The Top Seven Resilience Management Challenges Companies Face Today

Resilience is the ability to recover quickly from a crisis and bounce back even better. But as crises increase in kind, cost, and intensity, resilience management, the process of integrating all of an organization’s protective activities, becomes more important than ever. What are the top resilience management challenges companies face today? This article lays them out.

Top resilience management challenges

1. Cyber crime

Surprising no one, cyber crime rates as one of the top resilience management challenges. And that’s thanks in large part to the shift to hybrid working, which has increased security vulnerabilities in networks and applications.

Ransomware, in particular, continues to be a keen threat, with the potential to cripple operations.

Worse still, ransomware attacks are only getting more sophisticated. Criminals are increasingly turning to Ransomware-as-a-Service and doubling down on distributed denial-of-service (DDoS) attacks to extract higher payments.

Not just private actors, either. Cyberattacks are also being conducted by state actors, perpetrating these operations to achieve geopolitical objectives.

2. Cyber compliance

Of course, this precipitous rise in cybercrime, particularly attacks on critical assets, has provoked a backlash. In consequence, regulatory regimes are expanding, roping in ever more organizations.

Now, if forecasts bear out, we’re likely to soon see two thirds of the world’s population covered by data privacy regulations. That will surely tax the resilience management capabilities of firms further.

By how much, though?

Well, this year alone saw five U.S. states roll out comprehensive consumer privacy laws.

For their part, national regulators like the Securities and Exchange Commission (SEC) are increasingly proposing new disclosure requirements on their regulated entities, as well.

3. Operational resilience compliance

Meanwhile, we’re also witnessing a related uptick in operational resilience regulations, specifically in the financial services sector.

Where a few years ago, the Bank of England (BoE) stood out as one of the only major regulators to mandate operational resilience standards, now its regulatory path has been taken up by the following national and supranational regulators:

  • In Australia. The Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 230, focusing on operational risk management.
  • In the U.S. The U.S. Federal Reserve released a joint regulatory paper on Sound Practices to Strengthen Operational Resilience.
  • In the EU. The Digital Operational Resilience Act (DORA) seeks to align the approach to managing ICT and cyber risk in the financial sector across all EU member states.

What does it all mean? This new compliance environment, a keen resilience management challenge, represents a shift in how regulators and policymakers think organizations should be addressing the threat of disruption.

These organizations should now assume that disruption is inevitable and prepare accordingly.

4. Overstretched cybersecurity personnel

Of course, some of these compliance requirements will be simple to adhere to, e.g., disclosing policies and procedures to identify and manage cybersecurity risks. Others, such as the timely reporting of material cybersecurity incidents and follow-up reporting, are likely to be more onerous.

Which brings us to another resilience management challenge – a lack of manpower and capability among overstretched cybersecurity personnel.

Exacerbating the issue is the sharp rise in cyber-attacks. More cyber-attacks mean even more data alerts for security personnel to triage.

Indeed, more than half (56 per cent) of large companies handle at least 1,000 alerts per day, according to industry data.

However, the data in the alerts is often considered too granular to be actionable. Coming from noisy sources, the data is often wrong or misleading.

This alert fatigue is also complicating recruitment and retention of security personnel.

Employees, particularly Security Operations Center (SOC) staffers, acknowledge not wanting the thankless task of wading through innumerable data alerts, many of which turn out to be red herrings.

5. Security leaders out of the loop

Not just low-level staffers, but also security leaders tasked with running security operations are facing resilience management challenges of their own. They are being left out of the loop of corporate decision making.

What’s going on?

According to survey data from the Ponemon Institute, only seven per cent of security leaders report directly to the CEO. That’s even with three in five respondents saying that they should report directly to the top to increase awareness of security issues throughout the organization.

As a result, nearly two in three security leaders cite insufficient budget to invest in the right technologies. More than half of polled security leaders believe they lack executive support.

CEOs, intentionally or not, don’t see their security deputies as stewards of overarching business goals. They often consider the security program itself as an administrative burden rather than a value-adding function.     

6. Physical security threats

The varying permutations of the cybersecurity (personnel) challenge are likely to have already been on everyone’s radar of resilience management challenges. Less likely, though, is the reality that cyber threats exacerbate human threats.

Corporate security budgets, slashed at the beginning of the pandemic, have yet to rebound. Meanwhile, the threat of recession is likely to exert downward pressure on budgets.     

Commercial building security funding has also atrophied with less demand for tenancy.

Corporate security, as such, is expected to perform its function with fewer resources, even though fewer workers in offices only increase the relative level of risk to the lone workers left behind.

7. Natural disasters

Those same physical assets and facilities will remain at risk from natural disasters, as well, another resilience management challenge.

The year 2021, for instance, saw 47 billion-dollar weather disasters, making it the third costliest year on record.

Before that, data from the world’s largest insurance broker identified 2017 and 2018 as the costliest back-to-back years for weather disasters on record. That’s with over USD 200 billion in economic loss directly attributed to damage caused by natural disasters and extreme weather events. Half of those losses were uninsured.

Indeed, the World Economic Forum and other risk advisories have consistently named extreme weather as one of the biggest global risks, followed by concerns over climate change.  

Integrated software to address resilience management challenges

What then can be done to address these resilience management challenges?

Given that they cross narrow solution-area boundaries, only integrated resilience management software is likely to help by covering all aspects of resilience, including incident and crisis management, situational awareness, business continuity, risk and compliance, security operations, and threat intelligence.

Why integrated, though? Integrated resilience management technology ensures that all necessary capabilities, e.g., resilience data, reporting and analysis, and workflows, are in one place – consolidated and available across the incident’s lifecycle.

Besides eliminating information silos, this level of integration provides a consistent user experience, too. Practitioners manage any type of event with familiar tools and workflows.

And not just any type, but any scale, as well – from routine to crisis, with the cumulative effect being the lowering of total cost of ownership (TCO).

Finally, resilience management is back on the corporate radar. But resilience management challenges, as this article has argued, have only accumulated.

Addressing these challenges to mitigate the disruption threat will take serious resilience management software, such as Noggin Resilience, which seamlessly unifies operational risk management, business continuity, operational resilience, incident and crisis management, and security and safety operations.

But don’t just take our word for it. See how Noggin Resilience can work for you in a tailored demonstration.
