Cybersecurity Control vs Cyber Resiliency

Team Merlin
Government Digital Services, Singapore
4 min read · Mar 24, 2023

Cybersecurity Control (CSC) vs Cyber Resiliency (CSR)! Who will win?

In today’s digital age, cybersecurity threats are constantly evolving, and many organisations are vulnerable to cyber attacks that can lead to huge losses. Some may say that having good cybersecurity controls is very important, while others may argue that having good cyber resiliency is crucial.

So, which is more important? 🤔🤔🤔

In the world of cybersecurity, the two terms “Cybersecurity Controls” and “Cyber Resilience” are often used interchangeably. While they’re related, they are definitely not the same thing.

In this article, we will take a look at what “Cybersecurity Controls” and “Cyber Resilience” are, explore the differences between these two concepts in a fun and easy way, and understand the importance of both.

Cybersecurity Controls

Cybersecurity controls refer to the protection from potential harm that could be caused by a cyber attack. Now imagine yourself in a movie setting where there is a zombie apocalypse happening. You need to keep the zombies out and away from your house, so you build a wall to keep them away. The wall can be tough, tall, and robust, but then you think further and ask yourself:

The wall (in this scenario) is the cybersecurity controls; they’re a series of measures to reduce or prevent threats from coming in. You can build as many walls as you want, but there’ll always be the possibility that the landscape changes (e.g. huge rainfall, an earthquake) and/or loopholes are found over time (e.g. walls getting worn out).

Cyber Resilience

Cyber Resilience is the ability to withstand and recover from such attacks. Using the same movie setting as above, except that you know the walls you’ve built will break one day, what would you do differently? You may set up a safe house and pave a secret passageway to it, so that if the zombies swarm in, you can escape through this passageway.

This action of paving a secret passageway doesn’t prevent zombies from penetrating your house. Instead, you set up an important backup plan should anything bad happen to your walls. This backup plan is like cyber resiliency, where you complement your controls with measures to keep you alive should that likely threat materialise.

So which is more important?

Both are needed and have to go hand in hand!

Cybersecurity controls can be managed through a variety of cybersecurity measures, like configuring and setting up a web application firewall, conducting secure code review and/or penetration testing, etc. However, it is important to note that no cybersecurity measure(s) can completely eliminate the risk of a cyber attack. Therefore, it is essential to have a plan in place to respond to a cyber attack if it does occur. This plan should include the key steps to contain the attack, such as identifying the source of the attack and recovering from any damage (for more information, please refer to this website).

On the other hand, cyber resilience refers to the ability to withstand and recover from cyber attacks should they happen to you; it is the ability to continue business operations in the face of a cyber attack and to recover quickly from any damage that has been caused.

Cyber resilience should be thought through and planned before the product’s initial release, because you don’t want to think about resilience only after an attack has happened (well, everyone will be too stressed and panicking to even think about the next step). Imagine your house is slowly being infested with zombies. Do you think you will have the time to pave a secret passage and set up a safe house?

We highly doubt so. 🥴🥴🥴

In the realm of cybersecurity, it is difficult to say whether cyber resilience should come before cybersecurity controls or vice versa. Both are important and necessary components of a comprehensive cybersecurity strategy. However, it is important to understand the differences between the two and the role each plays. Also note that cyber resilience is only effective if cybersecurity controls are in place. Without effective cybersecurity controls, an organisation will be vulnerable to cyber threats, and cyber resilience measures will be less effective.

In summary, it’s not a matter of which should come first; rather, both are necessary and must be implemented in tandem to provide comprehensive protection against cyber threats.

We hope you had fun reading the above and have some takeaways. 😄

🧙🏼‍♀Team Merlin 💛
Application security is not any individual’s problem but a shared responsibility.