“The key thing is that security controls are there to help an organisation be resilient, but sometimes it is missed that cyber security sits under operational resilience,” said Ellery. “Ideally CISOs should be thinking how they can maintain operational resilience — one [option] is the technical.
“The second is having redundancy, so there might be options to have identity and access management in that they might be able to place some of that in their demilitarised zone with their provider – that gives optionality.”
They then have to work with their provider to set up that resiliency so that if their cloud services go down or they lose connectivity, they are not impacted, noted Ellery.
“They want services there, or they might have a cold standby so they might have VPNs [virtual private networks] that they are able to connect directly to services,” he said. “[Although] that costs a bit of money — to have them brought up all the time.
“They can spin up so that they can still have the staff and access resources that they need.”
The third option is people: doing the training and scenario testing.
“A good example of this is that vendor management teams are using external parties to help with scenarios and doing scenario role plays,” said Ellery. “Also, when events occur, doing post-incident review to learn from those.”
This helps to build a culture in which, if an incident happens, rather than being caught in a fight-or-flight response, cyber security teams go straight into problem solving: working as a team to try to figure it out, and escalating the problem straight away to the right people to ensure the broader programmes around enterprise risk management and operational resiliency at a business level are invoked.
For managed service providers working with cyber security leaders, ensuring a level of transparency and working together can build trust. That might be one of the areas incorporated into the account management and vendor management relationships that organisations have, in addition to reporting.
“One of the hardest things that CISOs struggle with is actually getting insights into whether the controls are actually in place or not,” added Ellery. “That sounds to be something that’s quite vulnerable for those organisations to actually enact, because it requires that transparency and maybe revealing when things aren’t perfect.”