Security vs. resilience: Know the difference

If you really want to know the difference between security and resilience, pour yourself a cup of strong coffee and dig into the all-but-impenetrable PPD-21, Presidential Policy Directive—Critical Infrastructure Security and Resilience. Or just go to the U.S. Department of Homeland Security (DHS) website, which cuts to the chase with a few good examples of each:

Security measures

1. Badge entry at doors.
2. Using antivirus software.
3. Fencing around buildings.
4. Locking computer screens.

To which we would add:

• Network firewalls.

Resilience measures

1. Developing a business continuity plan.
2. Having a generator for backup power.
3. Using building materials that are more durable.

To which we would add:

• Acquiring and maintaining a complete understanding of how your digital networks work.

Scan these two lists, and you come to an inescapable conclusion: Security and resilience are not synonyms or even second cousins. In fact, security and resilience have remarkably little to do with one another. The measures under the “security” list are about locking up. Those under “resilience” are about standing up. Security is about hunkering down. Resilience is about doing business.

The DHS lists include analog measures and digital measures. Since it is the digital realm that constitutes the front and back doors of business today, let’s focus on digital security and digital resilience. Digital security tries to make your network bulletproof against attacks and breaches by securing its periphery, its many endpoints, and trying to see any malware coming in.

The trouble is, today’s attacks come from inside as well as outside, and no periphery compatible with doing business can be 100% bulletproof. With the clever techniques the bad guys have developed, people remain the weak link. Unlike digital security, digital resilience is not about firewalls and other peripheral issues. Digital security is not even an IT issue, a network security issue, a hardware security issue, or a software security issue.

Digital resilience is a business issue. Here’s what I mean.

Security won't stop all attacks

Digital resilience never makes the hopeful but false assumption that security will stop all attacks and breaches; therefore, resilience is about surviving inevitable attacks and penetrations, about continuing to do business even under attack, about discovering breaches and containing them, and about ultimately prevailing in spite of them. It’s about being prepared for the unexpected.

Resilience must involve the entire organization

Because resilience is a business issue, the endeavor to achieve and maintain resilience must involve the entire business, the whole organization, and not just IT, a security team, or a CSO. Creating and maintaining digital resilience requires cyber teams to work with executives and managers across the organization to prioritize all business data assets. The objective is to analyze the business value of data items as well as their accessibility to attack.

This two-factor analysis calls for both a strategic business assessment and a technical assessment. That is why it requires insight from the entire organization. Only when you have these insights in hand can you create a truly resilient strategy that provides differentiated protection for your most important data. Critically important assets call for close control of access as well as high levels of encryption. Less sensitive data assets can be made more widely and readily accessible.

Why not just lock down everything equally?

Defensive security overkill makes a business less efficient, less agile, and less responsive by indiscriminately restricting access, and it costs a lot of money. This slows a business way down, very often impeding service to customers. In contrast, because it is a business issue rather than a security issue, resilience is necessarily about enhancing, never diminishing, business. For instance, a recent article in The Irish News cites Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), who called most online login requirements “onerous and dumb.”

Forgotten passwords, SMS verification, requirements for full login for one-time transactions, and the like discourage customers and result in high rates of online shopping cart abandonment. Resilience strategies need to address all business processes, from product development to marketing and sales to human resources to the supply chain. Building a firewall around the perimeter of your network will not make your network resilient. Threats come from outside—often through connections you make—and from inside.

Networks matter

The fact is that your network is no more secure than the networks with which it connects. Back in 2013, the digital networks of Target were catastrophically breached because a vulnerability in the retailer’s supply chain went unrecognized. The insecurity of a B2B contractor’s digital network enabled the penetration of Target’s network. The result was credit card data theft that victimized 70 million customers and cost the company about $252 million.

Even closer to home than your supply chain are your own frontline employees. It is essential to involve top executives and boards of directors in integrating digital resilience throughout the enterprise, but it is no less important to recruit and educate all employees, at every level, to protect whatever data assets they handle. Nowhere is this more critical than with customer-facing personnel, who routinely handle—and potentially mishandle—sensitive customer data, including personally identifying information (PDI).

Lessons from the Maginot Line 

Like most other business issues, digital resilience is active rather than passive. In contrast to typical digital security measures, resilience is not some barrier you install and walk away from. Resilience is nothing like, say, the Maginot Line, which became cliché shorthand for naive reliance on any passive, head-in-the-sand security measure or policy. The Maginot Line was, in fact, a state-of-the-art, multitiered set of fortified defenses France built during the 1930s all along its eastern border, extending from Switzerland to Luxembourg and with a very sketchy extension all the way to the English Channel.

No sooner did the Germans invade France in 1940 by simply marching around the Maginot Line via Belgium, than people began citing it as a cautionary tale about the folly of wishful defensive thinking. No less an authority than Gen. George S. Patton Jr. scornfully reminded “pacifists” that the Maginot Line was easily breached at the start of World War II. He then went on to point out that, centuries earlier, “Troy fell … the walls of Hadrian succumbed … [and] the Great Wall of China was futile.” He concluded that, in war, “the only sure defense is offense, and the efficiency of offense depends on the warlike souls of those conducting it.”

The historical truth behind the Maginot Line is more complex than the rhetorical cliché that has been made of it. André Maginot, the French minister of war who proposed building the fortified line that was named after him, took pains to disclaim having any “dream of building a kind of Great Wall of France.” He explained that the fortifications would constitute a “powerful but flexible means of organizing defense, based on the dual principle of taking full advantage of the terrain and establishing a continuous line of fire everywhere.” In other words, the Maginot Line was intended to do nothing more than buy France time to set up a credible counterattack against invaders from the east. He never intended it as a hopeful defense substitute for an aggressive offense. He never intended France to substitute security for resilience. On the contrary, the Maginot Line was designed to increase national resilience by delaying invaders long enough to provide time to mount an effective counteroffensive.

Get secure to the core

It can be fatal to confuse security with resilience, but it is equally destructive to deny the real and urgent value of security by advocating exclusively for resilience. Doing business in our intensively connected civilization requires combining security and resilience—but doing so with the understanding that security is an indispensable adjunct to business, whereas resilience is both a core requirement and a core value of business.