Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
In the media

Security Think Tank: 2022 changed how we thought about resilience

Computer Weekly

09 December 2022

Tags

This article was first published in computer weekly

2022 saw the cyber security landscape continue to evolve and become ever more challenging for businesses and governments.

A post-Covid new normal has been in full force this year, with companies embracing hybrid and remote work arrangements, while sustaining (or bracing for) large-scale data breaches and destructive ransomware attacks. Government infrastructure has also been targeted, and state-sponsored cyber warfare has opened new frontiers in the Russia-Ukraine conflict.

Throughout this global mayhem, we have witnessed a noticeable shift in what it means to “do” cyber security within organisations, especially those which are more cyber mature. From a mindset of “secure everything” to try to prevent attacks, there has been a transition to a real acceptance of the notion that suffering a cyber attack is not a question of if, but when.

Developing cyber resilience has become the driving force and a key objective of cyber security efforts. That means understanding how to roll with the punches and how to continue to operate (or indeed, survive) during an attack, and, ideally, come back stronger.

Becoming resilient is at the heart of the people-processes-technology triangle and there have been shifts in all three aspects in 2022.

Technology: playing catch-up versus security by design

While the rush to consume numerous tools and technologies to bulletproof organisations against breaches by securing the network’s perimeter and its many endpoints continued, there is clear and growing disillusionment with these products and the false sense of security they create. How, for example, will purchasing the latest threat intelligence software protect you if you have no way of deploying protection against a new threat fast enough?

Similarly, there is a growing understanding that addressing identified vulnerabilities has turned into a futile exercise of playing catch-up with extremely sophisticated threat actors. This is further reinforced by the realisation that the growing risk of insider threat cannot be addressed by a traditional security mindset.

The conceptual shifts required to address these challenges emphasise the need to develop resilience bottom-up from the get-go of any business operation. Implementing security by design, which seeks to make systems as free of vulnerabilities and impermeable to attacks as possible by building security into products from conception, and zero trust, a fundamental building block of resilience, have therefore moved to the top of the agenda for big organisations.

People: security teams versus organisation-wide resilience

Recruiting cyber security staff who are close matches to the roles and requirements needed remained a significant challenge in 2022 due to severe workforce shortages. This lack of skilled staff has become most apparent during and after major attacks, when the crucial need to recover services could not be met.

Under the resilience paradigm, organisations should be prepared to grow cyber security subject matter experts by training individuals with transferable skillsets. This will allow for more dynamic hiring and broader, more resilient cross-organisational teams.

Another trend this year was the shift from cyber security awareness training, which is no longer sufficient, to essential C-suite and board-level cyber security exercises. This focuses on decision-making, chain of command and skills enhancement to enable smooth and effective cyber incident management, response and recovery.

Introducing “cyber nudges” – design features engineered into digital environments to indirectly encourage good cyber habits – can also be effective. Building individual and corporate muscle memory to mitigate the effects of an attack can stop a bad situation from turning worse, while crucially identifying what effective recovery, or survival, looks like and what needs to be in place to make it happen.

Processes: business as usual versus rigorous testing

A key question this year has been: does the organisation have a mature development and operational lifecycle, is it actually being used, and is it used effectively? Too often, the lifecycles did not close the loop and resilience failed to evolve. As a result, continuous integration/development pipelines and improved DevSecOps have begun to emerge as concepts that must be embraced.

Resilience develops not only from understanding your environment and the threats to it, but also from codifying what precisely can go wrong and how to effectively respond when it does.

Rigorous testing of business processes can help ensure that when an attack occurs, the right actions can be, and are, taken. Developing processes, exercising them and training the individuals who can carry them out, at varying and increasing levels of complexity, validates and helps to improve them. This enables the organisation to keep up with the latest threats and attack trends not only by securing against them, but also by preparing for them to happen.

Overall, the most important cyber security lesson we learned in 2022 is that cyber resilience is more important than a narrow security focus in organisations and governments’ preparedness for attacks. That does not mean the value of security should now be dismissed and that there should be an exclusive focus on resilience. Rather, that organisations which change their mindset from attempting to prevent cyber attacks, to becoming more resilient to them, are the ones most likely to survive and potentially even thrive when attacks inevitably occur.

Explore more

Shanghai Pudong International Airport
In the media

How to build resilience in an airport

PA's Global Head of Aviation Kata Cserep and aviation strategy expert James Healey outline the three key steps operators should take to improve resilience at airports.
Shanghai Pudong International Airport
Global Innovation and Technology Centre in Cambridge, UK
Press release

PA Consulting appoints former energy industry operating partner and NED Siobhan Clarke as Executive Advisor

Read about our new appointment.
Global Innovation and Technology Centre in Cambridge, UK
A young Asian woman checking in at subway station, making a quick and easy contactless payment for subway ticket via smartphone.
In the media

Tackling fare evasion in account-based ticketing schemes

How to analyse real-time fare evasion risks in open-loop transport systems, proposing enhanced detection strategies.
A young Asian woman checking in at subway station, making a quick and easy contactless payment for subway ticket via smartphone.
Press release

PA Consulting and Kemira collaborate to develop new renewable barrier coatings for sustainable food packaging

Read about our strategic partnership.

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.