Delivering Cyberresiliency for Mainframes
Cyberresilience is essential for operational and business continuity: it’s part and parcel of providing continuous protection for the business and maintaining a hardened security stance. How can you develop and deliver the right strategy to ensure this resilience, secure your mainframe systems and data from attack and other threats and, crucially, resume operations quickly and effectively after an attack or some other unplanned event that impacts your operations?
What Is Cyberresilience?
The US National Institute of Standards and Technology (NIST) has defined cyberresilience as “The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.”
Indeed, one line of thought holds that resilience ultimately comes from recovery (CSO Online). It’s as simple as that. We live in a complex, ever-changing and evolving world, where the very best defense may not be a guarantee against an attack. That’s why built-in cyberresilience is so important.
This is a serious business. I recently read that the UK’s Ministry of Defence is working with a specialist third-party provider to bolster its cyberresilience capabilities, including running cyberdrills and addressing its security talent gap using a specialist platform, simulator and software products.
The EU, meanwhile, is proposing a new EU Cyber Resilience Act (CRA), “the first horizontal regulation to introduce security requirements for connected devices and related services.” As part of its digital strategy, the European Commission explains the thinking behind the CRA: “Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion [in] 2021.”
Noting that cyberresilience is a discipline that extends beyond protecting against deliberate attacks, IBM describes it as a concept that “brings business continuity, information systems security and organizational resilience together … the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as cyberattacks, natural disasters or economic slumps.”
No two cyberresilience strategies are the same, just as no two organizations or workforces are the same. Creating your own tailored strategy (like the UK MOD) will typically draw on several existing operational disciplines, including business continuity (BC), disaster recovery (DR), incident response (IR), and cybersecurity planning. These elements already exist in most organizations but are often siloed. You need to bring them together. A successful approach to cyberresilience depends on understanding the interrelationships between these elements and how each one complements the functions of the others.
We’re seeing increasing demand from mainframe organizations that want help from experts to prepare for, protect against, detect, respond to and recover from cyber threats, internal or external, whether intended or accidental. We take a two-pronged approach: develop the right cyberresilience strategy for you, then build and execute (and regularly update) a robust cyberresilience plan based on that strategy. Here’s how you can get started.
Developing a Viable Cyberresilience Strategy
Achieving a viable cyberresilience strategy depends on the smooth collaboration of several preventative, detective and responsive plans. You may already have some, or perhaps even all, of these elements in place.
The strategy defines how and what you develop along with the priorities of your cyberresilience plan. Maintaining updated plans, which are clearly documented and regularly exercised, is achieved through a balanced program of activities. These typically include cybersecurity planning, BC/DR plans, IR plans, periodic business impact analysis (BIA) and risk analysis, regular testing, and stakeholder engagement. It’s vitally important to have buy-in and support from the senior leadership team for your cyberresilience strategy, not least because additional investments may be required.
That means part of the process is educating and updating your leaders on the threat landscape, based on the assumption that a breach will take place. This means explaining the risks and potential impacts of not having a strong strategy and plan, and quantifying the benefits wherever possible in pounds, dollars or euros. Cyberresilience can help to significantly reduce financial loss and reputational damage.
Build and Execute Your Cyberresilience Plan
Both your strategy and the resulting plan are based on identifying and understanding the key components that underpin cyberresilience. These components are then managed, maintained and improved in line with the strategy you have created. Each organization and its requirements will be different, requiring a flexible approach that includes:
- Gaining input from diverse stakeholders
- Identifying and documenting the most critical elements to the business
- Performing a risk analysis and risk rating of systems, applications and data (penetration testing and security assessments may form part of this)
- Building and implementing a bespoke cyberresilience plan in line with your cyberresilience strategy
- Selecting and deploying tools and processes that work for your specific environment
- Ensuring your plan aligns with or reflects wider cyber-related requirements such as GDPR and the Security of Network and Information Systems (NIS) Directive
- Documenting, testing, refining and updating your plans, and continuing to test and update them
Various tools are also available to support your cyberresilience plan; your choices will depend on which work best for your own set-up and requirements. Options include IBM Z Cyber Vault, Dell’s Data Protector for z Systems (zDP), as well as products from Maintegrity, Action Software, New Era, Vanguard, BMC and others.
When you have your plan, frameworks and tools are available to help you assess your arrangements. You can identify strengths and areas of weakness, gaining an assurance that you’re not simply maintaining minimum requirements for cyberresilience but also making informed decisions on updating and improving your stance—to achieve the heightened levels of cyberresilience you will undoubtedly need.