The Psychology of Cyber Resilience — useful analogies for effective communication


In the last couple of years “cyber resilience” has become a buzz expression. While exploring my own understanding of what cyber resilience means and my frustration with the industry rehashing old concepts under a new name, I found myself surprised to find “resilience” to be much more relatable and easier to communicate as a concept to a wider set of stakeholders (compared to, let's say, “business continuity”).

Why is this the case?

“Resilience” as a term has been used in other disciplines such as human psychology for years, with definitions that many people have come across while addressing their own life challenges. The American Psychological Association (2014) defines resilience as “the process of adapting well in the face of adversity, trauma, tragedy, threats or even significant sources of stress”. While this definition is not ideal, I find it useful to draw parallels in discussions around cybersecurity resilience. Similarly to hardships in our life (loss of loved ones, illness etc.), cybersecurity incidents are part of our digital lives and every digital organisation’s life. Using this analogy, it becomes easier to articulate the goals of a cyber security resilience program, shifting the focus from avoiding security events to: 1) embracing the idea that such events will materialise and 2) developing the ability to adapt, recover, and flourish in the face of major cyber security incidents.

Other key psychological resilience principles can also come in handy when drawing a picture for your stakeholders and highlighting why components of your programme are important.

1. Knowledge Empowers

In the context of psychological resilience, individuals who possess knowledge about the nature of stressors, coping strategies, and resources available to them are more likely to navigate challenges effectively. Similarly, when it comes to building cybersecurity resilience, organisations that prioritise education and awareness empower their employees to recognise potential threats, understand the tactics employed by adversaries, and to make informed decisions when taking preventative or response actions to mitigate risks.

2. Solidarity in Defence

Human psychology recognises social support as a vital factor in enhancing resilience. Having a strong support system and a sense of belonging can provide individuals with emotional support, practical assistance, and a shared sense of purpose during challenging times.

Just as individuals draw strength from their social support networks during adversity, organisations that prioritise solidarity in defence build a resilient cybersecurity culture. Such a culture encourages open communication, knowledge sharing, and mutual assistance among employees, enabling them to respond effectively to cyber incidents and work together to prevent future breaches. By fostering a sense of unity, shared vision and shared responsibility, organisations strengthen their cyber resilience by leveraging the power of collaboration, similar to how psychological resilience is bolstered through social support.

3. Agility and Adaptation

Psychologically resilient individuals embrace change, remain flexible, and adjust their coping strategies as needed. Similarly, organisations with a strong cyber resilience posture exhibit agility and adaptability by continuously assessing their security measures, learning effectively from past incidents, and staying abreast of the evolving threat landscape. They cultivate a mindset that embraces change, enables quick response to emerging threats, and fosters a culture of continuous improvement. This is usually achieved by utilising a fail-fast, learn-fast approach, continuous monitoring of key cybersecurity parameters with immediate feedback loops (as opposed to point-in-time checks), and relying on automation and engineering effectiveness.

4. The Power of Communication

In human psychology, open and clear communication is essential for fostering resilience. It allows individuals to express their thoughts and emotions, seek support, and collaborate with others in problem-solving.

Similarly, in the context of cyber resilience, communication plays a pivotal role. By establishing clear communication channels, organisations facilitate the rapid dissemination of cybersecurity-related information, ensuring that employees are well-informed and equipped to respond to threats. This includes sharing threat intelligence, reporting suspicious activities, and collaborating on incident response efforts. Timely and transparent communication enhances situational awareness, facilitates a coordinated response, and fosters a collective understanding of the organisation’s cyber risk profile.

Moreover, effective communication extends beyond the organisation’s boundaries, involving external stakeholders such as partners, vendors, and customers. By establishing strong lines of communication with these entities, organisations can foster collaborative relationships, share best practices, and collectively address cybersecurity challenges.

5. A slip and not a slide

The “slip and not slide” concept refers to the idea that setbacks or failures are inevitable in life, but the goal is to prevent those setbacks from turning into a downward spiral.

It emphasises the need to leverage setbacks as opportunities for growth, apply lessons learned to prevent future incidents, and maintain a proactive and forward-thinking approach to ensure that minor slips do not result in catastrophic consequences. By adopting this mindset, organisations can strengthen their cyber resilience and maintain a strong defence against evolving threats, much like individuals who demonstrate psychological resilience by effectively navigating setbacks and avoiding a downward spiral.

Conclusion

Building cyber resilience is often perceived as a cyber security function, and cyber security teams are left alone to deal with it all. Using the parallels above, one could support the message that building cyber resilience means going beyond implementing technological solutions and recognising the importance of human factors. It is ultimately the organisational culture and approach to change that would play the most important role in such an endeavour.
