Thursday, February 9, 2017

Commentary on Cyber Resilience

At the upcoming HackMiami5 conference I will be speaking on "Cyber Resilience".  I have been looking at this term over the last several months.  As an infosec/cybersecurity professional, I wanted to better understand what this "cyber resilience" is and how it fits in.

Now, in my talk at HM2017 I will be going into several "models" for cyber resilience and other resources, and I will NOT be posting that information here on my blog until sometime later.  So this posting, which may be part of a series, is more my thoughts on what cyber resilience is.

Now, the more or less standard definition I hear for cyber resilience is "the ability to recover from attacks more quickly and keep losses to a minimum."

Hmmmm.  Ok.

Taking this a little further, what I also hear is that cyber resilience goes "beyond" cybersecurity, that it is almost a next step, and that certain organizations (government, military, commercial) are now focusing more on cyber resilience than on cybersecurity.

So, more "hmmmmmm" from me.

For me, I have a problem with this view.  My problem is that, FOR ME, what is being described as cyber resilience IS cybersecurity, and that what these people are putting forth as "cybersecurity" is TOO NARROW a use or definition of it.

These people seem to think that cybersecurity is solely PREVENTION.  For me, it's not and never should be.  IF some are thinking cybersecurity is solely PREVENTION, that's the problem.  RESPONSE and RECOVERY, which are said to be cyber resilience, ARE part of cybersecurity.

This may help.  The Core of the NIST Cybersecurity Framework is organized into five "Functions": IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER.

ALL 5 are needed for the Framework, and for me, all 5 are needed to have cybersecurity.

The people pushing cyber resilience seem to be pushing the idea that cybersecurity is just PROTECT (and maybe also DETECT), and that we need cyber resilience to cover RESPOND and RECOVER.

I think that's wrong.  BUT, I think part of it is that OTHERS are at fault here, not necessarily the cyber resilience folk.  I think TOO MANY people in our field seem focused on PROTECT and DETECT.  They ignore IDENTIFY ("that's all inventory work, that's just IT stuff, us cybersecurity folk don't care").  They ignore RESPOND (by and large, other than maybe incident handling and blue teaming) and RECOVER ("that's all disaster recovery, business continuity stuff, that's just IT stuff, us cybersecurity folk don't care").

The attitude being pushed is that "we" cybersecurity folks are all ethical hackers and pentesters.  We are all about PROTECT/DETECT.  That's all that's important.

And it doesn't help when I see people talking about getting people into infosec/cybersecurity, but ALL they talk about is ethical hacking and pentesting, NOT all the other stuff.

I'll be revisiting this.  If others have ideas, please post comments.
