π₯ Heard about the Cyber Resilience Chasm? π₯
π Let me explain: as security organizations gain more access to resources, they equally grow in maturity.
β Normally, a security organization's maturity would be reflected in its ambitions and achievements. These would be demonstrated by tailoring efforts towards achieving compliance and cyber security goals. The level of achievement heavily hinges on the organization's bias: security-driven or compliance-driven ...in rare cases, there is a nice balance.
β Now comes the main point -> cyber resilience is often left out of this bias due to some misconceptions. While some security organizations wrongfully assume Cyber resilience is automatically fulfilled via cyber security (think inheritance ), other security organizations continuously shift forward the time to consider cyber resilience. It is commonly thought that cyber resilience is an option to be ONLY considered when the security organization achieves a certain security maturity point - X.
π₯ Huge misconception right there: security maturity point X never comes or arrives too late, often via a much more costly process (e.g. as part of a post-breach effort). In the meantime, attackers continually evolve and breach the organizations' defenses successfully.
β Importantly, every security organization has a single objective π KEEP THE BUSINESS SAFE FROM MALICIOUS ACTORS. Compliance, cyber security, and cyber resilience are means to achieve this objective. Hence, security resources would need to be balanced across this means to achieve the security objective. Determining when to start with cyber resilience is agreeably challenging, but the decision needs to be made, primarily due to the inevitability of cyber attacks.