SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Three phases in the evolving Australian business conversation about resilience

Fri, 11th Oct 2024

Resilience has come up in a number of contexts this year. In a short period of time, we've seen it evolve from a cybersecurity conversation to a whole-of-business focus. 

That evolution is now continuing with the focus turning to the customer journey and how resilient each stage of that journey is to disruption.

Resilience as a cybersecurity conversation

For some time now, organisations have worried about their resilience to identity theft, ransomware and other types of attacks and about how long it would take to recover or 'bounce back' from an incident.

These concerns have become heightened in the AI boom as threat actors increasingly leverage AI tactics to raise the sophistication and efficacy of their attacks. Some 41% of organisations see AI driving a significant increase in identity threats over the next year, making these attacks more convincing and harder to detect. AI is also raising concerns among consumers, with 89% worried about AI impacting their identity security. Organisations without adequate security controls and systems are considered less resilient to these kinds of attacks taking place.

Resilience as a business conversation

While resilience as it relates to specific cybersecurity threats remains important, this year demonstrates that resilience is a much bigger and broader conversation. One of the drivers for this expanded conversation is the role and risk that third parties, such as vendors and other technology service providers, play in and pose to organisations' operations.

When procuring outsourced or cloud-based services, there is an inherent reliance on providers in these engagements, and their architectures, remaining resilient to disruption, whether the cause of the disruption is erroneous or malicious. 

Traditionally, organisations have been somewhat shielded from repercussions related to the resilience of third parties they engage, but this is changing. The regulatory trend is to make organisations directly responsible for the resilience of third parties they utilise as part of their operations. In Australia, that is occurring with specific financial regulations such as CPS 230, as well as with broader critical infrastructure rules that cover a much larger cross-section of industries.

While some of these new rules have helped to raise awareness of business resilience issues that are caused by third parties, it is the materialisation of this risk, where organisations have been left unable to operate due to the actions of a third party, that has really driven organisations to have important conversations about resilience and risk at the Board level, not just inside of IT.

We've observed an increased number of chief risk officers, CISOs, CEOs and directors recently revisiting business continuity conversations. They've been pressed into having these conversations because, with more operations digitally-driven and data-driven than ever, the cascading impact of just one service or one piece of this technology failing is better understood to be potentially catastrophic to their operations. 

Through these conversations, business executives and directors are learning about or uncovering gaps or exposures to resilience risks. That, in turn, is driving investment in and emphasis on the implementation of additional targeted controls, guardrails and tools that promise to improve business resiliency. 

But it doesn't stop there. 

Resilience as a customer journey conversation

With the broadening of resilience discussions, organisations are naturally starting to test the resiliency of all aspects of their operations. One of the ways this is playing out is the exploration of resiliency in the context of the customer journey, understanding every element of that end-to-end experience delivery and how resilient the organisation is to a technology or controls-based failure at any stage of that journey.

The typical digital customer journey covers a number of stages: beginning with when the customer visits a website, to them creating an account, building out a profile, logging in and using the service, and then the business being able to capitalise on all those previous stages by having the customer return and buy more or take up additional services, building their customer lifetime value. 

There may be cybersecurity controls or technologies that are needed at each stage of the journey to ensure it runs in a frictionless manner. The entire customer journey is only as resilient as its weakest component. This is why it's important to have a granular understanding of the journey and all its component pieces, so the resilience of each piece can be worked on and, if needed, improved so that it meets the expectations of the customer and of the organisation providing the experience.

Identity-related controls can be beneficial to multiple stages of the customer journey. Current best practice is to verify who a customer or user is at the start of the journey, and to use continuous authentication challenges at other stages of the journey to prevent fraud, manage expanded access to services over time, and make it easier to recognise occasions where the customer's identity should be reconfirmed for safety and security purposes.

Through this, organisations can move to a situation of continuous adaptive trust with their customer, such that the front-facing experience remains frictionless, but the customer is still occasionally challenged based on their actions to reinforce the security of the interaction. This should also help with the resilience of the experience, since interactions in the customer journey become more predictable and any exceptions can be managed appropriately.
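As an added illustration of the continuous adaptive trust pattern described above (this is example code written for this page, not code from the article or from any vendor it references): a small Python policy that verifies identity once at account creation and issues step-up challenges only on higher-risk actions at later journey stages, so the everyday path stays frictionless. The stage names follow the journey the article lays out; the risk rules, the 500 purchase threshold, the 600-second validity of a passed challenge and the sample events are constructed assumptions.

```python
"""Risk-based step-up decisions along a digital customer journey.

Identity is verified at account creation; later stages are re-challenged
only when the customer's action warrants it (new device, sensitive profile
change, high-value purchase, expanded access). A passed challenge covers
further risky actions for a short window, then trust decays again.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assurance levels a customer record can hold (constructed for this example)
ANONYMOUS = 0   # visitor, no verified identity yet
VERIFIED = 1    # identity proofed when the account was created

HIGH_VALUE_AMOUNT = 500.0  # assumed threshold for a high-value purchase
STEP_UP_TTL = 600          # assumed seconds a passed challenge stays valid


@dataclass
class Session:
    customer_id: str
    assurance: int = ANONYMOUS
    known_devices: set = field(default_factory=set)
    stepped_up_at: Optional[int] = None  # timestamp of last passed challenge


def recently_stepped_up(session: Session, ts: int) -> bool:
    """True if a challenge was passed within STEP_UP_TTL seconds of ts."""
    return session.stepped_up_at is not None and ts - session.stepped_up_at <= STEP_UP_TTL


def decide(session: Session, event: dict) -> str:
    """Return 'allow', 'verify' or 'challenge' for one journey event.

    event keys: 'stage', 'ts' (seconds), optionally 'device', 'amount',
    and 'sensitive' (e.g. changing contact or payout details).
    """
    stage, ts = event["stage"], event["ts"]
    if stage == "visit":
        return "allow"                       # browsing needs no identity
    if stage == "create_account":
        return "verify"                      # prove identity at the start
    if session.assurance == ANONYMOUS:
        return "verify"                      # no account yet: verify first
    if stage == "login" and event.get("device") not in session.known_devices:
        return "challenge"                   # unfamiliar device: reconfirm
    if recently_stepped_up(session, ts):
        return "allow"                       # fresh challenge still covers this
    if stage == "build_profile" and event.get("sensitive", False):
        return "challenge"
    if stage == "purchase" and event.get("amount", 0.0) >= HIGH_VALUE_AMOUNT:
        return "challenge"
    if stage == "expand_services":
        return "challenge"                   # expanded access needs reconfirmation
    return "allow"


def record_outcome(session: Session, event: dict, action: str, passed: bool) -> None:
    """Update the customer record after the customer responded to the decision."""
    if not passed or action == "allow":
        return
    if action == "verify":
        session.assurance = VERIFIED
    elif action == "challenge":
        session.stepped_up_at = event["ts"]
    if event.get("device"):
        session.known_devices.add(event["device"])  # device trusted after a pass


def run_journey(events: list, session: Optional[Session] = None) -> list:
    """Decide each event in order, assuming the customer passes every prompt."""
    session = session or Session(customer_id="cust-constructed-001")
    actions = []
    for event in events:
        action = decide(session, event)
        record_outcome(session, event, action, passed=True)
        actions.append(action)
    return actions


# Constructed sample journey for one customer (timestamps in seconds)
SAMPLE_EVENTS = [
    {"stage": "visit", "ts": 0},
    {"stage": "create_account", "ts": 60, "device": "laptop-1"},
    {"stage": "build_profile", "ts": 120, "device": "laptop-1"},
    {"stage": "login", "ts": 86400, "device": "laptop-1"},
    {"stage": "use_service", "ts": 86500, "device": "laptop-1"},
    {"stage": "purchase", "ts": 86600, "device": "laptop-1", "amount": 49.0},
    {"stage": "login", "ts": 172800, "device": "phone-7"},             # new device
    {"stage": "purchase", "ts": 172900, "device": "phone-7", "amount": 1200.0},
    {"stage": "expand_services", "ts": 200000, "device": "phone-7"},   # step-up expired
]

if __name__ == "__main__":
    for ev, act in zip(SAMPLE_EVENTS, run_journey(SAMPLE_EVENTS)):
        print(f"{ev['stage']:>16} -> {act}")
```

Running the sample shows the shape the article describes: one verification up front, a challenge when the customer appears on an unknown device, the high-value purchase that immediately follows passing without friction because the step-up is still fresh, and a fresh challenge later when the customer expands their services after that window has lapsed.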
