Are You Ready for a Disaster?

Business continuity (BC), IT disaster recovery (DR), and information security are essential elements of business resiliency, with the common objective of managing the risks of business disruption. While all have traditionally operated as separate silos, they follow similar processes: they all require business impact analysis and risk assessment processes, and all have a heavy reliance on controls documentation, monitoring, and testing.

Security and risk professionals should apply a common risk-based approach to these disciplines to streamline processes, improve cross-discipline collaboration, and provide a common system of managing risk. So how should your company attempt to leverage common best practices, processes, and tools across disciplines to improve business resiliency? One way is to have the same senior executive ultimately accountable for their success.

Today, at least 66 percent of security decision-makers are already either primarily or completely responsible for BC/DR. They may be responsible for both BC and IT DR or only IT DR, but it's clear that as companies seek to institutionalize these disciplines, they are turning to senior security executives for leadership.

But running a company-wide security program is difficult enough. Why would IT leaders want to raise their hand to take on BC and IT DR?

DR is Your New KRA
Security standards recognize information availability as a responsibility. Information security professionals have always considered themselves responsible for preserving not only the confidentiality and integrity of information, but also the availability of information.

CISOs, CSOs or other head security officers have the skills to institutionalize these programs under the security umbrella. Successful BC and IT DR programs require the skills that most successful security leaders already have.

If it's not your responsibility today, someone will ask you to do it in the future. As companies begin to establish these programs, they must determine who in the organization can take on these responsibilities. Forrester has seen the following executives assigned the responsibility: the CIO or the CISO (the most common), a dedicated risk manager (typical in large financial services firms), or the COO or CFO (this is the least common).

It's an opportunity to make the security program more strategic. The tasks associated with executing security policies such as software patching and application security are increasingly being automated through tools, then managed and monitored by the IT operations team. This allows IT leaders to focus on more strategic business and IT priorities. In addition, both BC and IT DR require the input and collaboration of multiple groups, including business owners, application owners, legal, HR, facilities, and IT. This gives the CIO the opportunity to increase their exposure and relevance to non-IT audiences.

Towards Business Resilience

Towrards Business Resilience

Extending your responsibilities and reach throughout the company under the banner of business resiliency will require that you:

• Set up a cross-functional advisory board. A senior executive in the company must have ultimate responsibility for BC, IT DR, and security, but none will be successful without involving business owners and other departments in the process.
• Give your resiliency managers a forum to network and exchange best practices. To increase collaboration across a large, geographically distributed company, you must hold annual best practices workshops, monthly teleconferences, and other forms of communication among various BCM, IT DR, and security managers.
• Test your plans more often and train everyone in their role and responsibilities. Test strategies should include plan walkthroughs, tabletop exercises, simulations, and full tests. Tests must be interdisciplinary and involve business members to be effective.
• Testing has many benefits. It helps validate team member roles, responsibilities, and competence, and it validates the currency of plans and the procedures.
• Run business resiliency assessments at least every two years. Adherence to the corporate standard must be assessed periodically. The assessment process should be constructive, not punitive; where there are areas for improvement, the local and corporate resiliency teams work together to implement the recommendations.

A Call To Join Forces

BC, IT DR and information security will continue to require specialization, but there are opportunities for better alignment given their common goals and requirements. Cross-team feedback on strategies and responses, the use of common software tools, and coordinated testing are substantial areas of potential benefit. By closely aligning these approaches you can:

• Close critical gaps in continuity strategy. Companies frequently lack coherent strategies for workforce recovery and emergency communication, because it's not clear if it falls within the scope of BC or IT DR. If you're able to successfully failover IT systems to an alternate site it doesn't help if no one has determined how employees will continue to work.
• Implement comprehensive resiliency testing. Forty percent of companies conduct a full test of their IT DR plans once a year, but 20 percent never conduct a full test. A first step toward increasing resiliency is to increase the frequency and types of tests with coordination among the BC, IT DR, and security teams. (See Calamity Check)
• Prevent security policy violations. IT disaster recovery often leads to the creation of multiple copies of data. Data is backed up once a day, and once a week it's taken off-site to another corporate facility or third-party service provider. Data is also frequently replicated over private networks or the Internet to an alternate datacenter. In addition, there is growing adoption of IT-related SaaS for online backup and disaster recovery, and this data could be transmitted and stored in an insecure way. Security professionals are not always aware of these IT DR arrangements.
• Leverage common tools. It's not uncommon to see one team responsible for continuity within a company subscribe to BCP SaaS while IT is unaware of its existence and is in desperate need of DR plan templates and a DR plan repository. Likewise, security professionals may deploy IT GRC software applications that also offer business continuity management (BCM) modules that could be leveraged by other groups in the company-but no one is aware of it. In the end, it's not unusual for a company to have invested in two to three different software applications with similar functionality. In addition to the unnecessary cost, it means that the company has no easy way to compile the information from these separate sources into a realistic picture of its business resiliency.

Incorporating BC and IT DR functions is not something that you can do with your existing security budget and staff. You will have to build the business case for a larger program by selling the benefits of greater efficiency, broader participation across the organization, and vastly more insight into the organization's risk profile.