Cyber resilience: A business imperative CISOs must get right

To meet the requirements, most public companies take proactive measures to ensure they have systems in place to assess, evaluate, and respond to incidents.

“Unfortunately, in many cases, these processes are established outside of the operational resilience framework, and as a result, they are not integrated with the company’s crisis management program,” says Nolan, who recommends that organizations proactively engage with legal and regulatory frameworks and integrate them into their cyber resilience strategies. This approach can help minimize penalties and strengthen their overall cyber resilience posture.

DORA and the regulations issued by the SEC tend to create ripples across the world, according to Gartner’s Zhao.

“Regulatory changes in one jurisdiction often have cross-border implications, as multinational companies operating globally need to comply with multiple regulatory frameworks,” she says. “This has led to the need for organizations to harmonize their cyber resilience strategies across different markets, ensuring consistent security practices and compliance with various regulations.”

Regulations have also played a key role in raising awareness of the importance of cyber resilience. They encourage companies to assess their security posture as well as their board’s oversight and governance, according to Accenture Security’s Abend.

“However, we are witnessing a growing awareness among CEOs, the C-suite, and boards regarding these risks, driven not solely because of regulations but by genuine business concern,” she says.

But while regulations help, compliance alone does not necessarily mean resilience.

Organizations could “run the risk of falling into a false sense of security that their strong compliance posture equates to a strong security posture,” Bishop Fox’s Edgeworth says.

The importance of people

While many organizations invest in technical solutions for cyber resilience, they often overlook the importance of having the right people on board and fostering a culture of security awareness among them.

“The ability to rapidly find cyber talent at an affordable rate is creating vulnerabilities within the industry,” says CyberMaxx’s Shaha.

As such, security leaders must develop robust, diverse sourcing strategies to ensure evolving talent needs are met.

They should also invest in training programs that go beyond basic awareness of phishing emails and password security, Trustwave’s Daniels says. Training should instead “encompass a deeper understanding of cyber threats, the importance of data protection, and the role of everyone in maintaining cyber resilience,” he adds.

Exercises and crisis simulations help, too. “Companies should ensure that their exercises use a variety of scenarios to guarantee that response plans can handle unexpected events,” says GuidePoint’s Williams. “These black swan events can be handled with confidence if the planning process is kept relevant and up to date.”

Such exercises should be conducted regularly and should be difficult. “Only by conducting challenging exercises that push the limits of teams, policies, and procedures will an organization know where its limits are and where it needs to improve,” FS-ISAC’s Dicker says. “An incident should never be the first time you test your response plan.”
