In the next four chapters, we’re going to do a deep dive into the entire process of preparing for, responding to, recovering from, and learning from cyber incidents. A passage Bill writes in Chapter 17 is worth previewing here: While it’s helpful to break the entire incident response discipline into a series of discrete phases so that each can be described individually to assist with training and the command and control of response activities, it is rarely clear-cut when one process ends and the next begins. There is often significant overlap, and as new information emerges, it is usually necessary to revisit a phase previously thought completed. For instance, while in recovery, monitoring activity may detect the presence of indicators of compromise identified for the current cyber incident, and that may send you all the way back to the containment phase.
As we present the material over the 12 essays that make up these next four chapters, that overlap will become apparent not just within the activities of responding to a specific event, but across the entire set of disciplines we cover.
In Chapter 14 we look at the close relationship between business continuity planning and your strategy for becoming a cyber-resilient organization. Each of the three authors ties these two critical business processes together and emphasizes the importance of understanding what is fundamental to the business.
Bill discusses backup and recovery planning. He challenges the reader to carry the traditional elements of business continuity planning into their backup planning while also accounting for vital new dimensions: new service delivery models such as cloud computing, and new attack methods such as ransomware, which specifically targets the backups an organization expects to recover from.
Matt emphasizes the importance of executive and board-level engagement. From understanding the organization’s core priorities and tying those to its appetite for risk, to making sure the board understands how the BCP / DR strategy seeks to manage and mitigate that risk, Matt shows that ultimately this is about business strategy. A key way the CISO drives this engagement is by ensuring that the security program and security architecture reflect organizational priorities as captured in BCP tools such as the BIA. Ensuring that the organization remains a going concern is the ultimate responsibility of the board.
Gary reminds us of the impact that cyber incidents can have, including outcomes like disruptions to business continuity and reputation damage. Significant events can translate to disappointed customers, lost jobs, and hard monetary costs that can leave an organization reeling. He then helps the reader construct a plan by building on many of the lessons from previous chapters and showing how the pieces fit together.
Some of the questions the authors used to frame their thoughts for this chapter include:
♦ What is a Business Continuity Plan (BCP) and what are the steps to create one?
♦ What critical components should a Disaster Recovery Plan (DRP) include to be effective?
♦ What value does the CISO’s security program receive from the organization’s Business Continuity Plan and its associated Disaster Recovery Plan?
Cybersecurity’s Debt to the Business Continuity Community – Stamper
Let’s face it – cybersecurity is exciting. Our profession is in the crosshairs of the media, with reports related to high-profile attacks frequently covered on the nightly news. We even have popular TV shows. For new entrants to our profession, this focus on cybersecurity may seem to be the norm. For those of us who have been in the industry more years than we’d like to admit, we recognize that the current focus on cybersecurity is a relatively new phenomenon. It may come as a shock to some that there was a time when cybersecurity (and before that, information security) was the forgotten stepchild of IT, overlooked from a resource and budget perspective. Security was the department – let’s be honest about this, the individual – that would get the table scraps from the IT budget once leadership addressed all other “priorities.”
I bring up this historical perspective to acknowledge our profession’s debt of gratitude to our colleagues in the business continuity and disaster recovery (BC/DR) community. Historically, our two disciplines suffered the same neglect. As with security, everyone recognizes that business continuity and disaster recovery are essential elements of an organization’s overall resilience.
Despite this recognition of the importance of BC/DR, most organizations only pay lip service to this critical discipline, with incomplete and untested BC/DR plans. Furthermore, our colleagues in BC/DR frequently have their budgets and projects undermined by higher-priority efforts within the organization. The result is that organizations are less resilient and subject to significant interruptions to their operations. That sounds a lot like the risk factors associated with inadequate and poorly resourced security programs.
While the current focus on cybersecurity is beneficial, we should not overlook the contributions of our colleagues in BC/DR, especially in the context of resiliency. Both professions are, at their core, about resiliency. No organization is immune from being attacked. In fact, our organizations are subject to ongoing and in many cases highly persistent attacks. Our job is to ensure that our organizations remain resilient when confronted with risks, whether cyber or natural disasters.
We can learn, and have learned, much from our colleagues in BC/DR. First and foremost, let’s not overlook one of the great tools our BC/DR friends use to evaluate their continuity programs – the business impact analysis (BIA). BIAs are powerful tools that should be leveraged to improve our security programs. They convey organizational priorities in concrete terms: maximum allowable downtime (MAD), the longest outage a process can tolerate before the harm becomes unacceptable; recovery-point objective (RPO), the amount of data loss, expressed as a window of time, the process can tolerate; and recovery-time objective (RTO), the target time to restore the process. A well-formed BIA keeps RTO below MAD, because restoring a system is not the same as resuming the business process that depends on it. Further, well-crafted BIAs highlight key dependencies on applications, staff, infrastructure, and vendors.
Collectively, the detail resulting from the review of a BIA provides essential context related to the organization’s risk landscape. We don’t have cybersecurity for cybersecurity’s sake. Cybersecurity must be focused on the business and not just cool and innovative technology. Ultimately, a business consists of distinct processes and protecting these processes from cyber risk is our raison d’être.
The BC/DR community has also done an excellent job of developing mitigating strategies that improve organizational resilience. Fault tolerance of components, fail-over, and high-availability architectures, including active/active and active/passive configurations, were designed to drive RTO toward zero, while replication strategies such as synchronous or near-continuous data replication were designed to drive RPO toward zero. In the aggregate, our BC/DR colleagues have produced a body of work that can inform how we look at our cyber programs, with the ultimate goal of improving the operational resiliency of organizations.
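The BIA figures above are only useful to a security program if someone checks them against what the backup and restore estate can actually deliver. The following is an added example, not code from the chapter or its authors, that does exactly that: it takes a constructed BIA (processes with MAD, RPO and RTO, plus the assets they depend on) and a constructed backup inventory (backup cadence, last successful backup, measured restore time), walks the dependency chain, and reports where the measured reality falls short of the BIA’s targets. The critical-path model (an asset is usable only once its dependencies are back, and sibling dependencies restore in parallel), the tier thresholds, and every asset and process name are assumptions made for the illustration.

```python
"""Added example: check what a BIA asks for (MAD, RPO, RTO per business process)
against what the backup and restore estate can actually deliver. All data is
constructed for illustration; nothing here comes from a real BIA."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Process:
    """A business process as captured in the BIA."""
    name: str
    mad_hours: float                 # maximum allowable downtime
    rpo_minutes: float               # recovery-point objective (tolerable data loss window)
    rto_hours: float                 # recovery-time objective (target restore time)
    depends_on: list[str] = field(default_factory=list)


@dataclass
class Asset:
    """An application or infrastructure component the BIA lists as a dependency."""
    name: str
    backup_interval_minutes: float   # cadence the backup job actually runs at
    last_backup: datetime            # most recent successful backup
    restore_hours: float             # restore time measured in a recovery test
    depends_on: list[str] = field(default_factory=list)


def effective_restore_hours(name: str, assets: dict[str, Asset],
                            seen: frozenset = frozenset()) -> float:
    """Critical-path restore time. Assumption: an asset is usable only once its
    dependencies are back, and sibling dependencies restore in parallel, so the
    effective time is the asset's own restore time plus its slowest dependency chain."""
    if name in seen:
        raise ValueError(f"dependency cycle at {name}")
    asset = assets[name]
    deps = [effective_restore_hours(d, assets, seen | {name}) for d in asset.depends_on]
    return asset.restore_hours + (max(deps) if deps else 0.0)


def transitive_dependencies(names: list[str], assets: dict[str, Asset]) -> set[str]:
    """Every asset a process touches, directly or through other assets."""
    found: set[str] = set()
    stack = list(names)
    while stack:
        n = stack.pop()
        if n not in found:
            found.add(n)
            stack.extend(assets[n].depends_on)
    return found


def protection_tier(mad_hours: float) -> int:
    """Assumed tiering: the shorter the MAD, the more protection effort the process
    earns. The thresholds are illustrative, not from the chapter."""
    if mad_hours <= 8:
        return 1
    if mad_hours <= 24:
        return 2
    return 3


def assess(process: Process, assets: dict[str, Asset], now: datetime) -> dict:
    """Compare one process's BIA targets with the measured backup/restore reality."""
    findings: list[str] = []
    if process.rto_hours > process.mad_hours:
        findings.append(f"RTO {process.rto_hours}h exceeds MAD {process.mad_hours}h; BIA is inconsistent")
    achievable = max(effective_restore_hours(d, assets) for d in process.depends_on)
    if achievable > process.rto_hours:
        findings.append(f"achievable restore {achievable}h exceeds RTO {process.rto_hours}h")
    for dep in sorted(transitive_dependencies(process.depends_on, assets)):
        a = assets[dep]
        if a.backup_interval_minutes > process.rpo_minutes:
            findings.append(f"{dep}: backup every {a.backup_interval_minutes}min exceeds RPO {process.rpo_minutes}min")
        age_min = (now - a.last_backup).total_seconds() / 60
        if age_min > process.rpo_minutes:
            findings.append(f"{dep}: last backup {age_min:.0f}min old, already outside RPO")
    return {
        "process": process.name,
        "tier": protection_tier(process.mad_hours),
        "achievable_rto_hours": achievable,
        "findings": findings,
        "meets_targets": not findings,
    }


def assess_all(processes: list[Process], assets: dict[str, Asset], now: datetime) -> dict[str, dict]:
    return {p.name: assess(p, assets, now) for p in processes}


# --- constructed sample BIA and backup inventory (not real data) ---
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ASSETS = {
    "erp-db":   Asset("erp-db",   60,   NOW - timedelta(minutes=40), 2.0),
    "auth-idp": Asset("auth-idp", 5,    NOW - timedelta(minutes=3),  1.5),
    "erp-app":  Asset("erp-app",  15,   NOW - timedelta(minutes=10), 1.0, ["erp-db", "auth-idp"]),
    "wiki-app": Asset("wiki-app", 1440, NOW - timedelta(hours=6),    3.0),
}
PROCESSES = [
    Process("order-fulfillment", mad_hours=8,  rpo_minutes=15,   rto_hours=4,  depends_on=["erp-app"]),
    Process("payroll",           mad_hours=24, rpo_minutes=240,  rto_hours=48, depends_on=["erp-app"]),
    Process("internal-wiki",     mad_hours=72, rpo_minutes=1440, rto_hours=48, depends_on=["wiki-app"]),
]

if __name__ == "__main__":
    for r in assess_all(PROCESSES, ASSETS, NOW).values():
        status = "OK " if r["meets_targets"] else "GAP"
        print(f"[{status}] tier {r['tier']} {r['process']}: achievable RTO {r['achievable_rto_hours']}h")
        for f in r["findings"]:
            print("      -", f)
```

In the constructed data, order-fulfillment meets its RTO (the erp-app chain restores in 3 hours against a 4 hour target) but misses its 15 minute RPO twice, because the database behind it is only backed up hourly and its last backup is already 40 minutes old; payroll is flagged because its RTO is longer than its MAD, which is a defect in the BIA itself rather than in the infrastructure. Those are the findings a CISO can take into a risk discussion in business terms, and the tier column is the starting point for deciding which systems get the most protection effort.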
Let’s take a look at how cybersecurity can improve resiliency. I’d like to recommend we spend a bit of time on the following:
♦ Defining, documenting, and mitigating risk
♦ Tying risk to the organization’s core priorities and organizational objectives
♦ Keeping executive management and the board of directors appropriately informed
These three practices will help us to position our cybersecurity program in a manner that improves the resilience of the organization.
Defining, Documenting, and Mitigating Risk
CISOs would be well served to bring risk management front and center in their security programs. We cannot protect every system equally. Not all business processes, applications, and infrastructure are created equal. Similarly, not all employees have the same value to the organization. This inequality may seem obvious, but our security programs frequently don’t reflect this reality. Too many security programs attempt to apply ubiquitous security to all systems, infrastructure, and employees.
The consequences of a blanket, cover-all approach to security are predictable. Unless the organization benefits from an ever-expanding budget and nearly unlimited resources, a protect-everything-equally security program delivers watered-down security: critical systems are under-resourced and under-secured while non-critical systems are effectively overprotected. The root cause of this disconnect is a lack of alignment with organizational priorities, and a risk-focused discussion is the most effective way to avoid it.
Key to a successful risk discussion is for the CISO to capture and understand the organization’s overall risk appetite concerning the impacts on the confidentiality, integrity, availability, privacy, and even the safety of material business processes. These impacts, however, need to be more formally aligned with enterprise risk management and specific risk considerations for the organization related to financial, reputational, operational, and other higher-level risk considerations.
When done correctly, a risk-focused discussion translates detailed technical risk into business terms that senior executives and the board can more readily consume and act upon. Executive management and the board are concerned about the impact of an adversary on the organization, its reputation, and its finances, even if they are not well-versed in the adversary’s tactics, techniques, and procedures (TTPs).
CISOs should continually ask themselves: “What is it that I don’t know that I should know about this business process or initiative that could impact the confidentiality, integrity, availability, privacy, and safety of the process?” This open-ended question keeps the focus on considerations that could materially impact the organization. Returning to our colleagues in BC/DR, the BIA can facilitate this line of questioning. What dependencies and risk factors – notably from a cyber perspective – could negatively influence the processes that are most critical to the organization? Knowing these factors will help align your security program and architecture to the processes the organization values most, as expressed in the BIA’s MAD and RPO/RTO figures.
Another, more direct but less structured approach to understanding risk appetite across the organization is simply to ask colleagues in various departments and lines of business to clarify their areas’ priorities and key functions (e.g., business processes). This insight will help align your security program to the organization’s core focus, effectively, what the organization values most. For the good of their security programs, CISOs must excel at understanding this business context.