processed through artificial intelligence and machine learning capabilities, allowing the threat actor to create social engineering attacks that prey on emotions.
Why go through the difficult technical challenge of trying to break into a network when the easier route of duping an unsuspecting user can be even more effective? As IBM’s 2024 X-Force Threat Intelligence Index identified, stolen credentials are the top threat for this year, facilitated by the rise of infostealers.
If steps are not taken to clean up an individual’s and organization’s digital footprint, successful attacks can result in possible personal loss, privacy violations, financial costs, reputational costs, regulatory penalties and loss of confidence. In short, breach data in the wild becomes death by a thousand paper cuts. Can you recover from that?
The real resilience lesson in the case of a data breach is simple: How do you bounce back? One of the best tactics is to work backward from a worst-case scenario to identify gaps and consider the unthinkable. Questions worth asking:
- If all valuable data – personal information, intellectual property, trade secrets, sales information, strategy documents, etc. – made it out of their safe spaces for any reason, what would the immediate response look like?
- What would the near-term and longer-term responses look like? Would a fundamental change in business be required?
The reason to plan for a worst-case scenario is not to spread doom and gloom, nor is it worth obsessing over. Instead, working backward from a worst-case scenario challenges assumptions. There are many historical cases where organizations faced a “near death” situation (e.g., reputational damage, product recalls, customer confidence shattered, etc.). Still, these organizations turned the crisis into an opportunity to bounce back. Would you be able to survive a “near death” data situation? Ask that hard question.
Incident response: A case of shock
Even during the “quiet times,” incident responders do not have an easy work day. And even the best of them will not be able to push through the fatigue that can come with a significant shock, which worsens over time. That is the key: over time.
Unless faced with a catastrophic scenario that does not permit any bounce back at all, there will be a period when responders can attempt to respond, remediate and recover, even with minimal impact. But an organization cannot do that if it is already stretched thin, fatigued and unprepared for difficult disruptions. Do not underestimate fatigue and its impacts on operations and mental health, especially when a security operations center (SOC) sometimes spends up to a third of its time on incidents that pose no threat.
Effectively, even in the worst-case scenarios, the plan should be to survive the day, take it one step at a time and, if applicable, outlast the competition. Therefore, in the people, process and technology trifecta, remaining resilient is very much part of the people and processes domains.
2025 and beyond
Moving into the future, it is not unreasonable to assume that technological dependency on others will increase. What that dependency looks like, though, will drive your resilience strategy. For example, will your organization invest in reasonable redundancies to quickly absorb disruptions? Or will the investment choice be focused on innovation, hoping that there is a greater return?
Ultimately, effectively practicing resilience strategies comes down to the ability to master the probable and manage the unpredictable.
It will always circle back to risk tolerance. Moreover, risk tolerance will be driven by business decisions that no longer can be made in isolation. If the executive, management, finance, delivery and technology teams are not talking to each other, along with any other vital stakeholders, any resilience strategy planned is doomed to failure.
In closing, here are a few key considerations if you and your organization wish to employ an effective resilience strategy:
- Think big picture. If the “resilience strategy” is to make one area of the business resilient (e.g., high availability of information technology systems), that will not cut it for the future.
- Just like cybersecurity, resilience planning will be driven by culture.
- Which way are you going? Will your strategy move away from risk inheritance strategies (e.g., depending on others to facilitate delivery of mission-critical services), or will you ramp up the adoption of technologies designed to increase efficiency (e.g., higher dependency on third parties and services)? There is a trade-off. Choose wisely.
Resources for your cyber resilience strategy
For more resources on how to improve your resilience strategy, the 2021 series covered:
- The human factor
- Business continuity
- Disaster recovery
- Crisis management
- Governance
- Testing and training
- Privacy
- Security by design
- Supply chain and third parties
- The data lifecycle
- Insider threats
- Socio-economic trends and threats
Do not get so caught up in minutiae that you miss the big picture. Start asking the tough questions about your organization’s overall resilience and cyber resilience strategies now, and you will be on the right path to a safer, stronger and more secure future.
The post What does resilience in the cyber world look like in 2025 and beyond? appeared first on Security Intelligence.