{"id":2804,"date":"2014-11-03T20:45:46","date_gmt":"2014-11-03T20:45:46","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2804"},"modified":"2025-07-21T09:25:09","modified_gmt":"2025-07-21T13:25:09","slug":"resiliency-the-new-cyber-in-washington-security-needs-to-be-bottom-up","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/resiliency-the-new-cyber-in-washington-security-needs-to-be-bottom-up\/2804\/","title":{"rendered":"Resiliency, the New Cyber in Washington: Security Needs to be Bottom Up"},"content":{"rendered":"<p>WASHINGTON D.C. \u2013 If you had asked me about \u201c<a href=\"https:\/\/business.kaspersky.com\/businesses-should-strive-to-be-cyber-resilient\/2587\" target=\"_blank\" rel=\"noopener nofollow\">cyber-resiliency<\/a>\u201d six months ago, I would have asked you if resiliency was even a word. Today, resiliency is the latest buzzword in a town and industry that lives for buzzwords, born of a military tradition that emphasizes the ability to remain operable while withstanding damage.<\/p>\n<p>I first encountered the idea at <a href=\"https:\/\/threatpost.com\/nsa-director-rogers-urges-cyber-resiliency\/108292\" target=\"_blank\" rel=\"noopener nofollow\">the Billington Cybersecurity Summit<\/a> in September; it was the topic of <a href=\"https:\/\/threatpost.com\/cyberattacks-most-imminent-threat-to-u-s-economy\/109039\" target=\"_blank\" rel=\"noopener nofollow\">a round-table discussion<\/a> consisting of high-ranking current and former military and NSA officials at the Department of Defense\u2019s Mark Center on Monday. 
After attending <a href=\"http:\/\/kasperskygovforum.com\/\" target=\"_blank\" rel=\"noopener nofollow\">the Kaspersky Government Cybersecurity Forum<\/a> on Tuesday, it\u2019s become clear that cyber-resiliency, as Kaspersky Government Security Solutions general manager and president Adam Firestone quite clearly stated, <a href=\"https:\/\/threatpost.com\/government-industry-focusing-on-issue-of-resiliency\/109048\" target=\"_blank\" rel=\"noopener nofollow\">is <em>the <\/em>future.<\/a><\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/11\/06020155\/Adam-Firestone-2.png\"><img decoding=\"async\" class=\"aligncenter wp-image-2805 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/11\/06020155\/Adam-Firestone-2.png\" alt=\"Adam Firestone\" width=\"1017\" height=\"1024\"><\/a><\/p>\n<p>A security luminary and cybersecurity coordinator for multiple presidential administrations, Howard Schmidt, explained that cyber resiliency is having a contingency plan, knowing how you\u2019ll respond and acting accordingly when bad things happen. However, resilience is not compliance, he said, and compliance is neither a means nor an end. It will not save us. Organizations should not be compliant and assume they are secure. 
They should be secure and compliant as a result, Schmidt said.<\/p>\n<p>It\u2019s one thing to parade military and government and private sector officials around and have them hit their talking points, saying we need our systems to be more resilient. We all know what resilience means. Technically speaking though, what does it take to be resilient on the network level?<\/p>\n<p>According to Firestone and a bevy of speakers at Tuesday\u2019s event, resilience is achieved by building security in, rather than bolting security on. Perhaps more plainly put, the woeful state of security in which we now live is a result of protection coming from the top down. Top-down security means that you fix something when it breaks. Or, if you\u2019re the lucky one, you put a new lock on your door after your neighbor\u2019s home is broken into.<\/p>\n<p>In other words, Firestone argued, current security practices are reactive and reactivity will never put an organization out ahead of the threats.<\/p>\n<p>This, of course, is a backward approach. Security needs to come from the bottom up. Developers need to think and practice secure coding. It\u2019s not just developers either, as Joel Brenner, the former head of U.S. counterintelligence under the Director of National Intelligence, noted in his afternoon keynote. Human resources, the general counsel, public relations, marketing, finance, executives, everyone in the company must understand its importance and collectively share in the burden of security together.<\/p>\n<p>As Karen S. 
Williams, the national director of the US Cyber Challenge, put it: CIOs need to be able to explain security to their C-Level colleagues.<\/p>\n<p>Everyone needs to think secure, somewhat paradoxically, while also understanding systems will be breached, because security is different from almost any other industry, in that failure is assumed.<\/p>\n<p>That\u2019s what bottom up means. However, these failures must be partial and not complete or systemic. Firestone explained that the idea of accepting losses to the nonessential while remaining in motion is not new. In fact, he said, it\u2019s merely an extrapolation of a 100-year-old principle known as \u201call or nothing.\u201d All or nothing is the idea behind a pair of World War One Pennsylvania-class battleships, which deployed the heaviest armor for the most critical parts of the ship and lighter armor to the parts of the ship that could afford to sustain damage.<\/p>\n<p>\u201cResilient systems must withstand both coordinated attacks from the outside and threats from the inside,\u201d Firestone said.<\/p>\n<p>Brenner took resilience to the specific level. Industrial control systems, he said, should be built to do one thing well. Cyber resilience means having the most robust back-up plan, not the most modern.<\/p>\n<p>\u201cConnecting the [electric] grid to the Internet may have brought efficiencies but it was foolhardy,\u201d Brenner said. 
\u201cResilience means having a broom and a dust pan when the fancy system goes down.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brian Donohue reflects on Kaspersky Government Cybersecurity Forum discussions about cyber-resiliency. We all know what resilience means. Technically speaking though, what does it take to be resilient on the network level?<\/p>\n","protected":false},"author":42,"featured_media":15883,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2213,2214,97],"class_list":{"0":"post-2804","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cyber-resiliency","10":"tag-kaspersky-government-cybersecurity-forum","11":"tag-security-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/resiliency-the-new-cyber-in-washington-security-needs-to-be-bottom-up\/2804\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/resiliency-the-new-cyber-in-washington-security-needs-to-be-bottom-up\/2804\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/resiliency-the-new-cyber-in-washington-security-needs-to-be-bottom-up\/2804\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cyber-resiliency\/","name":"cyber-resiliency"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2804"}],"version-history":[{"count":2,
"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2804\/revisions"}],"predecessor-version":[{"id":33367,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2804\/revisions\/33367"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15883"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}