No Magic, No Shortcuts: Resilience is a Journey

As any Harry Potter fan will tell you, Vernon Dursley was sorely mistaken when he said, “There’s no such thing as magic.” It’s tempting for those of us in cybersecurity to fantasize about what would be possible with the help of a magic wand (banishing threat actors to another dimension, anyone?). But maybe it’s not such a bad thing to live in a world without one.

You’ve probably heard the “magic wand” question countless times before. Sometimes it’s an executive asking, “If I gave you a blank check for your security budget, how would you spend it?” Or it’s a panel moderator asking, “If I gave you a magic wand to make one change in your organization’s security posture, what would you do?” Regardless of who’s asking, the root behind the question is the same: “What is your top priority from a security perspective?”

We posed a similar question to some of our customers as part of a panel we hosted during our team's annual on-site meeting this summer. It was one of the only questions they balked at. Not only is there no one quick fix they’d tackle if money was no object — they didn’t even really want the wand. 

“There’s not one thing or one tool,” a panelist shared. “It’s a growth journey. It’s a constant evolution.”

Another customer agreed, saying, “I also think that takes the fun out of it. It’s a journey.”

No Magic? The Resilience Journey 

That journey is becoming increasingly important amid today’s cybersecurity challenges. “The big shift at the moment for us is really focusing on resilience and recovery,” explained one of our panelists. “There’s a shift away from just securing the perimeter. We understand that it’s not if we get attacked, it’s when.” 

This change in philosophy will feel on-topic for those who have been following our series on cyber resilience. Without any prompting on our part, the cybersecurity professionals on our panel quickly turned the conversation there. They referred to the holistic approach required for security efforts to be effective, the importance of embedding security into the company's culture, and how security and resilience aren’t boxes to check off of a to-do list: The constantly evolving security landscape requires steadfast attention and commitment to improvement; to staying on top of the latest developments. 

And the end goal isn’t to be “secure.” The goal is to increase resilience, which is a continuous process by which organizations become more capable and strategic with prevention, detection, containment and recovery. More about top qualities of resilient organizations here.

What’s On CISO’s Minds? The Necessary Cultural Shift

As we’ve discussed throughout this series, resilience also requires a cultural shift in the organization: Employees and executives at all levels are engaged in security and empowered to speak up, report concerns or mistakes and contribute to the overarching goal of improving resilience. 

Our panelists all underscored this point, emphasizing the importance of the “security culture,” or “security mindset” within their respective organizations. They mentioned that even when it comes to testing and other regulatory or compliance requirements, the goal should be to make real, thoughtful improvements over time  — a mindset that security and resilience go past having lists of requirements and boxes to check off. 

One panelist, who switched companies this year and took us with him as a partner, said his “focus right now is building the security culture at this new role. I felt like we made an impact on building that kind of security culture in my previous role.”

How Can I Build a Culture Around Resilience? 

We asked our panelists what’s worked in increasing awareness and alignment in the pursuit of a culture built around resilience, and this is what they said:

• “We leveraged a tabletop exercise to bring in the C-level and leadership team. The real-world scenario made it more impactful for the team.” This gave the panelist insight into which of his executives and leaders were connecting with which parts of the exercise, allowing him to create clear next steps around what things landed and what elements he needed to dive deeper into with them.

• Another mentioned purple team exercises as being helpful in developing his team’s awareness: “Our team was able to see that it’s more than a vulnerability we need to patch — they could see exactly how a real attacker would get into our environment… and suddenly it clicks with what we need to prioritize. It helps when folks get to see it in real time, and that it’s not just a story we made up.”

• On building the awareness of his fellow employees, one customer said that “phishing simulations can only go so far. There needs to be more comprehensive training of your staff to understand security as a whole and think about their own impact on the organization.” 

Where to Start? 

If you want to learn more about cyber resilience, we have some resources to help you understand what it means, where you are in your resilience journey, and some key steps you can take to improve your resilience. 

• Cyber Resilience: Strengthening Your Company's Immune System | NetWorks Group
• High-Quality Penetration Testing: The Foundation of Cyber Resilience | NetWorks Group
• Top 6 Qualities of Resilient Organizations | NetWorks Group
• Resilience Check-Up: How to Assess Areas of Opportunity | NetWorks Group

A strong cyber resilience strategy requires the right expertise, planning and execution. You don’t have to navigate it alone. Still wishing you could just have that magic wand? Contact us today to discuss your company’s security needs and explore how we can help you build a more resilient and secure future.

‍