Mitigating Evolving Cyber Threats: Building Resilience Through Preparedness and Continuous Management

Evolving cyber threats have become a top business risk for U.S. executives, demanding active oversight from both management and boards of directors. Companies can be held liable when customer data is hacked, even if they were the victim of a crime, due to their responsibility to secure the information. Board members and executives are increasingly being held accountable for cyber attacks and data privacy abuses. Boards recognize cybersecurity as a business risk, not just a technology risk. Relying solely on cyber protection is insufficient because new threats and vulnerabilities constantly emerge. Instead, organizations must focus on building cyber resilience, ensuring they have robust plans to respond and recover quickly to continue operating even in the face of a cyber attack. This resilience is achieved through a combination of preparedness and continuous management.

Preparedness: Laying the Foundation Before the Storm

Preparedness involves establishing the necessary capabilities and plans before an incident occurs to minimize its impact and enable a swift recovery. Key aspects highlighted in the sources include:

• Understanding Risks and Assets: Boards and management need to understand the specific cyber risks the organization faces and their potential impact on business functions. A critical early step is for the board and senior leadership to agree on the organization's most valuable data and assets, often referred to as "crown jewels," that require the highest level of protection. Risk assessments help identify threats, vulnerabilities, and consequences.
• Developing Incident Response and Recovery Plans: Organizations must have a comprehensive, written plan for responding to and recovering from cyber incidents, formally approved by senior leadership. These plans should clearly define roles and responsibilities for all key internal and external stakeholders. Having pre-prepared communication templates for external stakeholders, like the media, is also a crucial part of this planning. Incident response plans should be easily accessible, even during an outage, and include business continuity measures.
• Testing and Rehearsing Plans: Regularly testing incident response capabilities through attack simulations, tabletop exercises (TTX), or wargaming is crucial for building muscle memory and identifying gaps. These exercises should ideally involve both management and board representatives. Results of simulations should be used to correct weaknesses.
• Building Necessary Capabilities: Preparedness requires investment in capabilities such as event monitoring, technical redundancy, and disaster recovery solutions. It also includes having third-party technical resources or firms identified in advance to assist with investigations. Ensuring the company is adequately insured and understanding the conditions of coverage is also important.
• Training and Awareness: Educating staff at all levels about cybersecurity is fundamental. This includes training employees on how to report suspicious events. Developing employees' skills to handle potential organizational vulnerabilities is also important for assessing organizational risk. Building a culture of security, where reporting is encouraged and valued, is key.
• Engaging Stakeholders and Translating Risk: Effectively communicating cyber risks to the board and senior leaders is vital. This communication should translate technical risks into a business context, using the language of business risk rather than purely technical terms. Building trust with leadership takes time and transparency, even about organizational weaknesses. Boards may also benefit from engaging with cybersecurity subject matter experts. Storytelling and using scenarios or personas can help make the risks real and relatable to leadership.
• Collaboration: Sharing information and collaborating with peers in the industry and across different sectors, as well as government agencies like CISA and law enforcement, can enhance preparedness. Leaders are interested in how the security team collaborates within the ecosystem.

Continuous Management: Adapting to the Dynamic Landscape

The "management" part of cyber risk management is all-important because the IT environment and the threat landscape are dynamic and constantly changing. Continuous management ensures that the organization's security posture and resilience capabilities evolve alongside these changes. This involves:

• Ongoing Monitoring and Assessment: Active management of cyber risk is not a "set and forget" activity; it requires continuous monitoring of assets and security controls. Maintaining a high-fidelity inventory of all assets (including IT, OT, hardware, software, data, people, physical locations, and financial capital), understanding their configuration, desired state, and the complex web of dependencies between them, is foundational for effective monitoring. Automated processes are often necessary to keep pace with the constant changes ("drift") in the IT environment. Continuous monitoring and management protects assets from being vulnerable in the first place.
• Adapting Strategy and Plans: Because cyber risk is dynamic, strategies and plans must be living documents that are regularly reviewed and updated. Lessons learned from exercises and real incidents should lead to updates in policies and procedures. Organizations must continually improve capabilities as threats evolve in scope and sophistication. The board should confirm that the organization can evolve as cyberattacks do.
• Threat-Informed Defense: Leveraging cyber threat intelligence helps organizations understand the specific threats targeting them and prioritize security measures and remediations accordingly. This threat-centric approach, often combined with an asset-centric view, allows for focusing resources on the most impactful risks. Changes in the threat landscape significantly impact the probability of suffering a cyber incident.
• Metrics and Reporting: Using metrics and analytics to measure performance and risk posture over time provides valuable trending data that helps boards and management understand what is working and where resources are needed. Boards need information about the business impact of cyber risks. Qualitative assessments made by knowledgeable cybersecurity leaders about the biggest risks are also important. A balanced scorecard approach combining qualitative and quantitative indicators can provide directors with easily understood information to spark deeper conversations. Metrics should be used to quantify risks, elevate discussions in dollar terms, and connect back to the business mission and functions.
• Maintaining Skills and Knowledge: Given the rapid evolution of cyber issues, directors and staff need ongoing education to stay current. Organizations should regularly assess future talent needs and develop strategies, potentially including non-traditional talent recruitment and on-the-job training, to attract and retain skilled cybersecurity professionals who can translate technical information into business terms.
• Navigating the Regulatory Environment: Staying informed about evolving regulations is a continuous challenge for executives. New regulations increasingly require organizations to fully embrace cyber risk management and incident reporting.

Building Cyber Resilience: The Synergy

By combining robust preparedness measures with diligent continuous management, organizations can move beyond simply trying to protect against every possible threat and instead build a resilient posture. This integrated approach prepares them for inevitable incidents and allows them to effectively manage risks as they evolve. Cyber risk management centers on the active management of business risk; if you're largely "setting and forgetting" your cybersecurity posture, you're not managing it. The board plays a crucial role in this by providing oversight, challenging management, ensuring plans are tested and effective, and confirming the organization can evolve with the threats. This focus on both planning/readiness and active, continuous oversight and adaptation is key to mitigating evolving cyber threats and ensuring long-term business continuity and success.