Building Cyber Resilience in a VUCA World

essidsolutions

As cyber attacks become ever more sophisticated and frequent, production environments are in constant flux, and a degree of resilience is crucial to withstand the onslaught. This article illustrates how companies can achieve that resilience by applying VUCA (Volatility, Uncertainty, Complexity, and Ambiguity), a strategic leadership concept initially introduced by the US Army.

The acronym VUCA (Volatility, Uncertainty, Complexity, and Ambiguity) was introduced by the U.S. Army War College at the end of the Cold War. It also happens to be an apt descriptor for today’s cyber threat landscape. In cybersecurity, understanding VUCA principles is an important step in evolving an organization’s security culture and continuously improving its security posture. This article offers a way to apply VUCA principles to cybersecurity and to strengthen defenses based on VUCA thinking.

Volatility: What’s Changing and How?

Cyber environments change quickly and sometimes extremely. Adversaries continually change their tactics and evolve their techniques, creating a dynamic cyber threat landscape. For example, whereas Business Email Compromise (BEC) attacks and spoofing tactics might have targeted corporate executives one year, the next year might have seen a significant increase in sophisticated phishing emails targeting low-level staff.

Volatility also comes from normal day-to-day business operations. Business models evolve, changing the attack surface that must be defended. For example, a consumer goods company might significantly reduce print advertising and launch a social media-based marketing strategy to reach customers directly. Now it must ensure that its consumer-facing social channels are secure and that the integration between lead management and CRM systems does not introduce new vulnerabilities. Digital transformation initiatives can create new process vulnerabilities. Mergers and acquisitions introduce new unknowns, and systems that were once considered “safe” can become vulnerable. In the worst case, a breach disrupts the business, which creates new demands on internal security teams.

Uncertainty: What Don’t You Know?

In spite of layered security measures and significant infrastructure investment, security teams still worry about what they don’t know. For example, they don’t know how much an attacker already knows about their organization or which tactics the attacker will deploy. It is also difficult to know the exact state of company assets at any given moment. More frustrating still, security teams don’t know for certain who the bad guys are, and they can’t assume that employees are good guys.

Complexity: Where Do You Start?

Enterprise infrastructures are incredibly complex, often spanning multiple countries, cultures, and regulatory environments. Individual security controls are themselves complex: a simple configuration error or a missing patch can open the door to a breach. The sheer interconnectedness of devices, services, applications, processes, and people can be overwhelming when trying to configure a policy. What’s more, attackers’ Tactics, Techniques, and Procedures (TTPs) are complex by design, slowing a team’s ability to identify, investigate, and remediate any issue. To top it off, there is a global shortage of skilled, knowledgeable security professionals to manage it all.

Ambiguity: What’s Real?

Ambiguity is high in an enterprise security environment. It is difficult to get immediate, clear, and prescriptive insight into security events. Overwhelming volumes of event and alarm data make it impossible to parse logs quickly or thoroughly enough. Teams often must attempt to manually correlate events from across the infrastructure to piece together the context for their response. When teams continually operate at a heightened level of vigilance, there is also more potential for fatigue, misreads, and error.

Living in a VUCA World

The key to operating effectively in a VUCA environment is to cultivate resilience: building a cybersecurity approach and practices around continuous flexibility and proactivity. Resilience starts with acknowledging that as long as there is an adversary intent on doing damage, many factors are out of your team’s control.

This is why simply “locking down” a security infrastructure can’t work. Instead, you need to develop a security team with a resilient culture. Team members must be able to fluidly anticipate and have the flexibility to choose the best response from a wide range of possible responses. They must proactively identify key assets, maintain an awareness of current threats, and plan in advance for multiple eventualities.

In other words, you can define your intent (who the adversaries are, who your defenders are, what constitutes an event, when and where an event occurs, and why you must respond), but “how” to respond correctly is not clear until the event occurs, because the adversary’s tactics are not known until they are used. Resilient teams can identify their incident response options in light of both best-case and worst-case scenarios, depending on the value of the specific corporate assets under attack.

Building Infrastructure Resilience Is Critical

A resilient cybersecurity posture requires optimizing the effectiveness of your defenses at any given point in time. You need clear visibility into security controls, interconnected capabilities, and defenses across the entire kill chain. Security teams must be able to continually assess their controls across all vectors against immediate threats. There are security solutions that simulate attacks, measure the effectiveness of each control against specific attacker TTPs and APT groups, and provide specific remediation guidance to improve effectiveness.

By testing continually, teams can reliably measure improvement both immediately after taking the necessary remediation steps and over time. Risk assessment metrics and prescriptive mitigation guidance deliver clarity about the effectiveness of controls. If specific areas do not improve, or even deteriorate, the team can demonstrate why: perhaps improvement is hindered by a lack of resources, outdated controls, or other factors. Finally, an executive report can give executive teams and board members a comparison of how the organization measures up against other companies in the same industry.

Although you still can’t predict an attacker’s mindset or goals, teams can significantly increase their cyber resilience in a VUCA world. At the same time, they can measure improvements and document their steps, increasing confidence in security decisions and optimizing the overall security posture.