Raising the resilience quotient

What leading companies are doing differently to keep operations running smoothly and securely as digital connections multiply

You can’t protect what you don’t see. You can’t fix it with half a team. You won’t improve if you can’t learn.

Good enough is not enough anymore. That much is clear from PwC’s Digital Trust Insights study into resilience strategies in over 3,500 firms globally. We’re in the midst of a mindset shift in what it takes to protect the business and rebound from cyber disruptions. Here’s how we know: Businesses where strategies are the most mature are also the most likely to have revamped resilience plans. And they’re not done. They’re aiming for these standards:

  • Real-time visibility into critical assets and processes
  • An enterprise-wide plan and response
  • Continuous redesign of business services and processes

Half of more than 3,500 business and IT leaders from around the world reported that increasingly commonplace business practices are “significantly raising vulnerability to cyberattacks.” Practices like these are driving businesses to update plans or revamp strategies for resilience entirely.

What are organizations doing to improve resilience? What’s the standard they should aim for? To find out, we surveyed the maturity of resilience strategies in three areas. We found a high resilience-quotient (high-RQ) group that scored in the top 25% across the three areas.

The high-RQ group is more likely to have revamped strategies in the face of new, “very significant” threats, 59% vs. 31% of the rest of the survey respondents. They are also more confident that they can manage emerging risks that test cyber resilience, 73% vs. 24% of the rest.

In essence, high-RQ group members have shifted their mindset away from the traditional—and myopic—disaster recovery/business continuity model to “resilience by design.” This more expansive approach involves gaining real-time views of higher-priority processes so that decision makers and responders can react to incidents in concert, with minimal harm to the business.

The 1-2-3 of building resilience

1. Having visibility into core processes, assets and dependencies in your organization

Without understanding how data assets and processes are connected to core business services and their interdependencies, an enterprise can’t know which systems or assets to isolate if a disruption occurs. The most striking difference between the high-RQ group and the rest is this: 91% of high-RQ companies maintain an accurate inventory of assets and refresh the list as needed, compared to only 47% of the rest.

Just creating this extensive inventory can yield important discoveries. For example, a company mapped what it thought were all 50 of its critical assets and systems in one area, and thought itself well-protected against cyber incidents. Yet when it used software to probe its networks, it uncovered secondary and tertiary connections that brought the number of critical systems to 450—a ninefold increase. By virtue of lying “hidden,” those 450 systems made the organization more vulnerable to disruption.

The inventory should encompass third-party relationships: an enterprise’s more sensitive connections may in fact be outside its walls. In one recent major customer data breach, hackers compromised a chat services vendor that was used by several retailers to manage customer service matters.

For large enterprises, IT assets run in the millions and connections in the hundreds of millions. But there are technologies now to map critical assets and processes in-depth. More than half of high-RQ entities have automated their inventory and mapping processes, compared to only 10% of the rest.

This first step to resilience is not easy. We learned from the May 2019 Digital Trust Insights, “Cyber trailblazers reframe security, driving business growth,” that IT professionals (even trailblazers) consider their capabilities least mature in the “Identify” function of the NIST Cybersecurity Framework, which is about pinpointing assets and processes that need protection.

Catch up to the high-RQ group:

  1. Develop a way to maintain an accurate inventory of assets that can be refreshed as circumstances change.

  2. Automate the inventory and mapping process for continuous and accurate visibility across the network and data end-points.

2. Defining and testing how much disruption your organization can tolerate (“impact tolerances”)

How much disruption can an organization withstand without crippling its ability to serve its customers?

To answer that question, it must first define its critical business services—a non-trivial task. It’s not surprising that 73% of the high-RQ group have identified their most important business services, while only 27% of the rest have done so.

Next, the organization must set limits on the duration and the cost it’s willing to bear—in short, its impact tolerances. About two-thirds of high-RQ respondents have set impact tolerances for critical business services, while only 24% of the rest of the survey respondents have done so.

The high-RQ group is also more likely to have translated impact tolerances into specific metrics. A ransomware victim cannot waste precious time determining its tolerance after an attack; it must use its pre-defined limits on the nature, severity, and length of disruption it can endure, in addition to other risk considerations, to help decide whether to pay the ransom.

More resilient enterprises also conduct tests of their ability to stay within the impact tolerances, starting with “tabletop” exercises built on devised scenarios and round-table discussion. Tabletop tests help teams rehearse vital communications during disruptions and discover gaps in governance and other processes. Some go beyond tabletop by mirroring systems in a simulated environment, testing dependencies and connections there.

And a final differentiator: Among the high-RQ group, 61% have mapped impact tolerances to business services, not just critical ones. Only 18% of the rest have done so. This is particularly important if disruptions result in paying contractual penalties to business partners.

Catch up to the high-RQ group:

  1. Identify your critical business services and set impact tolerances for downtimes.

  2. Translate the impact tolerances into specific metrics or outcomes.

  3. Test impact tolerances.

  4. Map impact tolerances to business services.

3. Building digital resilience by design: the next frontier

The “third leg” of the journey required for resilience is the most challenging. That may be why so few organizations—even among high-RQs—have completed it. Asked if their organization has implemented “digital resilience by design” across the enterprise, only 34% of high-RQs said “yes.” For the rest, that number drops to 14%.

What the third leg entails is three-fold:

  • Create an always-on, enterprise-wide perspective into performance of core assets and the IT dependencies. Once a company has done the hard job of mapping data assets and processes to business services for the first time, taking the extra step to pull everything together in an always-current view is worth the time saved in future updates, which can then be accomplished in minutes, instead of months.
  • Build a team that monitors the stream of information, makes sense of it, and then responds together. You may have to bring people together who have never collaborated on threat intelligence or orchestrated their restore-and-recover actions before. The exposures you face today cannot be adeptly managed without visibility and communication across all affected areas.
  • Use the platform and learn from disruptions to continuously redesign business services and supporting processes. What used to be hidden or hard to decipher will now be exposed. For example, do you really need to hold on to assets that increase your exposure but don’t add value to the business? What alternative recovery methods do you have to restore services if systems cannot be recovered? (Banks can send payments to alternate processors to protect customers during an outage, for example.) Or if your company is merging with another, expanding and complicating your network of vendors, risks, and processes, what changes do you need to make in security? Resilience by design means evolving with the business environment.

PwC has seen the evolution and the payoffs that come with using automation, analytics and visualization for an always-current view of critical business services and the related IT assets and processes. Adopting these technologies allows for continuous improvements in the organization’s resilience capability.

The next frontier for the high-RQ group: Resilience by design

Build a platform for a real-time view of prioritized processes so that decision makers and responders can react to incidents in concert, with minimal harm to the business and its customers.

What will it take for your organization to make the shift to resilience by design?

For Financial Services companies, already represented well in the high-RQ group, regulations may be the trigger. Top of mind for many is the Bank of England pilot stress testing on how disruptions can affect payments. Its focus on the ripple effects of cyber disruptions on customers is prompting plans for greater resilience.

Without a regulatory challenge or precipitating crisis, finding the motivation to embark on the resilience-by-design journey may be challenging. But hearing this question from the board or the CEO can create the momentum you need to get started: “Is our organization safe from a crippling, costly disruption or a headline-grabbing incident?”

Contact us

Sean Joyce

US Cybersecurity and Privacy Leader, PwC US

Joseph Nocera

Principal, Cybersecurity and Privacy, PwC US

Shawn Connors

Principal, Cybersecurity and Privacy, PwC US

Jay Cline

Privacy Leader, Principal, PwC US
