The cybersecurity industry is not generally known for the quality of its metrics. In a field where the absence of something happening is the best possible result, it’s been hard to find a meaningful way to communicate how prepared an organization is to withstand a cyber attack, or even to tell if a cyber team is getting better at what it does.
However, according to Wayne Lloyd, Federal CTO at RedSeal, measuring your team’s digital resilience is a tangible way to communicate about risk and your organization’s ability to manage it. “Cybersecurity has been focused on busyness metrics, like how many incidents were responded to and how many were closed out,” shared Lloyd in a recent interview with Government Technology Insider. “But those metrics don’t tell you much about how prepared you are to withstand an incident or recover from a breach; in fact, they don’t tell you much at all.”
For Lloyd, what today’s complex organization needs to know is how resilient it is – how hard its networks are to attack, how well it can detect an intrusion or an attempted intrusion, and how rapidly it can respond to an incident or breach. Quantifying these three factors can provide a score that gives meaningful insight into the organization’s ability to manage risk and uncertainty and withstand attacks.
“The foundation of resilience lies in understanding the cyber terrain,” said Lloyd. “It’s not just getting one snapshot of the network and what’s on it but receiving ongoing insight – in near real time – that shows changes in network configuration, which are often the early indicators of an attack.” With this knowledge, plus the right people, processes, and technology, an organization can withstand the constant barrage of attacks and continue to improve its resilience in the face of new tools and tactics.
Many organizations focus only on the external aspects of risk management and resilience, Lloyd explained. “Think of a bank in the bank robbery capital of the world, Los Angeles,” said Lloyd. “If the bank’s security team only considers the external features – like the neighborhood, the number of escape routes, and the hardened exterior – they’re missing a whole lot of risk factors inside – like interior security cameras, number of security guards, interior hardening and man traps – that can radically change the risk and therefore the bank’s resilience.”
Lloyd noted that federal agencies are eager to adopt digital resilience scores to help improve their networks’ resilience, which will enable them to withstand the constant attack cycle that comes with holding petabytes of high-value information, from citizen PII to the designs for next-generation military hardware and national intelligence. The idea of a digital resilience score is resonating not only with military and intelligence leaders but also with the security chiefs of the 23 agencies participating in the CDM program. “Digital resilience scoring is right in step with the key parts of the CDM dashboard. In eliminating uncertainty, it enables agencies to move to the next order of security. Digital resilience is truly the foundational metric for building robust cybersecurity,” Lloyd concluded.