The development of modern cloud-based mobile applications has changed much of the IT landscape. New methods of application development (Agile & DevOps) have driven organizational change and brought IT to the forefront of new digital business models. Hyper-connected, massively distributed Cloud applications are also driving changes in traditional IT methods for business continuity and security - two primary functions missioned to manage IT risk.
Protecting information systems and ensuring their availability has been the province of the business continuity management (BCM) function. On the other hand, access control, privacy, and identity management have been handled by IT security. Historically separate, both functions play an important role in managing operational risk. As cloud and mobile applications evolve several factors suggest the need for a new approach to manage IT risk:
- Cyber breaches are increasing in frequency. Many threat types such as zero-day exploits and Ransomware create significant business impact with little or no advance warning
- Acceptable downtime for most IT systems is < 4 hours. Many systems are designed to be resilient with no downtime and minimal data loss placing pressure on business continuity and cybersecurity incident response teams
- Business continuity and security metrics are often presented in technical terms. For example, the amount of malware detected and blocked, or the percentage of backups successfully completed. Senior executives need to understand these programs in the context of business risk
- Protecting brand reputation is more important than ever. Companies must respond to disruptions (natural or cyber) with speed and accuracy to ensure minimal impact to brand reputation and external partners
While BCM and cybersecurity are managed separately, both teams must work together to develop and manage a common incident response process. This provides management and company stakeholders with the confidence their organization has a consistent way to defend against threats and respond in a manner that protects their brand.
This new approach, merging security and business continuity functions (while balancing risk and budget) is known as Cyber Resilience. Among the benefits of this approach are better incident response, an improved ability to manage risk, and more effective coordination of resources.
Response to cyber threats has created new challenges that business continuity planners must deal with. Unlike a natural disaster, cyber events create crime scenes. Law enforcement and external stakeholders must be engaged and public image must be managed. Business continuity and cybersecurity planners must develop response plans to manage these new threats.
Best practices for Cyber Resilience are still emerging. Most companies manage BCM and cybersecurity separately, while others have merged the functions. Because BCM and cybersecurity programs often compete for the same risk funding, it’s not uncommon to see conflicts in how these programs are led and managed.
One trend we are seeing is senior executives integrating these functions under the role of a Chief Risk Officer (CRO). The goal is to create a holistic view of risk and a common method for organization, governance, and funding. The CRO is responsible to allocate funding where it’s needed most and drive BCM and cybersecurity programs to ensure they are coordinated, integrated and delivering value.
The nature of risk is constantly changing as Cloud and mobile applications evolve. Internal and external cyber threats will increase as the numbers of blackhats grow. Consequently, BCM and cybersecurity will continue to evolve as Cyber Resilience tools and techniques mature and companies develop new ways to manage risk.
The CRO may become your new best friend.
This blog was co-authored by Jeff Marinstein, Founding Principal of Marinstein & Co. and Michael Puldy, Director of Global Business Continuity Management at IBM.