Essential Cyber Resilience Frameworks — Review & Guide

It might be a tall order, but building and maintaining a cyber resilience framework is crucial to fending off cyberattacks. 

A cyber resilience framework helps organizations proactively address potential risks by identifying and prioritizing vulnerabilities and threats. This proactive approach allows for the implementation of preventive measures to mitigate the likelihood of successful attacks. 

Building a cyber resilience framework isn’t a one-time thing. It’s an ongoing process with system changes, and the introduction of new people, policies, procedures and hardware updates. 

So how do you build cyber resilience? We spoke with the National Institute of Standards and Technology (NIST), Canalys and cybersecurity vendors to get the nuts and bolts of cyber resilience. 

Ronald Ross, a fellow at NIST, said cyber resilience is crucial because IT has gotten “so good, so powerful — and it's so pervasive now.” 

“In fact, computers are in everything that we care about today, from pacemakers in your chest, to the power plants that control the electric grid and the water distribution systems,” he said. “Those computers are driven by software and firmware, and they have … to be reliable and resilient, which means they have to withstand a lot of different types of threats.

NIST's Ronald Ross

Sometimes systems can fail for a variety of reasons," Ross continued. "There could be software defects that cause the system to fail. There could be cyberattacks, but the fact that computers are being pushed into everything, we call that cyber physical systems convergence. And the best example I use is the automobile. You have more than 100 computers in your car, and they're controlling everything from the entertainment system to your critical safety systems, like your brakes. So we're extremely concerned about the fact that through cyber physical convergence, we are totally dependent on technology.” 

There must be some degree of trust in the technology in those systems because “they’re in everything that matters today,” Ross said. 

“The other big issue is … we're pretty much addicted to technology; it's everywhere and it's growing more complex by the day,” he said. “Every time you have a new application, new systems, new components that come online, that complexity of the systems continues to grow. That's a huge factor in trying to understand how to make these systems more resilient. The example I use is being able to take a punch. If you're a boxer, you don't go down for the count after one punch. A system can be attacked or there could be some anomaly that happens and the system doesn't go down completely. It can continue to operate even if it's in a degraded or debilitated state.” 

Complexity in the world of cyberattacks equates to more attack surface, Ross said. 

“In other words, the more complicated our systems are, the more applications and hardware, and software components we have, that gives the adversary a wider playing field to try to attack us and to cause damage,” he said. “And of course they can do a lot of things to us. They can shut down your system, which means you lose the capability completely. They can install malicious code, which means they can bring your system down at a time of their choosing, maybe through a coordinated cyberattack. We're very concerned about those things with our electric grid and other critical systems. They can also steal critical information, intellectual property.” 

System resilience is the overarching concept and cyber resilience is the part of system resilience dealing with cyber and computers, Ross said.

Channel Futures TV: ThreatLocker's Heather Hartland tells Channel Futures editorial director Craig Galbraith about the company's zero-threat approach, challenges from AI threats and how the company is working closely with MSPs to support their SMB customers.

“The reason it's so important is because we are so dependent on it and we can't survive without these systems,” he said. “They're so interwoven into our society; critical infrastructure — all 16 sectors. So that's why it's important. Because when these systems fail, it can be catastrophic.” 

According to NIST, cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources. Cyber resilience aims to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment. That’s an environment in which advanced persistent threat (APT) actors, competing entities and entities with similar resource needs contend for control or use of cyber resources. 

Matthew Ball, chief analyst at Canalys, said cyber resilience encompasses business continuity, and the ability of organizations to minimize the impact and recover quickly from cyberattacks. (Canalys and Channel Futures share a parent company, Informa.)

“This goes beyond reducing the risk of attacks by taking preventive measures and focuses on detection, response and recovery,” he said. “This is a critical area given the increasing operational and financial consequences of breaches, and helps organizations to shift planning from if to when attacks happen.” 

Canalys' Matthew Ball

The opportunity for partners is to expand their services capabilities, including managed detection and response (MDR), incident response planning, penetration testing and more around their technology offerings,” Ball said. 

“It is not a one-off engagement, but rather ongoing, continuous and proactive interaction,” he said. “A lot of partners are following the NIST Framework to increase cyber resilience within their customers.” 

Chris Morales, Netenrich’s CISO, said CIOs, CISOs and security professionals must continuously adapt to a constantly evolving threat landscape. Cyber resilience has emerged as an important concept that “we must understand and implement to safeguard our organizations effectively.” 

“As threats evolve and become more sophisticated, our resiliency strategies must evolve in tandem,” he said. “In short, cyber resiliency is dynamic — not 'set it and forget it.'” 

Jason Soroko, senior vice president of product at Sectigo, said as threats evolve, so must an organization's defenses, adapting to APTs, zero-day exploits, ransomware and supply chain attacks. Cyber resilience is crucial for business continuity, minimizing operational, financial and reputational damage, meeting regulatory requirements and maintaining customer trust. 

“Achieving cyber resiliency begins with a thorough risk assessment to identify and prioritize assets, threats, vulnerabilities and potential impacts,” he said. “Developing a comprehensive resiliency plan that includes strategies for prevention, detection, response and recovery is essential. Implementing a robust security architecture with layered defenses, and establishing a well-defined incident response plan with clear roles and responsibilities are critical steps. Continuous monitoring, including real-time systems and threat intelligence, helps detect and respond to incidents swiftly.” 

