Is Your Enterprise ‘Cyber Resilient’? Probably Not. Here’s How Other Boards Fixed That
A strategy that’s been around for 20+ years but only now gaining traction ensures that when (not if) breaches occur, the impact on operations, reputation, and finances is minimized. Here’s why a cyber resilience scorecard is a key tool for any recovery plan.
In the escalating battle against cyberthreats, most businesses pour more security resources into prevention and detection: Keep attackers at bay, and if (er, when) a breach occurs, respond to it faster. While that focus has merit, another strategy is gaining traction.
With attacks becoming all but inevitable, more boards and business leaders want greater focus on mitigating the aftermath, so the business can get back up and running with minimal cost or impact.
Sophisticated cyberattacks, from ransomware to phishing expeditions, threaten not only companies’ informational assets but also, crucially, their operational continuity and reputation. And with business leaders under increasing pressure from regulators and investors to implement effective cyber-risk management, many are starting to approach it through the lens of cyber resilience – facing the reality that attacks will happen, and having a plan for recovery when they do.
The idea of cyber resilience dates back at least to the year 2000, but it has become a topic of serious discussion in boardrooms and C-suites only in the post-pandemic years of accelerated digitization. It acknowledges the stark reality that no defense is impenetrable.
Instead of just trying to detect and respond to incidents faster, cyber resilience prepares organizations to endure and quickly recover. This ensures that when breaches occur, their impact on operations, reputation, and finances is minimized, allowing businesses to sustain their momentum with minimal disruption.
“The ultimate goal of a cyber-resilient organization would be zero disruption from a cyber breach – no impact on operations, finances, technologies, supply chain or reputation,” says Keri Pearlson, executive director of the research consortium Cybersecurity at MIT Sloan (CAMS). “Board members should ask, ‘What would it take for this to be the case?’”
Getting the board on board with cyber resilience scorecards
Regulatory bodies are increasingly mandating disclosures related to cyber-risk management and the presence of cybersecurity expertise within boards. So boards must deepen their understanding and move beyond delegating to risk management experts, and actively engage in safeguarding their enterprises, Pearlson says. This entails a fiduciary duty to shareholders to mitigate business risks effectively, a responsibility that grows in complexity with the advancing cyber threat landscape.
A course designed by Pearlson and her colleagues, called “Cybersecurity Governance for the Board of Directors,” aims to arm board members with the necessary insights to navigate this intricate domain, emphasizing the board’s critical role in cybersecurity oversight and the strategic alignment of cybersecurity measures with broader business objectives.
More broadly, the “cyber resilience scorecard” has emerged in the past few years as a pivotal tool in the shift toward resilience, serving as a comprehensive framework for assessing, monitoring, and enhancing an organization’s ability to withstand cyber incidents.
The multidimensional view of cyber resilience scorecards
Unlike traditional metrics that might focus narrowly on incident counts or response times, a scorecard adopts a holistic view. It evaluates factors across the spectrum of cyber resilience, from the robustness of protective measures and the efficacy of response protocols to the readiness for recovery and the adaptability to emerging threats. This approach provides a multidimensional view of an organization’s cyber resilience, enabling targeted improvements and strategic decision-making.
Pearlson and her team at MIT developed a scorecard template based on her experience in board meetings.
“The scorecard idea came from my observation on the boards I’m on that board members don’t really know how to talk about cybersecurity, number one,” explained Pearlson, in an exclusive interview with Focal Point. “Number two, technology people don’t know how to report to the board on cybersecurity. They report technical things, quantitative things that are important to managing cybersecurity, but really, the board is not in a position to take the right kind of action or make the right kind of decisions… without lots of explanation.”
Top business sectors adopting scorecards in recent years include banking and financial services, healthcare, IT and IT services, manufacturing, and e-commerce. Some companies adopt them in response to increased regulation, others because of the rise in supply chain attacks, says Malini Rao, CISO of DeepLearnCyber.ai, who developed a scorecard for CISOs.
“These scorecards provide a comprehensive view of potential vulnerabilities,” she told Focal Point. “They can help quantify the likelihood and potential impact of different threats, allowing organizations to prioritize resources and efforts accordingly.”
Not a ‘one size fits all’
There is no “official” cyber resilience scorecard and no defined “right way” to do it. Pearlson developed the concept as a framework or template, but implementation is somewhat subjective. Organizations need to define for themselves what matters and what metrics are valuable to track and monitor.
Here are a few examples of cyber resilience scorecards developed by various entities:
- Lockheed Martin: Lockheed Martin introduced its Cyber Resiliency Level (CRL) Framework and the corresponding Cyber Resiliency Scoreboard in 2018, an early example of a formalized approach to measuring cyber resilience. The Scoreboard includes a questionnaire and dashboard for rating maturity in six categories, including Cyber Hygiene and Architecture.
- MIT: The Balanced Scorecard for Cyber Resilience (BSCR) provides insight into financial and operational performance by combining information about core activities that might otherwise be isolated from each other.
- USDA: The USDA Cybersecurity Scorecard, created with the Farm Service Agency, takes a balanced-scorecard approach aligned with the NIST framework, focusing on areas such as compliance, vulnerability management, and incident response. Aligning with NIST gives the USDA a standardized structure that is recognized across industries, so that every aspect of cybersecurity, from prevention to response, is systematically covered rather than addressed ad hoc.
- Malini Rao: Rao’s CISO Operational Balanced Scorecard distinguishes between transformational and operational aspects, offering a dual approach to align cybersecurity with strategic business objectives. She champions scorecards for helping CISOs “gain trust by proactively reporting metrics… that can identify weaknesses and prioritize areas for improvement.”
While there is no “one-size-fits-all” approach to a cyber resilience scorecard, there are certain elements that they typically have in common. Whether you’re considering an existing cyber resilience scorecard or designing your own, look for this basic framework:
- Risk assessment: Evaluating potential cyber risks and their impact on the organization.
- Security controls: Reviewing the effectiveness of implemented security measures.
- Incident response: Assessing the readiness and response strategies for potential cyber incidents.
- Recovery capabilities: Measuring the ability to recover from a cyberattack with minimal disruption.
Build your own cyber resilience scorecard
Follow these key steps to make a cyber resilience scorecard that’s effective for your particular situation:
- Assessment and goal-setting: Begin by assessing your current cybersecurity posture and defining what cyber resilience means for your organization. This could involve setting goals for recovery times, reducing the impact of breaches, or enhancing system redundancies.
- Framework development: Develop a scorecard that aligns with your cyber resilience goals. This should include a blend of quantitative and qualitative metrics, such as recovery time objectives, employee training levels, system backup frequency, and the integration of cybersecurity in business continuity planning.
- Regular monitoring and reporting: Establish a routine for monitoring performance against the scorecard metrics. This monitoring should be an integral part of the cybersecurity governance process, with regular reporting to key stakeholders, including the board of directors.
- Continuous improvement: Use insights gained from the scorecard to drive continuous improvement in your cyber resilience strategies. This could involve adjusting cybersecurity policies, investing in new technologies, or enhancing employee training programs.
- Board involvement and oversight: Ensure that the board of directors is actively involved in overseeing the implementation of the scorecard. Their strategic insight and oversight will be crucial in aligning cyber resilience efforts with broader business objectives.
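As an added illustration (not code from the article, and not the MIT, Lockheed Martin, USDA or Rao scorecards), here is a small Python scorecard that puts the steps above into practice: each metric is scored against a target the organization set for itself, rolled up by the four common scorecard elements with weights, banded red/amber/green for the board, and compared with the prior period. The metric names, targets, band thresholds and sample values are constructed for the example; a real scorecard would replace them with the goals defined in the assessment step.

```python
"""Constructed cyber resilience scorecard example (not any vendor's or
institution's scorecard). Metric names, targets and sample values are made up."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Metric:
    name: str
    category: str   # one of the four common scorecard elements
    value: float    # what was measured this period
    target: float   # the goal the organization set for itself (scores 100)
    worst: float    # the value at which the metric scores 0
    weight: float = 1.0


CATEGORIES = ("Risk assessment", "Security controls", "Incident response", "Recovery")


def score(m: Metric) -> float:
    """Linear 0-100 score between `worst` and `target`, clamped at both ends.
    Direction comes from the ordering of the two anchors, so 'lower is better'
    metrics (hours to recover, overdue patches) need no special case."""
    if m.target == m.worst:
        raise ValueError(f"{m.name}: target and worst must differ")
    frac = (m.value - m.worst) / (m.target - m.worst)
    return 100.0 * min(1.0, max(0.0, frac))


def rag(s: float) -> str:
    """Traffic-light band. The thresholds are an assumption; each board sets its own."""
    return "GREEN" if s >= 90 else "AMBER" if s >= 70 else "RED"


def rollup(metrics: List[Metric]) -> Dict[str, float]:
    """Weighted average per category. A category with no metrics scores 0 so a
    gap in the scorecard is visible rather than silently dropped."""
    out: Dict[str, float] = {}
    for cat in CATEGORIES:
        ms = [m for m in metrics if m.category == cat]
        total_w = sum(m.weight for m in ms)
        out[cat] = sum(score(m) * m.weight for m in ms) / total_w if total_w else 0.0
    return out


def overall(category_scores: Dict[str, float]) -> float:
    """Equal-weight mean across categories (another assumption to tune)."""
    return sum(category_scores.values()) / len(category_scores)


def report(metrics: List[Metric], prior: Dict[str, float]) -> List[str]:
    """Board-level lines: one per category with band and movement since last period."""
    cats = rollup(metrics)
    lines = []
    for cat, s in cats.items():
        delta = s - prior.get(cat, s)   # no prior value: report no movement
        lines.append(f"{cat:<18} {s:6.1f}  {rag(s):<5}  {delta:+.1f} vs prior")
    o = overall(cats)
    lines.append(f"{'OVERALL':<18} {o:6.1f}  {rag(o)}")
    return lines


# Constructed sample input for one reporting period (hypothetical values).
SAMPLE_METRICS = [
    Metric("Critical assets with a current risk assessment (%)", "Risk assessment", 78, 100, 0),
    Metric("Critical patches past SLA (count)", "Security controls", 3, 0, 20),
    Metric("MFA coverage of privileged accounts (%)", "Security controls", 96, 100, 0),
    Metric("Mean time to contain (hours)", "Incident response", 30, 24, 72),
    Metric("Tabletop exercises in last 12 months", "Incident response", 1, 2, 0),
    Metric("Worst recovery time in last restore test (hours)", "Recovery", 6, 4, 24, weight=2),
    Metric("Backup restore tests passed (%)", "Recovery", 80, 100, 0),
]
# Constructed category scores from the previous period (hypothetical).
PRIOR_PERIOD = {"Risk assessment": 70.0, "Security controls": 88.0,
                "Incident response": 75.0, "Recovery": 80.0}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_METRICS, PRIOR_PERIOD)))
```

Anchoring every metric on a target and a worst case, rather than on raw counts, is what turns technical telemetry into something a board can act on: the red band on incident response in the sample says "two gaps against goals we set" without anyone needing to explain what a mean time to contain is.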
By prioritizing cyber resilience and adopting tools like a scorecard, organizations can not only mitigate the impacts of cyber incidents but also bolster their competitiveness and sustainability. Rao recommends using AI and automation to enhance cyber resiliency reporting, like generating weekly and monthly scorecards. And don’t forget your supply chain, she stresses: Businesses should align their third-party partners to report scorecard metrics too.