The art of failing gracefully – Cyber resilience’s next challenge?

In recent years the cyber industry has moved away from siloed protective strategies to wider approaches that promote resilience and the need to understand and mitigate threats holistically. The need for improved cyber resilience also reflects the growing acceptance that organisations of all sizes are likely to be exposed to malicious cyber events and will be required to confront difficult crisis decisions and organisational dilemmas. There remains however a key gap in how many organisations approach this issue. 

Cyber resilience regularly focuses on statis processes, policies and procedures, and theoretical assumptions, which assume incidents will perfectly match playbooks and escalation structures. This does not reflect the messy, chaotic and adversarial nature of information security threats, as well as cascading failures that can occur across personnel, physical, supply chain and cyber hazards.

In practice complex cyber events result in organisations confronting dilemmas that go outside the boundaries of written pre-existing plans, and the conform level of internal subject matter experts and support providers. For this reason triage and response strategies will often be based on incomplete information, and can fail to achieve desired outcomes unless they are refined or amended.

The inherent risk of failure is an innate component of modern cyber breaches, which is often ignored. By acknowledge, accounting for and responding to these failures, organisations can obtain materially better incident response outcomes, and provide more effective support to key internal and externals stakeholders.

This session will look at some of the common “failures” and challenges that organisations struggle to deal with during incident response and cyber security risk management. Issues that will be explored include steps to maintain operational continuity, the ability to learn from and challenge factual issues as they arise, creating safe environments to encourage open information sharing, and how to contextualise the legal and regulatory exposures that can arise from information security system breakdowns. The session will also give guidance on how risk and compliance processes can best be refined to address these elements and to improve overall resilience.