Inherent Risks: from security to resilience

by Rois Ni Thuama
October 6, 2022 · October 5, 2022 · Filed under:
  • Cybersecurity
  • DORA

Years before I studied law, I had trained as a climbing instructor. Last week I traveled to Scotland. I could not sit in the shadows of her mountain ranges to discuss resilience without acknowledging that, for as long as humans have endeavored to undertake anything worthwhile, it has always been a balancing act between making progress and protecting your people and your assets.

It is not the case that we simply do not undertake these challenges; of course we do. This is how, 47 years ago in September 1975, a British team successfully scaled the South West face of Everest.

Chris Bonington’s team succeeded not because they were immune to the dangers. They’d had an unsuccessful attempt three years earlier. They succeeded because the leader and his team had carefully assessed a myriad of factors, including the conditions they were facing, the team he had assembled, what assets and skills those individuals brought to the team, and the equipment and supplies they would need to give them a reasonable prospect of success. The weather turned inclement, and the team’s best ice-climber Tut Braithwaite laid the route for the five that eventually summited. It was a win for the whole team.

“Resilience is born in the preparation phase.”

Their ability to endure and withstand testing conditions wasn’t born from ignoring what they might face, adopting a devil-may-care attitude, and throwing caution to the wind. Their success rested on being completely honest about what they might face. They knew the risks, they prepared, and then they struck off. Resilience is born in the preparation phase.

Inherent risks

The starting point for any undertaking, whether it’s climbing Ben Nevis or operating in a digital landscape replete with bad actors poised to hold you to ransom or steal your commercially sensitive data, requires leaders that can fully appreciate the inherent risks associated with it. Leading requires optimism. But optimism is not blind faith; optimism is what is left after a realistic risk assessment.

Being prepared for the expected conditions, whilst also making plans to address and cope with changing circumstances should those conditions change or deteriorate, is material to withstanding and enduring shocks. This is resilience. We have been assessing risks and calculating our prospects for success since time immemorial. It should give us enormous confidence that none of this is new; we are simply applying what we have learned to a digital threat landscape that is becoming more dangerous for businesses of all sizes.

In order to prepare to meet the conditions, every mountain leader will keep an eye on credible sources to keep up to date with the latest weather report and mountain conditions. Every leader in business should be looking to credible, trusted, independent sources to cut through the noise.

Not only are independent sources like the National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) the best sources of information otherwise unavailable in the private sector, but relying on institutions offers a safe haven. In the unlikely event that the guidance or information turns out to be imprecise, relying on credible sources offers a shield, a mechanism for defensibility in the face of litigation.

From security to resilience

In recent years the cybersecurity sector has seen a shift in the language, moving away from the concept of security to resilience. There is good reason for this and broadly the sector welcomes this move.

In the past, we have all been guilty of over-simplifying our language to land a message to a broader audience. But this drive to simplify means that many non-technical stakeholders expect that a firm that has implemented sound cybersecurity measures will, in fact, be cyber secure. Of course, that is not the case, because it omits the painful truth: motivated actors can always find a way to breach even the most robust cyber security measures.

In the aftermath of an event, meaningful conversations are more challenging as non-technical stakeholders who have suffered losses struggle to understand how a business that had implemented sound security measures was simultaneously vulnerable to an attack and was not, as they believed, cyber-secure.

“The mountains are unforgiving of those who are ill-prepared and rely on excessive optimism as a strategy, as are businesses.”

Transparency

Discussing the concept of resilience up front rather than security is a more transparent way to describe what it is that businesses do. Putting resilience front and foremost as the overarching business imperative puts all stakeholders on notice of what it is that the leadership values. In this way, leaders set out their vision for the firm, not one of excessive optimism relying on the notion of security. Instead, it is a vision firmly rooted in reality and it acknowledges that conditions can change. It sets out the firm’s position, that it can withstand and endure the shocks because it has considered them and it is prepared.

Value preservation

Making progress – or to put it in corporate terms value creation – is one thing, but in today’s world, defending and protecting those gains is a necessary part of any business’ resilience discussion.

If we consider the legal obligation on directors ‘to promote the success of the company’ then it is clear that value preservation becomes elevated to a corporate imperative. A company cannot succeed if it cannot endure conditions that it ought reasonably to have prepared for.

This is a case for preparation, not pessimism

The mountains are unforgiving of those who are ill-prepared and rely on excessive optimism as a strategy, as are businesses. This is not a case for pessimism. This is a case for preparation, where resilience is born.
