The Harvard Business Review ran a piece back in July 2024 on the future of computer security,
https://hbr.org/2024/07/when-cyberattacks-are-inevitable-focus-on-cyber-resilience
Well written (imo) in straightforward language, the gist is:
What is cyber resiliency? And why is it different than cyber protection?
A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Resilient organizations specifically devote significant resources to drawing up plans for what they will do if an attack happens, designing processes to execute them when the time comes, and practicing how to put these plans into action. Prevention is critical — but it's not enough.
[...]
Yet in my work as a researcher in conversation with chief information security officers and other cyber experts, I have noticed that many leaders focus most, if not all, of their security resources on prevention and leave recovery to business continuity plans that aren't usually designed with cyber incidents in mind. Instead, leaders need to embrace a mindset of cyber-resilience.
The HBR readership is (I believe) tilted toward C-class executives, so this may well filter down into IT departments. Anyone here seen any signs of a push toward "resilience" recently?
Paywalled? Try https://archive.is/CSFA3
(Score: 2) by krishnoid on Sunday October 06, @01:56AM (1 child)
If they're already familiar with the concept of business continuity plans, then add cyber recovery -- computing resources, data, services -- into the plan. Some of these things need to be interleaved among the other business continuity recovery steps anyway -- e.g., a third-party chat mechanism, then restoring cloud services from a backup if needed, then the local network, then Active Directory while other things like natural disaster recovery is coming up, etc. It's already part of the CISSP certification [infosecinstitute.com] requirements.
(Score: 3, Informative) by zocalo on Sunday October 06, @08:03AM
Most of what they are saying is, as you note, embedded in certifications like CISSP, but it's also been in things like CIS Core Controls, Defence in Depth strategies, and other similar best practice guides from multiple government advisory bodies and regulators for ages - certainly back to the late 1990s/early 2000s because I can remember working on ensuring compliance of a system being put in place as part of Y2K upgrades. In many countries, it's also already backed by a legal requirement to have all this in place, especially for owners and operators of critical infrastructure or other heavily regulated sectors, e.g. the UK's NIS Regulations of 2018, and there are a number of well established corporate accreditations that require you have this kind of resilience as well.
Better late than never, I suppose, and if it mops up a few more of the laggards then that's good news for everyone as there's less chance of their compromised systems being leveraged to launch further attacks or even more of our personal data being leaked. Quite frankly though, if this is news to anyone, I'd like to know who that is so I can ensure they're not anyone my clients and I are doing business with.
UNIX? They're not even circumcised! Savages!
(Score: 5, Insightful) by stormwyrm on Sunday October 06, @05:00AM (3 children)
Numquam ponenda est pluralitas sine necessitate.
(Score: 4, Interesting) by driverless on Sunday October 06, @08:29AM (1 child)
It's also just a re-buzzwording of an existing term, "intrustion-tolerant systems", which date back around 25 years.
(Score: 2, Informative) by RTJunkie on Monday October 07, @09:15AM
Please be patient with our pointy-haired business types. They're a little slow.
(Score: 3, Interesting) by canopic jug on Sunday October 06, @10:53AM
Bruce Schneier, arguably the most famous security guru of them all, has the famous dictum: security is a process, not a product.
Yet, conversely, snake oil is a product and not a process, and that has started to misdirect lots of money [bastiat.org] in the last two decades. That misappropriation of money in turn helps buy congressmen to (re-)write legislation according to the wishes of lobbyists, who often even supply the very text brought to the floor for a vote. The lobbyists work towards laws eliminating secure development and design, instead work for a world view where 'security' is a box-ticking exercise as well as an after-market add-on and not part of the very design process. Thus you end up with situations where Linux, OpenBSD, and FreeBSD systems are banned due to not fitting into the m$ marketing sales stream because of a lack of such aftermarket add-ons and boxes to tick.
Money is not free speech. Elections should not be auctions.