
Building Cyber Resilience Through a Business-Centric Approach

The GFCC

Credit: Unsplash

Cyberinfrastructure is reshaping daily life as societies transition to digitized economies that merge the cyber and physical domains. In this new reality, cyber resilience has become critical for business sustainability, government sovereignty, and security, as well as a key component of competitiveness strategies.

 

At the same time, the technology landscape driving this transition is becoming increasingly complex, interconnected, and automated, making it difficult to anticipate all potential cyber threats and failures or prevent their rapid spread. These emerging risks elevate the costs of improving cyber resilience, with security standards evolving daily, introducing new compromises, malware, and encryption codes. Most businesses and governments lack the resources to keep up with these evolving security standards and end up relying on third-party companies—a choice that, in turn, introduces new vulnerabilities.

 

To unpack this intricate reality, the GFCC, in collaboration with Lockheed Martin, hosted a webinar on February 20th featuring Amy Parde, Director of Resilience at Lockheed Martin, and Karl Wood, CTO of Netlinkz, on Securing Digital Infrastructures Against Cyber Threats and Technological Failures. 

 

Ms. Parde oversees the resilience and recovery of IT systems at Lockheed Martin and previously led the organization's cybersecurity infrastructure. Mr. Wood designs cloud-based cybersecurity solutions in a platform that supports multiple industries. Together, they analyzed how to drive a resilience strategy from a business-centric approach, explored emerging risks in today's technology and geopolitical landscape, and discussed a shift in mindset—from avoiding breaches to assuming failure as a critical component of system design.

 

Business-centric approach

Building cyber resilience starts with understanding which threats and hazards apply to the business environment, identifying actors that could be interested in hacking, evaluating IT infrastructure that supports operations, and assessing possible points of failure.

"Resilience is a business imperative. It's not a technical solution or simply a box to check. The choices that we make about cybersecurity and resilience in any business relate to the specific risks and impacts that matter most to the organization," comments Ms. Parde.

Beyond these initial considerations, business leaders and security experts must also assess broader dependencies that could introduce new risks into business operations. These include but are not limited to telecommunications, environmental hazards, regulatory and legal ramifications, the overall business reputation, and even customers' expectations and public reaction.

 

Ms. Parde cited the case of a U.S. pipeline operator that suffered a ransomware attack. While the attack itself was contained, it disrupted the company’s ability to supply gas to the eastern United States. However, it was the public reaction—driven by fears of a fuel shortage—that led to a surge in demand, ultimately causing supply shortages that could have been avoided.

 

Making hard choices

A recent Gartner survey revealed that only 14% of security and risk management leaders can effectively secure their data while also supporting business objectives. This highlights the widespread vulnerability of organizations to cyber threats.

 

According to Mr. Wood, major cyberattacks typically occur for two reasons. First, organizations store data they shouldn’t: unnecessary data retention increases the attack surface. Second, organizations continue to use outdated software and hardware (legacy systems) that often lack built-in security features and can be more vulnerable to attacks.

 

In most organizations, investments in cybersecurity often compete with other business priorities. Two trade-offs most commonly stop leaders from making the hard choice of building cyberinfrastructure resilience.

One is that cybersecurity often trades off against speed, since it involves additional time in designing and delivering controls to safeguard and validate solutions. The other is that building resilience often trades off against cost-efficiency. Designing for additional capacity or alternative approaches means investing in risk reduction to avoid potentially damaging events that may or may not happen, a choice that is often hard to make when resources are scarce.

 

Ms. Parde and Mr. Wood agree that these trades don't have to be at odds and that investing in building cyber resilience capacity will save money in the long run. "There used to be an old rule in quality assurance: every $1 spent upfront during development saves $100 down the line. In cybersecurity, with the right investments, processes, and strategies, that figure is likely closer to $1 saving $500 in the long run," says Mr. Wood.

 

Expect to have failures

In an increasingly connected world, the focus has changed from prevention to resilience. While new integrations and automation can deliver new capability and value at speed by interconnecting data, they also expand the risk surface where cyber threats can occur or operational issues can manifest.

"When we think about how to plan for resilience against these threats, we are evolving to rely more on assuming breach or failure as a critical component of design," he states. "The mindset is that we can act to prevent but we won't be able to prevent all incidents. We need to work to build resilient systems that can respond at scale and speed," says Mr. Wood.

 

The best approach, he suggests, is to invest in prevention while assuming that failure will happen and prepare systems to adapt and recover quickly.

 

Finally, leaders should continually align cybersecurity strategies with business priorities, evaluating risks and investment decisions.
