As companies embrace an Agile framework and introduce DevOps to their organizations, writing and releasing code has never happened faster. But the emphasis on business continuity and disaster recovery is often removed from a company's security efforts.
That's where a new term -- cyber resilience -- is beginning to take root. Cyber resilience is an attempt to knock down silos between the operations department and the CISO or CIO's office, injecting cybersecurity into the development process, according to Lev Lesokhin, executive president of strategy and analytics at CAST, a New York City software company that specializes in custom software analytics.
SearchCIO caught up with Lesokhin at the MIT Sloan CIO Symposium in Cambridge, Mass., where he talked about what cyber resilience is and where CIOs might encounter hurdles when building a cyber-resilient organization. Below are excerpts from the interview; to listen to the interview in its entirety, click on the player button.
What is cyber resilience?
Lev Lesokhin: Cyber resilience is a concept that is similar to cybersecurity. I think it's kind of grown out of the cybersecurity realm, but it's broader. It encompasses not just security, but the stability, the integrity and the availability of the environment that you're developing or that you're bringing to your customers.
Traditionally, the security concerns have been siloed to the CISO's office. And the disaster recovery and business continuity concerns have been siloed to the operations team, which is a different team. The CISO typically sits separate from the operations team and separate from the development team. The CISO and the [quality assurance] organization oversee development, and it's been a piecemeal approach to making sure that what you deliver is actually stable, it's robust, it's resilient and it's secure.
The concept of cyber resilience is to bring all of that together and to shift it forward in the development process.
What are some of the first steps CIOs or CISOs can take to build a cyber-resilient organization?
Lesokhin: It's important for the CIO to enable the CISO's organization to penetrate the development organization, and to, what we call, 'shift that concern left' -- meaning upstream -- in the development process to enable the development teams to be better educated about security and resilience concerns, and to also have processes and tools and techniques for introducing cyber-resilience concerns into what they deliver for the business.
What are the hurdles CIOs will likely run into when trying to 'shift left?'
Lesokhin: In some ways it's not that difficult. It's something that IT organizations and development organizations are trying to do all the time. But one of the biggest obstacles to shifting left is the need for speed. There's an old expression in our language: 'Haste makes waste.' When you're up against the business, which is constantly being pushed to deliver capabilities more quickly to the market, shifting cyber-resilience concerns left sometimes may slow some of that down in the immediate term.
You may actually need to do a little bit more work upfront to make sure that you engineer what you're developing, what you're delivering, in a more resilient, robust way. But in the longer term, doing that actually helps you speed up the agility of your organization and how quickly you deliver things in the longer term.
Are CIOs the de facto leader of cyber resilience?
Lesokhin: The business sort of expects a level of resilience, but it's not something that's fun or glamorous to work on. And it's easy to compartmentalize that responsibility and say, 'This is our resilience czar, and it's their responsibility.' But I truly believe this is the responsibility of not just the CIO, but to some extent the business leadership and the board as well. Everything is relying on software and our information technology, and the tradeoffs that are being made between just getting something out there as quick as possible versus building a resilient platform, a resilient organization and resilient software, are tradeoffs that have to be made at the very top level.
How engaged is the business side in cyber resilience?
Lesokhin: A lot of organizations that are highly dependent on technology are starting to see cyber resilience as an issue at the board level. There's a lot of regulatory pressure these days driving that awareness. For example, New York state just issued its cybersecurity regulation in March, and compliance deadlines start in September and then in March of next year. It's [happening] very fast, and any organization in financial services or insurance that does business in New York state has to comply.
One of the first things the regulation stipulates is that you have to have a CISO. … If you're a CIO in an organization that doesn't have that yet, and you believe this is an important issue for your business, there's a lot of evidence that you can collect from other companies [or] from the media to present to your CEO and to your board to explain that this is something they need to take up -- just from a governance standpoint for the health of the business.