Resiliency Is Easier Than Cybersecurity?

Posted February 15, 2024 by Kevin Finch 

It’s impossible to overstate the importance of safeguarding critical business operations in today’s digital landscape. In addition to the traditional threats to business operations (like power outages, facility impacts, and data loss events), the increased risk to the business now presented by cyber threats such as ransomware, malware, and phishing attacks means that businesses face threats on more fronts than they ever have. Developing Business Continuity (BC) programs and Cybersecurity programs to mitigate those threats is something that all businesses should be doing. I would contend, however, that developing and maturing a Business Resiliency Program is much simpler than trying to develop a comprehensive Cybersecurity program.

Business Resiliency and Cybersecurity are inherently related, so I don’t think that it’s necessarily a healthy thing for businesses to try to completely separate the two. Many of the disciplines that make up successful Business Resiliency Programs and successful Cybersecurity Programs complement each other. In fact, one of the stalwart best practices of Business Resiliency, the Business Impact Analysis (BIA), is also included in the “Security and Risk Management” domain of the (ISC)² CISSP certification. Your Resiliency Program will also be a vital part of recovery, should your business be targeted by, or fall victim to, some type of Cybersecurity incident.

I would like to emphasize, however, that in talking about Business Resiliency, I am talking about resiliency overall, not just Disaster Recovery (DR) or Data Recovery. Most practitioners consider Data Recovery to be a subset of the discipline, along with Crisis Communications, Incident Management, Physical Security, Business Continuity Planning, risk identification and management, and training and awareness programs.

“All things are difficult before they are easy.”

Thomas Fuller

That having been said, I believe that Cybersecurity is a more challenging problem for businesses than Business Resiliency.  On the surface, the two may seem equally complex, given that there are a number of aspects to each discipline that need to be addressed.  However, there are a number of differences in the way that the two need to be managed which make Cybersecurity more complex, and I think the first of these is the specificity that Cybersecurity requires.

There are many potential threats that businesses face in the realm of Cybersecurity, and addressing those threats often requires a specific response to each individual threat. It’s ludicrous to think that you would take the same approach in responding to a phishing email as you would to a malware infection, because to address either of those potential issues effectively, you would need to have specific responses ready to execute.

Resiliency, on the other hand, is more about dealing with categorical threats to the business rather than specific ones. Experienced practitioners have been making “all hazards” resiliency plans for decades, where they focus on the type and quality of solutions to business interruptions, rather than focusing on the type and variety of potential interruptions. It’s common in Business Resiliency Programs to focus on planning for how the business will handle a business process interruption, rather than on the many ways that process could potentially be interrupted. Not needing to delve into the minutiae of all the potential causes of interruption makes planning simultaneously easier and more comprehensive.

“Everything should be made as simple as possible, but not simpler.”

Albert Einstein

The key difference that adds the most complexity to Cybersecurity, however, is the constant evolution of threats. Even if a company can develop a program that addresses all commonly known threats, it will find itself in a constant technological arms race with cyber criminals and bad actors as new threats and vulnerabilities are discovered. Statistically speaking, the variety and severity of those threats continue to get worse every day too: there are viable AI-integrated threats in the wild today that weren’t even imagined by many security professionals just a year or two ago.

Most of the threats that a Business Resiliency Program faces, by contrast, are more predictable and have even been mitigated in some cases.  Power interruptions are still one of the most common causes of business interruption, and the technology for addressing that threat hasn’t fundamentally changed in decades.  Data Recovery is always an important aspect of resiliency, and while the mass of data that needs to be recovered has grown exponentially for many businesses, the fundamental process of data restoration has only gotten easier over the years as more advanced tools have been developed in the marketplace.  Systems availability is vital, and the advent of cloud services has made it so companies can now set up high-availability, geographically separated failover systems with just a few mouse clicks.  Facility outages used to be a huge concern, but now in this post-COVID business environment, most businesses have the means to let some employees work remotely, reducing or eliminating their dependence on specific facilities.  Even the process of creating BC and DR plans has improved dramatically in recent years, with excellent affordable tools available.

Don’t forget the many benefits that businesses can reap from building Resiliency Programs. Maturing your Resiliency Program contributes to the overall stability of business operations, reducing the chance of system outages in the face of adverse conditions. A mature Resiliency Program can also help to mitigate cyber risks, by limiting the impacts of various cyber threats and reducing the severity of potential breaches or attacks. Demonstrating a commitment to resiliency can enhance customer trust and help with regulatory compliance. Companies with robust Resiliency Programs also report cost savings in the long run by minimizing the impact of disruptions.

So, while developing and maturing a Resiliency Program isn’t necessarily easy, it is a problem that is quantifiable.  The resiliency problems businesses face are fundamentally similar to what they were a decade ago, and resiliency tools continue to improve.  I’m not a Cybersecurity expert by any means, but I would contend that between the two, resiliency is the easier one to manage.

Still feel like building and managing a Resiliency (or Cybersecurity) program is a bewildering process? Sayers is here to help.  Our team of Resiliency and Cybersecurity engineers is happy to help you build a program that protects your business from all sorts of potential interruptions, cyber or otherwise.
