By Gordon Millar, Robert Pitcole
During a recent cyber stress test, one of our customers discovered that a payment process they expected to recover in two hours instead took 34 hours to restore.
Their experience isn’t a unique one.
In fact, a Kyndryl and IDC report found that only one in four organizations feel adequately prepared to prevent and respond to a disruptive event [1]. It’s becoming clear to many teams—whether through similar stress tests or, occasionally, all-too-public mishaps—that there is often a significant gap between recovery expectations and recovery realities.
This is a miscalculation that modern enterprises can’t afford to make. But a concept like minimum viable company can help teams recalibrate. While minimum viable company should not be considered the silver bullet for cyber risk, it is a powerful tool for prioritization and right-sizing, which helps teams create a realistic and actionable incident response plan.
Drawing on our experience with a wide range of businesses, we have identified the fundamental ingredients of any successful minimum viable company strategy.
Establish a clear definition of “critical”
Minimum viable company encourages teams to define their most critical business layer by determining which services, functions and data must be accessible to maintain operational viability in the crucial hours after an incident.
Of course, defining what “critical” means—especially in industries that deliver essential services, like healthcare, or provide economic stability, like financial services—can present its own challenge. To narrow the scope, evaluate the true operational impact of a given process: what would the financial, reputational and regulatory consequences be if this process were damaged or failed outright?
A matrix that scores each process across several impact dimensions—operational, reputational, regulatory and financial—will help your team develop a minimum viable company definition that aligns with your specific risk framework.
Set realistic recovery targets
Even after careful analysis, many teams may be inclined to over-define their minimum viable company and thus set unrealistic recovery targets. Thinking about minimum viable company through the lens of impact tolerance will help to prevent slipping back into that dangerous gap between expectation and reality.
Impact tolerance doesn’t replace the more traditional concept of Recovery Time Objective (RTO)—the expected time for a process to be restored—but rather augments it, encouraging teams to determine the maximum downtime they can endure before their clients, operations or brand experience intolerable harm.
To establish your organization’s impact tolerance, consider examining the probability of the incidents you will likely face, utilizing organizational and industry data. By modeling out these various business disruption scenarios, many teams might find, for example, that while a significant malware attack would undoubtedly pack a bigger punch, smaller incidents such as minor data corruption or breaches often pose a much more immediate threat.
Integrating these findings into your minimum viable company will allow your team to target the most critical and vulnerable processes, further helping to place your incident response plan firmly within the realm of possibility.