Let’s face it – cybersecurity is exciting. Our profession is in the crosshairs of the media, with reports related to high-profile attacks frequently covered on the nightly news. We even have popular TV shows. For new entrants to our profession, this focus on cybersecurity may seem to be the norm. For those of us who have been in the industry more years than we’d like to admit, we recognize that the current focus on cybersecurity is a relatively new phenomenon. It may come as a shock to some that there was a time when cybersecurity (and before that, information security) was the forgotten stepchild of IT, overlooked from a resource and budget perspective. Security was the department – let’s be honest about this, the individual – that would get the table scraps from the IT budget once leadership addressed all other “priorities.”
I bring up this historical perspective to acknowledge our profession’s debt of gratitude to our colleagues in the business continuity and disaster recovery (BC/DR) community. Historically, our two disciplines suffered the same neglect. Like security, business continuity and disaster recovery are widely recognized as important elements of an organization’s overall resilience.
Despite this recognition of the importance of BC/DR, most organizations only pay lip service to this critical discipline with incomplete and untested BC/DR plans. Furthermore, our colleagues in BC/DR frequently have their budgets and projects undermined by higher priority efforts within the organization. The result is that organizations are less resilient and subject to significant interruptions to their operations. Kind of sounds like the risk factors associated with inadequate and poorly-resourced security programs.
While the current focus on cybersecurity is beneficial, we should not overlook the contributions from our colleagues in BC/DR, especially in the context of resiliency. Our respective professions both focus on resiliency. Resiliency is at the heart of cybersecurity. No organization is immune from being attacked. In fact, our organizations are subject to ongoing and in many cases highly persistent attacks. Our jobs are to ensure that our organizations remain resilient when confronted with risks, be they cyber or natural disasters.
We can learn and have learned much from our colleagues in BC/DR. First and foremost, let’s not overlook one of the great tools that our BC/DR friends leverage to evaluate their continuity programs – the business impact analysis (BIA). BIAs are powerful tools that should be leveraged to improve our security programs. They convey detail related to organizational priorities, expressed in terms such as maximum allowable downtime (MAD), recovery-point objective (RPO), and recovery-time objective (RTO). Further, well-crafted BIAs highlight key dependencies on applications, staff, infrastructure, and vendors.
Collectively, the detail resulting from the review of a BIA provides essential context related to the organization’s risk landscape. We don’t have cybersecurity for cybersecurity’s sake. Cybersecurity must be focused on the business and not just cool and innovative technology. Ultimately, a business consists of distinct processes and protecting these processes from cyber risk is our raison d’être.
The BC/DR community has also done an excellent job of looking at mitigating strategies to improve organizational resilience. Strategies related to fault tolerance of components, fail-over, and high-availability architectures including active/active and active/passive configurations have their roots in approaches designed to improve RPO and RTO. In the aggregate, our BC/DR colleagues have produced a body of work that can inform how we look at our cyber programs with the ultimate goal of improving the operational resiliency of organizations.
Let’s take a look at how cybersecurity can improve resiliency. I’d like to recommend we spend a bit of time on the following:
- Defining, documenting, and mitigating risk
- Tying risk to the organization’s core priorities and organizational objectives
- Keeping executive management and the board of directors appropriately informed
These three practices will help us to position our cybersecurity program in a manner that improves the resilience of the organization.
CISOs would be well served to bring risk management front and center in their security programs. We cannot protect every system equally. Not all business processes, applications, and infrastructure are created equal. Similarly, not all employees have the same value to the organization. This inequality may seem obvious, but our security programs frequently don’t reflect this reality. Too many security programs attempt to apply ubiquitous security to all systems, infrastructure, and employees.
A blanket, cover-all approach to security has real costs. Unless the organization benefits from an ever-expanding budget and nearly unlimited resources, a protect-everything-equally security program amounts to watered-down security: critical systems are under-resourced and under-secured while non-critical systems are effectively overprotected. The root cause of this disconnect is a lack of alignment with organizational priorities. A risk-focused discussion is the most effective means to avoid this dynamic.
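The BIA fields named above (MAD, RPO, RTO and the dependency map) can be turned directly into the tiered, unequal protection this section argues for. The script below is an added illustration, not code from the original article or from CISO DRG: it reads a small constructed BIA, propagates each business process’s RTO/RPO down through application, infrastructure and vendor dependencies, and assigns every asset the tightest objective it inherits. The process names, asset names, hour values and tier thresholds are all invented assumptions. Two things fall out that the prose does not spell out: a shared component (here a database cluster) inherits the strictest RTO of any process that reaches it, even if it was only ever thought of as “the analytics database”, and an asset that no material process depends on is left unranked rather than being swept into the top tier.

```python
"""Derive per-asset protection tiers from a business impact analysis (BIA).

Constructed example: every process, asset, dependency, MAD/RPO/RTO value and
tier threshold below is invented for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Objective = Tuple[float, float]  # (rto_hours, rpo_hours)


@dataclass
class Process:
    """One business process as captured in the BIA."""
    name: str
    mad_hours: float                # maximum allowable downtime
    rto_hours: float                # recovery-time objective; must not exceed MAD
    rpo_hours: float                # recovery-point objective (tolerable data loss window)
    depends_on: List[str] = field(default_factory=list)   # applications, infrastructure, vendors


# Asset -> assets it in turn depends on (constructed dependency map; "legacy-wiki"
# is deliberately referenced by no process).
ASSETS: Dict[str, List[str]] = {
    "erp": ["db-cluster", "idp"],
    "web-storefront": ["db-cluster", "cdn-vendor", "idp"],
    "hr-system": ["idp"],
    "analytics-db": ["db-cluster"],
    "db-cluster": ["san"],
    "idp": [],
    "cdn-vendor": [],
    "san": [],
    "legacy-wiki": [],
}

# Constructed BIA entries.
PROCESSES: List[Process] = [
    Process("order-fulfillment", mad_hours=8, rto_hours=4, rpo_hours=1,
            depends_on=["erp", "web-storefront"]),
    Process("payroll", mad_hours=72, rto_hours=48, rpo_hours=24,
            depends_on=["hr-system"]),
    Process("marketing-analytics", mad_hours=168, rto_hours=120, rpo_hours=48,
            depends_on=["analytics-db"]),
]


def inconsistent_entries(processes: List[Process]) -> List[str]:
    """A BIA row whose RTO is longer than its MAD cannot be met; flag it for review."""
    return [p.name for p in processes if p.rto_hours > p.mad_hours]


def closure(asset: str, assets: Dict[str, List[str]], seen: Set[str]) -> Set[str]:
    """Add asset and everything it transitively depends on to `seen` (cycle-safe)."""
    if asset in seen:
        return seen
    seen.add(asset)
    for dep in assets.get(asset, []):
        closure(dep, assets, seen)
    return seen


def inherited_objectives(processes: List[Process],
                         assets: Dict[str, List[str]]) -> Dict[str, Optional[Objective]]:
    """Each asset inherits the tightest (smallest) RTO and RPO of any process reaching it."""
    objectives: Dict[str, Optional[Objective]] = {}
    for p in processes:
        reached: Set[str] = set()
        for root in p.depends_on:
            closure(root, assets, reached)
        for a in reached:
            current = objectives.get(a)
            rto, rpo = current if current else (float("inf"), float("inf"))
            objectives[a] = (min(rto, p.rto_hours), min(rpo, p.rpo_hours))
    for a in assets:                       # assets no process needs stay unranked
        objectives.setdefault(a, None)
    return objectives


def tier(rto_hours: Optional[float]) -> object:
    """Assumed thresholds: tier 1 <= 4h, tier 2 <= 72h, tier 3 otherwise."""
    if rto_hours is None:
        return "unranked"
    if rto_hours <= 4:
        return 1
    if rto_hours <= 72:
        return 2
    return 3


def prioritize(processes: List[Process] = PROCESSES,
               assets: Dict[str, List[str]] = ASSETS) -> Dict[str, Tuple[object, Optional[Objective]]]:
    """Map every asset to (tier, inherited (rto, rpo)) for budget and control decisions."""
    return {a: (tier(o[0] if o else None), o)
            for a, o in inherited_objectives(processes, assets).items()}


def ranked(processes: List[Process] = PROCESSES,
           assets: Dict[str, List[str]] = ASSETS) -> List[str]:
    """Asset names ordered from most to least critical; unranked assets last."""
    table = prioritize(processes, assets)
    return sorted(table, key=lambda a: (table[a][0] if isinstance(table[a][0], int) else 99,
                                        table[a][1][0] if table[a][1] else float("inf"), a))


if __name__ == "__main__":
    for name in ranked():
        t, obj = prioritize()[name]
        print(f"{name:16} tier={t:<9} inherited(rto,rpo)={obj}")
```

Run as-is it prints the ordered asset list; the interesting rows are `db-cluster`, `san` and `idp`, which land in tier 1 purely because order fulfillment reaches them through the ERP and storefront, while `legacy-wiki` stays unranked and so should not be absorbing tier-1 controls or budget.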
Key to a successful risk discussion is for the CISO to capture and understand the organization’s overall risk appetite concerning the impacts on the confidentiality, integrity, availability, privacy, and even the safety of material business processes. These impacts, however, need to be more formally aligned with enterprise risk management and specific risk considerations for the organization related to financial, reputational, operational, and other higher-level risk considerations.
When done correctly…
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.