
When Cyber Resiliency Becomes Policy, Not Practice: Closing the Leadership & Culture Gap in NIST’s SA-24

When Resiliency Requires More Than Just Technical Specs

The National Institute of Standards and Technology (NIST)’s recent update to SP 800-53 (Rev. 5) introduced SA-24: Design for Cyber Resiliency, calling on organizations to codify resiliency goals, objectives, techniques, implementation approaches and design principles, and to embed them in their risk management or security engineering processes.

On paper, SA-24 represents a critical advance, reshaping cybersecurity from static protection and recovery to resilience by design. But there’s a glaring gap: How do organizations socialize and internalize these requirements? The policy assumes that once defined, these elements will be adopted, but in reality, cybersecurity governance succeeds or fails in the boardroom, the war room and the culture.

1. Leadership Mindset: The Missing Starting Point

Defining goals and techniques is necessary, but not sufficient. If leadership doesn’t believe that resiliency is a priority, SA-24 becomes a compliance checkbox. A 2024 Deloitte study found that only 35% of cybersecurity executives say their senior leadership actively supports resilience-focused budgets and training.

Call to action: Embed SA-24 deliverables in executive steering reviews, not just IT documentation. Align board KPIs (e.g., time to restore service, trust reputation) with resiliency goals.

2. Culture, Not Just Control

SA-24 doesn’t prescribe how to cultivate a culture that views disruption as an opportunity, not a failure. Yet NIST’s own vendor-neutral Cyber Resiliency Engineering Framework (SP 800-160 Vol 2 Rev 1) highlights organizational learning and adaptive mindsets as core tenets.

Plug the gap: Introduce simulation-based learning (e.g., red teaming combined with war-room exercises) so teams internalize SA-24’s “resilience posture” rather than only cataloging it.

3. Siloed Systems vs. Integrated Practice

One of the biggest implementation hurdles is that risk, security, operations and communications units often function in silos. SA-24 requires integrated planning (e.g., technical recovery and narrative readiness), but most organizations do not have a fusion center model for this.

Bridge the silo: Pilot “cyber resiliency fusion cells” with reps from IT, communications, HR, and legal, co-owning SA-24 definition and revalidation.

4. Lack of Continuous Measurement

SA-24 mandates that goals and objectives be reviewed, but does not specify how often, nor how performance gets measured or publicly communicated. Yet frameworks like ISO/IEC 27001’s “plan-do-check-act” focus on iteration.

Action step: Map SA-24 objectives to quarterly dashboards: e.g., “Mean Time to Narrative Recovery,” “Percentage of critical dependencies validated,” or “Time to trust restoration post-incident.”

5. Workforce Resiliency and Succession Risk

SA-24 is silent on the human side: succession, retention, and institutional knowledge. Yet cyber resiliency often depends on in-group knowledge: who owns the failover script, who knows the handshake. Losing that knowledge through retirements or turnover is a hidden threat.

Operationalize transfer: Integrate resiliency roles and documentation into talent pipelines and onboarding, so SA-24 isn’t lost if your cyber lead retires.

Final Thought

NIST SA-24 is foundational, but only if organizations treat resiliency as an enterprise capability, not a policy footnote. Without leadership alignment, cultural reinforcement, cross-functional integration, measurement, and workforce continuity, SA-24 remains aspirational.

Cyber resiliency fails when policy is divorced from practice. Let’s close that gap.


Dr. Rhonda Farrell is a transformation advisor with decades of experience driving impactful change and strategic growth for DoD, IC, Joint, and commercial agencies and organizations. She has a robust background in digital transformation, organizational development, and process improvement, offering a unique perspective that combines technical expertise with a deep understanding of business dynamics. As a strategy and innovation leader, she aligns with CIO, CTO, CDO, CISO, and Chief of Staff initiatives to identify strategic gaps, realign missions, and re-engineer organizations. Based in Baltimore and a proud US Marine Corps veteran, she brings a disciplined, resilient, and mission-focused approach to her work, enabling organizations to pivot and innovate successfully.
