Page 52 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
That’s the concept of cyber resilience - broadly speaking, your organization’s ability to withstand, or quickly
recover from, cyber events that disrupt normal business operations. It has been discussed for several years
now, as the likelihood and impact of cyberattacks have increased.
Back in 2009, Carnegie Mellon University’s Software Engineering Institute (SEI) announced its CERT®
Resilience Management Model (CERT®-RMM) version 1 as the foundation for a process-improvement
approach to operational resilience management. CERT®-RMM is a maturity model that organizations can
use to manage and improve their operational resilience.
The Department of Homeland Security (DHS) derived its Cyber Resilience Review (CRR) from CERT®-RMM.
The CRR assesses an organization’s practices across ten resilience domains and maps the results to the
National Institute of Standards and Technology (NIST) Cybersecurity Framework.
In February 2014, alongside the release of the NIST Cybersecurity Framework, the DHS launched the Critical
Infrastructure Cyber Community (C³) Voluntary Program to help organizations use the Framework to improve
their cyber resilience. This included guidance on how to use the Framework in key industries: chemicals,
critical manufacturing, dams, emergency services, healthcare, nuclear, transportation and water, to name
just a few.
One of the problems with the US government’s approach to cyber resilience is that C³ is voluntary. That’s
a concern. According to The State of Industrial Cybersecurity 2017 report by Kaspersky, over half of the
sampled organizations had experienced one or more incidents on their industrial control systems (ICS) in
the previous year. Targeted attacks were the second biggest actual threat to industrial systems and had
caused incidents in over a third of companies.
So, even as aggressive state actors increasingly view ICS as a target, there remains (beyond sector-specific
regimes such as the mandatory NERC CIP standards for the bulk electric system) no general legally binding
mechanism to force companies to build resilience into their systems and so protect society.
In 2011, the Partnering for Cyber Resilience report from the World Economic Forum (WEF) recognized
the importance of cyber resilience and called for a global response from both businesses and
governments, for two reasons. Firstly, to avoid the catastrophic failure threatened by an ‘all or nothing’
approach to cyber risk (e.g. treating the prevention of network penetration as the only plan). Secondly,
because it argued that the conversation needed to go beyond technology and data security.
Whereas cybersecurity is often viewed as binary - i.e. you are either secure or you aren’t - cyber
resilience is not binary. Cyber resilience requires a more strategic, longer-term approach. It is really about
risk management, and there is no single point at which it begins or ends: cyber resilience can always
improve, and it degrades if neglected.
Instead, cyber resilience comes from building a strategy and ensuring that the risk-transfer
mechanisms that work for more traditional threats are also brought to bear on new cyber threats.
Achieving this requires a concerted effort to develop the skills needed to build cyber resilience
into everything an organization does. Certification is part of that.
In 2015, AXELOS, a joint venture company partly owned by the UK government, announced that it was
launching a cyber resilience certification scheme called RESILIA®. RESILIA® helps professionals
understand how their decisions affect cyber resilience and how to make good cyber resilience an efficient
part of business and operational management.