5 Resilience

[Resilience is]…the ability to continuously deliver the intended outcome despite adverse cyber events.

—Janis Stirna and Jelena Zdravkovic, authors of Cyber Resilience: Fundamentals for a Definition

That which does not kill us makes us stronger.

—Friedrich Nietzsche, German scholar and philosopher

Overview

In this chapter, I present the case for the best definition of resilience. I then describe the four tactics to deploy it: crisis planning, backup and restore operations, encryption, and incident response. Next, I explain that to run a mature resilience program, infosec teams have quite a bit of planning to do, which typically shows up in corporate business continuity and disaster recovery plans. Finally, I will explain how mature programs also practice their plans with the organization's senior leadership team.

What Is Resilience?

ASIS International coined the phrase “cyber resilience” as early as 2009, but what it was really describing turned out to be business continuity.[1] I will cover the difference between the two later in this chapter. In 2010, the Department of Homeland Security identified resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.”[2] The World Economic Forum formalized a cyber resilience definition in 2012: “…the ability of systems and organizations to withstand cyber events… .”[3] Since then, other thought leaders have refined it. U.S. President ...
