The Importance Of Resiliency

May 2017

Adversaries constantly adapt and learn from failures. The complexity of their tactics is ever increasing, creating unpredictable outcomes after an attack. Adaptability and resilience in the face of this unpredictability, then, become the key to a successful security posture and business continuity.

Today's digital, physical and social landscapes are complex. This complexity hides untested and unchecked security holes. A security program that is fixed, doesn't take into account the evolution of attacks and attackers, and continues to carry over legacy ideas will most likely crumble under the pressure of a real security incident. It would probably provide a good immediate response; however, unless the plans and procedures are flexible and resilient enough, chances are the plan will not survive first contact with the enemy. The ability to design programs, business processes, technology architectures, and digital security with the protection of critical assets in mind, while maintaining and integrating business continuity across all of them, will create resiliency.

"In complex environments, resilience often spells success, while even the most brilliantly engineered fixed solutions are often insufficient or counterproductive."

— Gen. McChrystal, Team of Teams.

Not only efficiency, attention to detail and building on experience, but also adaptability and resilience must become our central focus for a good security program to be successful. Organizations must build digital resilience to protect their most valuable data. Security teams must be agile and resilient in the way they develop their techniques and act.

Resilience thinking is the opposite of predictive security, where things like perimeter security technology live. Resilience, adaptability and the ability to think like an adversary are a better way to know what we don’t know, expect the unexpected, and explore other options. In other words, apply the Red Team Mindset and create a more resilient program.

It's nearly impossible to have a good overview of how well a security program performs without first understanding its risk. When organizations fail to do so, they may end up with a program that doesn't suit their organization or architecture, or a plan that will not withstand a real-world attack.

Understanding the adversary will help create this resiliency. Testing, stress-testing and adapting the plan and response measures will ensure the survival of your business. Start thinking like an adversary, adopt the mindset of an open system that can adapt to the environment, and be ready for the next attack. It will happen.

Bringing in an advanced Red Team will jump-start the process. Red Teams act like a real attacker, truly identifying where the controls break and providing a realistic view of how resilient an organization is. To help this process, the mindset of the organization needs to shift from having a single point of failure (the network dictating access rights, for example) to identifying a collection or system of interconnected defenses spanning different types of controls and monitoring capabilities. An attacker will have a much harder time defeating this.

Don't neglect to evaluate your controls in a realistic way.



Note: Originally written in the Advanced Capabilities Group’s blog.