Defining digital resilience in the uncertain world

COVID-19 has been a global case study on resilience. Under the unprecedented circumstances surrounding the pandemic, businesses had to find ways to continue operating, often, with the help of digital technology. Digital networks and services enabled remote work, collaboration, customer outreach, online transactions and many other business functions to continue amid government-mandated lockdowns and ongoing social distancing measures.

But digital technologies themselves are susceptible to failure. According to a Digital Trust Insights¹ report by PWC which examined resilience strategies in over 3,500 firms, some commonplace business practices can raise the enterprise’s vulnerability to cyberattacks and disrupt its digital systems. Examples include the use of third-party cloud providers, deployment of IoT applications, increased outsourcing to contractors and greater integration of the technology stack – all of which increase the attack surface and expose the enterprise to heightened cybersecurity risks.   

As we head towards a digitally dependent future, what can enterprises do to address these risks and be more digitally resilient?

For a start, it is important that digital resilience is viewed through a much broader lens instead of focusing only on cybersecurity. Digital resilience not only involves protection against threats to digital assets; it is also about business continuity planning to maintain critical functions in the event of a disruption and building the capability to respond effectively to change.

A starting point for building digital resilience is to know what the enterprise needs to protect. This involves identifying the core business services of the enterprise and the processes, digital assets and dependencies that enable the delivery of these services. The dependencies will also include connections to third-party systems outside of the enterprise.

The interconnectedness of today’s digital systems makes the task of asset identification much more complex. The PwC report¹ cited the example of a company which thought it had mapped out all its critical assets and systems, only to discover that there were nine times as many critical systems linked through secondary and tertiary connections.

Unless there is a clear understanding of all these dependencies, it will be difficult for an enterprise to decide which systems to isolate in the event of a cyberattack or any other form of business disruption.

Having identified the processes, assets and dependencies across the organisation, the enterprise will have to prioritise them so that resources are focused on the most important areas. It will also have to assess where the threats are likely to come from – e.g. whether it is a threat actor or a natural disaster – and how they are likely to impact the organisations. This will help guide resource allocation in terms of cybersecurity and manpower investments.

As part of strategic planning for digital resilience, the enterprise will also have to assess its tolerance to disruption. This is about understanding how much disruption a business can withstand and setting limits on the time and cost it is able and willing to bear for any outage.

The inputs from all these actions – developing an inventory of digital assets, prioritising the assets for protection, and determining the business’s tolerance for disruption – are important in helping the enterprise to develop a robust incident response and business continuity plan.

But it is not good enough. The volatility of the business environment, exacerbated by the current pandemic, underscores the need for enterprises to continuously redesign business services and processes to strengthen that resilience.

In Joseph Fiksel’s book on Resilient by Design², resilience is described as a business’s capacity to “survive, adapt, and flourish in the face of turbulent change”.

Beyond having a business continuity plan, being digitally resilient by design is about the enterprise’s ability to create systems and processes that enable it to respond effectively to change. This means having to embed digital resilience and awareness at every level of the enterprise. Staff must be trained to be mindful of digital resilience in their day-to-day work and to respond operationally to incidents and cybersecurity threats.

Everyday work processes that are essential to business operations must be examined and reinforced to ensure continued competitiveness and business survival. A good example was how COVID-19 compelled businesses to adapt to changes in staff working arrangements.

New technologies and systems must be assessed in terms of their impact on overall business resilience. This means conducting cybersecurity impact assessments on every digital project and making digital risk assessment a part of due diligence for new service providers or outsourcing arrangements.

And just as business continuity plans have to be tested regularly, so too does the enterprise need to test its resilience. A comprehensive and holistic testing approach is needed to see how people, technology and process come together to adapt to changes in the business environment. For example, tabletop exercises can be conducted to bring teams together and test their response and communications capabilities in various scenarios to uncover any gaps.

A final point about digital resilience is that it is not only related to risk; it is also about responding to opportunities. Digital resilience allows the enterprise to innovate with confidence. A report³ in Financier Worldwide Magazine describes it as a “risk dividend” that can be reinvested in the company. “Digital resilience is a strategic imperative and can underpin competitive advantage in an uncertain world,” it said.

Build digital resilience to innovate with confidence. Find out how.

1 Raising the resilience quotient, Digital Trust Insights, September 2019, PWC.

2 Resilient by Design, Joseph Fiksel, Island Press, 2015.

3 Seven steps to build digital resilience in an uncertain world, Financier Worldwide, May 2020.