Cyber Workforce Benchmark
Achieving Cyber resilience requires a shift in thinking for many organizations.
Traditionally, the ability to address adverse events is a by-product of a well-worn planning process. Potential risks are identified, proposed responses outlined and then filed away for use when the situation arises, along with all the other plans.
Against a dynamic risk, this approach falls short. Plans enshrined on Tuesday fall short when Wednesday’s threat arises out of left field with a whole new set of variables. The further you try to flex existing approaches, the more irrelevant they become. Previously innocuous or unpredictable minutiae set off a chain reaction. Your plan is static. The risk isn’t.
The answer lies not in plans, but capabilities. Developing an organization which has the ability to be open minded, agile and adaptable in the face of change – one which has cognitive agility – is critical.
Against modern all-encompassing threats, this means bringing the abilities of the entire workforce to bear. With risk spreading across the organization, so should mitigation. In this way, cybersecurity teams play a more strategic role – as well as being applied technically – but responsibility is also distributed across everything from the SDLC to executive teams. This brings ownership, encourages a foundational approach to resilience and minimizes resource burn.
By taking into account how all the elements of adverse events interact, organizations can move towards operational resilience. Not only does this enable a more holistic approach to both downstream and upstream risk – everything from supply chains to customers and regulators – but it also allows for impact tolerances to be set and assessed.
This is all said with an understanding that it is not an easy task. For most organizations, having a consolidated picture of something as seemingly intangible as capabilities seems a mammoth task. However, as current events compel organizations to step back and consider a bigger picture of risk and resilience, I believe it is a necessary path to be on. The first step is a better understanding of our capabilities as an industry.