When building a cyber resilience framework, Netenrich’s Chris Morales said consider these key dos: 

And consider these don’ts: 

Agnidipta Sarkar, vice president of CISO advisory at ColorTokens, said to prevent breaches from becoming crises, practical cyber resilience requires meticulous planning, design and architecture to leverage existing investments and function before, during and after a breach, continuously improving over time. 

ColorTokens' Agnidipta Sarkar

Sarkar said at a minimum, entities must: 

NIST’s Ronald Ross said when you're in the business of computers and building trustworthy systems, “you’ve got to put your big boy pants on.” 

“It's not a pleasant picture,” he said. “It's difficult. It's challenging because we're dealing with complex hardware and software. We're dealing with trillions of lines of code and billions of devices, and they're all interconnected through 4G and 5G communications technology. So in some sense, the connectivity and just the enormity of the infrastructure and the attack surface, makes it a very challenging problem.” 

There’s also technical debt to deal with because these problems haven’t been addressed for the last 20 or 30 years, Ross said. 

Channel Futures TV: Sophos' Scott Barlow talks to Channel Futures editorial director Craig Galbraith about updates in the company's MSP business, Sophos Partner Care and key findings from the company's 2024 Threat Report.

“We're now living with the infrastructure that we built, so in some sense, we're trying to do the best we can to hold on and do what we can, and make the systems as resilient as they can be,” he said. “But yet we have to have that vision down the road to make sure that as we evolve to the next generation of components and systems, and system of systems, that we can have a better sense of how trustworthy they are. And this gets to a concept called assurance.

"There’s capability of systems," Ross continued. "Those are the functions that the system can perform, whether it's a weapon system putting steel on target or a satellite delivering communications — those are functions. The question is how were those components built? And what kind of secure coding techniques or systems development techniques [were used]? What kind of techniques were used to ensure that we have the assurance, the confidence that those systems are going to perform and do what they're supposed to do when they're supposed to do it? That's a heavy investment. It takes a lot of discipline and work to achieve that.”

Sectigo’s Soroko said measuring cyber resilience involves tracking mean time to detect (MTTD) and mean time to respond (MTTR) to incidents, setting recovery point objectives (RPO) and recovery time objectives (RTO), and analyzing the impact of incidents on business operations. 

Sectigo's Jason Soroko

“Compliance metrics and employee awareness levels should also be assessed regularly,” he said. “Maintaining cyber resiliency is an ongoing process, requiring continuous improvement and adaptation to stay ahead of the evolving threat landscape."

ColorTokens’ Sarkar said measuring cyber resilience has been made into a science by papers published by MITRE and NIST. 

“Cyber resilience is usually measured through the comparison of anticipated outcomes against actual results and encompasses four fundamental components,” he said. “The technology component is assessed based on the appropriateness of the technology in promptly recovering affected digital assets with precise information required for recovery, ensuring consistency and prioritization. The communication component is evaluated in terms of the efficacy of internal and external communications. The coordination component ascertains the successful collaboration of financial, legal and operational entities with suppliers and their readiness, backed by proper authorization from the board, to implement emergency measures. Lastly, the operational component verifies whether all digital operations effectively upheld the planned support for business functions.” 

Guy Rosenthal, vice president of product at DoControl, said maintaining cyber resiliency is indeed an ongoing process. 

Channel Futures TV: Check Point Software Technologies' Dave Meister describes to Channel Futures editorial director Craig Galbraith the latest email security threats and offers updates to the security provider's channel programs.

“Threats evolve, new vulnerabilities emerge and business environments change,” he said. “Organizations need to continuously assess, adapt and improve their cybersecurity measures to stay resilient in the face of these changes.” 

The importance of cyber resilience can't be overstated, Rosenthal said. As threats become more sophisticated and frequent, organizations need to be able to not just prevent attacks, but also continue operating effectively when attacks do occur.  It's about maintaining business continuity and protecting critical assets in the face of cyber threats. 

Netenrich’s Morales said the threat landscape, technology and your own organization are constantly changing, requiring continuous adaptation in terms of resiliency. Here are some key aspects of adapting to maintain resilience:

Netenrich's Chris Morales

“Remember, cyber resiliency is not just about technology — it’s about people, processes and continuous improvement,” Morales said. “By focusing on these areas and maintaining a proactive stance, we can build truly resilient organizations in the face of evolving cyber threats.” 

NIST’s Ross said when building cyber resilience, “don't become overwhelmed, take it one step at a time.” 

“Try to break the problem down into bite-size components,” he said. “Phase one, cyber hygiene, getting organized. Going to phase two, maybe zero trust is an architecture you can consider after you've done some of the basics, and then moving on to the things we talk about in NIST Special Publication 800-160 Volume 2.

"It's definitely an evolution," Ross added. "You build on layers of goodness and foundations. There's nobody that can start at layer five and say, 'I'm going to jump right to cyber resilience.' It's not going to happen because the adversaries will always compromise your system at the lowest possible level in the stack. If you've got good security in your applications, they're going to try to bore into the operating system, come in through the network. If you've got an operating system that is trusted, they may come in and try to compromise the firmware or even get into the supply chain and compromise the supply chain, the development process of components and systems.” 

There's always a way the adversary can get in, and it’s like “you're looking 24/7, 360 degrees around the turret, so to speak,” Ross said. 

“I don't think you can ever lose sight of starting with the basics and building on the basics,” he said. “It's just like a football coach. The first thing you do in summer training is two weeks of working on blocking and tackling. You don't talk about fancy plays, the things that come in later. Once the team has the fundamentals down, they can block and tackle, then you move on to defining all your clever plays and all that. It's the same way with the systems.”