Business Continuity Depends on the Intersection of Security and Resilience
This session explores the importance of knowing and adapting to the differences between security and resiliency to enable business continuity.
November 21, 2024
Resilience goes beyond risk reduction to prepare for and respond to breaches, by acknowledging that incidents are inevitable. While security and resilience tend to be treated as synonymous, there are stark distinctions and interrelationships among security, resilience, and business continuity in cybersecurity.
Understanding the nuances of each of these concepts separately is vital to effectively securing modern enterprises. That knowledge allows organizations to develop a response plan that preserves business continuity when security measures fail.
In this archived keynote session, Tia Hopkins, chief cyber resilience officer and field CTO of eSentire, explains how cyber hygiene enables organizations to know and adapt to the differences between security and resiliency to sustain business continuity.
This segment was part of our live virtual event titled, “A Handbook for Infrastructure Security & Resiliency.” The event was presented by Network Computing and Data Center Knowledge on November 7, 2024.
A transcript of the video follows below. Minor edits have been made for clarity.
Tia Hopkins: So, I'm excited to talk about this topic today, and it's not because I'm a chief cyber resilience officer. I think it's important to run successful security programs and to successfully secure the enterprise.
It's also important to understand the difference between these topics in terms of the value that they bring to an organization, where they have gaps, and how they all work together. Brandon mentioned that I'm a women’s tackle football coach, and I tell my players all the time that football is a game of inches.
I think the major difference between good teams and championship teams is attention to detail. And in a similar fashion, attention to detail is important when it comes to how effectively you're able to secure security programs. So, let's jump into this thing. They're not all the same thing, right?
I mean, if the answer were yes, this would be a short keynote here. We're going to talk about the differences between them, the similarities between them, and really get into the weeds and split the hairs around these things. Because you could argue that all three of these are part of each other, or that one overlaps another, and all those things are true.
But it's important to understand in isolation what the intended outcome is of that subject. Because something else I think we tend to do in this industry is unconsciously use the same word to mean different things, right? We might be talking about security when we say resilience. We might be talking about business continuity when we say resilience.
But the reality is, when we dig into the details of driving these outcomes, it's important to understand where they fit and the appropriate use case. So, let's dig into these separately. We'll start with security. I'm an academic, Brandon mentioned I'm a professor of cybersecurity, so I like to start with definitions to make sure we're all on the same page.
And so, in preparing this presentation, I found two definitions that you're probably familiar with, because we're still having the conversation around information security as well as cybersecurity. So, from an information security perspective, it's essentially protecting information and information systems to ensure confidentiality, integrity and availability.
When we get to the cybersecurity definition, it's kind of the same thing, right? We're ensuring integrity, confidentiality and availability. They added authentication and non-repudiation, but it's still preventing damage to something, or protecting something. I wanted to highlight the key words here from these definitions to really drive home the point.
The focus of security, or the goal of security, or the intended purpose of security in its most natural and traditional form, right, before we start to apply it to other things, is to prevent bad things from happening, or protect the organization or protect assets. It doesn't necessarily have to be technology that does it.
This is where your policies and procedures come into place. Letting users know what acceptable use policies are or what things are accepted when leveraging corporate resources. From a technology perspective, it's your firewalls, antivirus, intrusion detection systems and things of that nature.
So, this is where we focus on good cyber hygiene. We're controlling the controllables and making sure that we're taking care of the things that are within our control. What about resilience? This one is near and dear to my heart. That's because I've been in tech and security for almost 25 years, and I've kind of gone through this evolution of what I think is important.
We're trained as practitioners in this industry to believe that the goal is to reduce risk. We must reduce or mitigate cyber risk, or we can make other risk decisions. We can avoid it, we can accept it, or we can transfer it. But practically speaking, when we show up to work every day and we're doing something active, we're reducing risk.
My argument is that reducing risk doesn't necessarily ensure that the business is going to continue to operate when something happens. So, if we take a step back and go back to security, we are protecting the business. We're trying to reduce risk and do our best to make sure nothing happens.
We say all the time in today's world that it's no longer a matter of if we are breached or if we have an incident, it's a matter of when. When we get to resilience, that's when we start to think about it. What do we do if everything we did to secure the enterprise or the data to keep our users secure fails? What do we do then?