When you’re playing a contact sport, it’s safe to assume that at some point, you will come into violent physical contact with an opponent. If you’re playing football or rugby, you learn how to be tackled. If you’re a boxer, you learn how to take a punch.
If basketball is your game, you learn how to ignore the elbows and drive toward the hoop. If you play ice hockey, sooner or later you will be knocked down by an opposing skater; so you learn how to get back on your skates quickly and gracefully.
In IT, we need to acquire similar skills. If we’ve learned anything from the past five years of data breaches, it’s that no perimeter can completely withstand attacks from cyber criminals. I’m not saying we should abandon perimeter defense entirely. I’m saying that you cannot count on it to safeguard your data and your systems from all attackers.
Instead of pouring more resources into cybersecurity, we need to begin focusing on cyber resilience. What’s the difference? Security assumes we can keep our systems and our data secure. Resilience, on the other hand, acknowledges the practical limits of security, and prepares your organization for the worst.
Frankly, there’s nothing wrong with being prepared for the worst. Airline pilots train continuously for every kind of conceivable disaster, and that’s precisely why the airlines have great safety records. Captain Chesley “Sully” Sullenberger didn’t land his damaged plane in the Hudson River safely because he was lucky. Sully’s passengers survived because he’d spent his aviation career practicing for worst-case scenarios.
So, why don’t we spend more effort focusing on resilience in our industry? One reason is that it’s expensive. Being resilient means having backup systems and mirroring data. It means spending money on systems that you might only have to use once or twice. It means dedicating resources to continuously backing up data. Cyber resilience is like eating your vegetables. You might not like them, but they’re good for you.
Like it or not, we’ll all be hearing more about cyber resilience, especially in the wake of the Equifax data breach. At the risk of stating the obvious, we’ve learned that cyber defense isn’t enough in a world where attacks can come from anywhere, at any time.
That’s the key to being resilient: Knowing how to recover quickly and effectively. Ask athletes who play contact sports and they’ll tell you it’s impossible to avoid being hit. How well you respond, however, is entirely up to you.