by Dave Cohen
An engaged workforce is undoubtedly the strongest layer in a cyber defence strategy. In the battle of usability vs security, usability will always win, unless the individual ‘why’ is connected to the organisational ‘why’.
We are faced with a problem: the technical team of an organisation often communicates best with other technical people or machines. Non-technical people, for reasons of time, patience, or inclination, might not seek to understand complex, militarised jargon such as ‘threat actor’, ‘attack surface’, ‘threat vector’, ‘data breach’, and so forth. Consequently, our trusted insiders sometimes try to bypass security controls out of a simple lack of understanding, or because they see those controls as pointless or obsolete. Most of the workforce is merely trying to be productive, unknowingly creating vulnerabilities in the organisation’s IT (Information Technology) and OT (Operational Technology) infrastructure. These vulnerabilities could potentially halt operations temporarily or even shut them down permanently.
Organisations typically invest valuable resources in technical controls that aren’t always accepted, understood, or adopted by the wider workforce. These controls aim to deter actions that might harm the organisation, yet they’re not always the most effective path to an improved cyber maturity plan. Despite substantial investments in technology solutions like SIEM (Security Information & Event Management) for early threat detection and a SOC (Security Operations Centre) for real-time monitoring of cybersecurity events, the entire security infrastructure can be undermined by a single fragile link: a careless act, such as an administrator leaving their written password in plain sight on their desk, open to misuse and exploitation.
The concept of Presilience® was first coined by Dr Gavriel Schneider after several years of post-graduate research into the psychology of risk, along with his own post-doctoral studies. Presilience® is a portmanteau of Proactive Resilience, with the main emphasis being on a shift away from reactive compliance and recovery, and into the fully actualised state of Presilience®.
The ground-breaking concept called Cyber Presilience® takes a human-centric approach to cybersecurity. By integrating people, processes, and technology, Cyber Presilience® aims to build a robust cybersecurity defence strategy tailored to each organisation’s unique needs.
A presilient cybersecurity defence strategy will look different from one organisation to another, depending on industry type, organisational vision, the organisation’s size, maturity, risk appetite, and other factors. The aim is to do most of the heavy lifting upfront, allocating fewer resources to a well-planned incident response plan during an event. We should prepare for the worst while hoping for the best of all possible worlds; our primary goal is to reduce the likelihood of a successful breach and minimise its impact if it does occur.
A balanced integration of people, process, and technology is vital to an effective cyber presilient approach. ‘Balanced’ does not imply equal distribution, but rather distribution in the way most suitable for the specific organisation. The adage ‘Cybersecurity is a team sport’ has been frequently quoted. It’s a great concept, but the question is, do all team members understand the rules of the game? Not only the rules, but also their roles within the team and when they should be active or passive?
Establishing a cybersecurity culture requires more than just workshops, phishing campaigns, or news about cyber breaches. Non-technical people need to understand why cybersecurity matters, even when they’re far away from a hostile environment. They should realise that as a part of the organisation, they are responsible for maintaining its cybersecurity, whether they’re in the office or at home. This is often known as the ‘butterfly effect’ – even small actions can have big impacts on a massive organisation.
The “How”
The process involves engaging the workforce. It may involve education, upskilling, or reskilling to gain formal qualifications or certifications. It may be achieved through culture change programs, continuous awareness education, and the creation and constant revision of cybersecurity policies and procedures. Acceptance and comprehension of these policies are important; they should be seen as opportunities to build a safer cyber culture across the organisation, not as burdensome compliance tasks.
Finally, once we have an organisation that supports and adopts a cyber culture with appropriate policies and procedures, technology is implemented to automate tasks, protect assets, and increase efficiency.
In conclusion, there is a clear interdependence between people, process, and technology in creating a robust, layered cybersecurity defence strategy. A cybersecurity approach that aligns these elements can lead to a secure and presilient organisational environment.