Enterprise Resiliency goes beyond Disaster Recovery
By Gary Sheehan, Chief Security Officer at ASMGi
Resiliency sounds like a common-sense approach to business. Each organization must anticipate, prepare for and adapt to change and disruptions in order to survive and prosper. Who wouldn’t want to do that, right? But like many things in the real world, moving from theory to executional excellence is a bit more complex.
Truly understanding what goes into enterprise resiliency, and aligning information security and other key programs to company goals will result in an effective security program and a contribution towards both enterprise and security resiliency. Typically security programs fail for the following reasons:
- True threats are misunderstood
- Lack of focus on risk
- Lack of a security plan/strategy
- Lack of business focus
- False reliance on perimeter protection
- Poor training
- A failure to understand the true significance of insider threat.
So let’s take a big step back.
What is enterprise resiliency?
Probably the most important thing to keep in mind is resiliency is a goal, not an end-state. That goal will almost certainly be a moving target. The organization must remain agile in its goals as employees transition to different roles, as systems update, and as new threats emerge.
Resiliency is more and more being used as a synonym for “disaster recovery” or “contingency planning,” but it’s much bigger than that. True enterprise resiliency goes beyond technology and focuses on the workflow and dataflow within the organization.
Enterprise resiliency takes in full organizational context. You must focus on strategic needs (long-term needs), process needs (functions within the enterprise) and operational needs (users’ tasks within the enterprise). Enterprise resiliency looks at both the internal and external issues that can impact the enterprise objectives.
Strategic resilience deals with broader areas of both threat and opportunity to the business, such as fluctuations in market share and impacts from regulatory changes. Process resilience refers to the underlying systems upon which the organization relies to function, such as IT and other technological systems, business processes and management systems. Operational resilience refers to the ability to respond to every-day business threats, such as cyber risks, utility failures and loss of plant and equipment.
Aligning resiliency with business goals
To be effective, enterprise resiliency must be practical and business-focused.
Resilience requires the ability to make good decisions informed by an understanding of what the organization stands for and where it is trying to go, the organization’s environment, what matters to the organization and what resources it has at its disposal.
If resilience isn’t paired with business goals, it will never work. In the information security space, I’ve seen some information security programs that appeared to be rock solid. But as I dug into the way the programs were implemented, it was obvious they were better on paper than in practice.
At the end of the day, a resiliency program will knock down siloes. Enterprise Resiliency is the maturation and integration of the individual disciplines into one integrated set of processes and capabilities that work collectively, instead of in silos. This approach allows businesses to have minimal disruption in the event of an incident that affects the entire organization.
A strong resiliency program understands the human element, where individuals in a chaotic situation must be empowered, prepared and educated on how to respond accordingly. After all, they’re the ones who will execute or not.
Also – managers need to support their employees through development of an adaptive environment that promotes innovation, enables flexibility and agility and includes training and development of the people doing the day-to-day tasks.
Tools for resiliency
The core tool of resiliency from an information security standpoint is a framework. By aligning the security framework objectives to the enterprise resiliency framework and strategies, the security organization and the business will be able to focus on achieving the goals of the enterprise.
Enterprise Resiliency can occur when a collection of internal controls enable an organization to identify, prevent, detect and endure unplanned events and effectively recover from any damages when they do occur.
Aligning your security framework with resiliency needs gives you two critical things: An accurate way to assess critical business functions and data flow and a way to effectively develop and empower the staff.
Choose the right framework, focus on your business and put the entire process through a strong gut check to ensure it’s viable.
This blog post was originally featured in the MISTI sponsored InfoSec Insider.