Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 12 submissions in the queue.
posted by Fnord666 on Sunday October 06, @01:39AM   Printer-friendly
from the the-world-ended-what-do-we-do-now dept.

The Harvard Business Review ran a piece back in July 2024 on the future of computer security,
https://hbr.org/2024/07/when-cyberattacks-are-inevitable-focus-on-cyber-resilience

Well written (imo) in straightforward language, the gist is:

What is cyber resiliency? And why is it different than cyber protection?
A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Resilient organizations specifically devote significant resources to drawing up plans for what they will do if an attack happens, designing processes to execute them when the time comes, and practicing how to put these plans into action. Prevention is critical — but it's not enough.
[...]
Yet in my work as a researcher in conversation with chief information security officers and other cyber experts, I have noticed that many leaders focus most, if not all, of their security resources on prevention and leave recovery to business continuity plans that aren't usually designed with cyber incidents in mind. Instead, leaders need to embrace a mindset of cyber-resilience.

The HBR readership is (I believe) tilted toward C-class executives, so this may well filter down into IT departments. Anyone here seen any signs of a push toward "resilience" recently?

Paywalled? Try https://archive.is/CSFA3


Original Submission

 
This discussion was created by Fnord666 (652) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by zocalo on Sunday October 06, @08:03AM

    by zocalo (302) on Sunday October 06, @08:03AM (#1375937)
    This has all been a concept for at least two decades, so I guess it's nice that Harvard has finally arrived in the 21st Century? "Anyone here seen any signs of a push toward "resilience" recently?" Define "recent". At least in critical infrastructure we were starting to really get to grips with all this a decade or more ago (with varying levels of success) and it's now pretty much BAU where it counts (again, with varying levels of success). I can only assume that this article was actually aimed at all the clueless MBAs who think the only thing that matters is cutting costs that Harvard et al are busy churning out, because anyone with a clue should already know - and do - all this.

    Most of what they are saying is, as you note, embedded in certifications like CISSP, but it's also been in things like CIS Core Controls, Defence in Depth strategies, and other similar best practice guides from multiple government advisory bodies and regulators for ages - certainly back to the late 1990s/early 2000s because I can remember working on ensuring compliance of a system being put in place as part of Y2K upgrades. In many countries, it's also already backed by a legal requirement to have all this in place, especially for owners and operators of critical infrastructure or other heavily regulated sectors, e.g. the UK's NIS Regulations of 2018, and there are a number of well established corporate accreditations that require you have this kind of resilience as well.

    Better late than never, I suppose, and if it mops up a few more of the laggards then that's good news for everyone as there's less chance of their compromised systems being leveraged to launch further attacks or even more of our personal data being leaked. Quite frankly though, if this is news to anyone, I'd like to know who that is so I can ensure they're not anyone my clients and I are doing business with.
    --
    UNIX? They're not even circumcised! Savages!
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3