Moving Beyond Resilience to Prosilience
Our researchers have spent over a decade at the CERT Division exploring, developing, and analyzing operational resilience as a way to not just manage risks, but to achieve mission assurance. Resilience has been codified in our CERT-Resilience Management Model (CERT-RMM), which is a maturity framework of best practices across security, business continuity, and information technology operations focused on an organization's critical assets.
CERT-RMM assists an organization in achieving its mission before, during, and after a disruptive event and ensuring that the organization can return to a full operating capability. This body of work has expanded into derivatives that have been used to assess the cybersecurity capabilities of over 500 (and counting) critical infrastructure owners and operators, and continues to be used as a way for organizations to measure their performance (e.g., against the NIST Cybersecurity Framework) as well as baseline and improve their capabilities.
There is much work left to be done in the area of resilience, and CERT researchers continue to expand and improve the resilience body of knowledge. As a Department of Defense Federally Funded Research and Development Center (DoD FFRDC), it is also critical that we look beyond what is needed now. Our mission is to anticipate and solve the nation's cybersecurity challenges. The space around us is evolving on multiple planes with increasingly complex systems and expanding attack surfaces as the Internet of Things becomes a reality. Our adversaries and their tools are also becoming both more numerous and more sophisticated.
Some organizations perform post-mortems or lessons-learned activities to identify what caused an issue, and they then work to fix errors made by people, processes, or technology. This is the action of a mature organization with resilient properties. However, emerging areas of technology have moved beyond the age-old steps of fail→investigate→fix to concepts of self-healing and artificial intelligence giving systems the IQ of an average four-year-old human. Don't we want our organizations to be at least as smart as this? So what comes after resilience? Haven't we "won" if we can achieve our mission even in a degraded state during a disruptive event?
I propose that we build operationally PROSILIENT organizations. If operational resilience, as we like to say, is risk management "all grown up," then prosilience is resilience with consciousness of environment, self-awareness, and the capacity to evolve. It is not about being able to operate through disruption, it is about anticipating disruption and adapting before it even occurs--a proactive version of resilience. Nascent prosilient capabilities include exercises (tabletop or technical) that simulate how organizations would respond to a scenario. The goal, however, is to automate, expand, and perform continuous exercises based on real-world indicators rather than on scenarios.
Operational prosilience is not a state; it is an evolving set of characteristics and capabilities. We at the CERT Division are exploring these characteristics and capabilities as part of our DoD mission. We encourage you to engage with us in the discussion and their design. Look for more about this exciting new CERT research soon!