The rapid pace of technological change is changing the way companies do business. Technology developments such as cloud computing and the internet of things (IoT) are affecting the way organisations function for the better, but they have also had an effect on the way we, as a profession, approach security.
Business resilience – both in an IT security and a non-security context – is ultimately about keeping the business running, no matter what. By nature, it is a proactive measure, whereby plans are put in place to prevent things from going wrong, or to keep the lights on if the worst happens.
We need to understand what the critical systems and critical processes are and how they relate to each other, ensuring that if something does go wrong, we have alternative systems that can be brought in quickly.
Business and IT are so tightly intertwined that a lack of attention to one severely affects the other. It is imperative, therefore, that IT, security and business continuity teams work together to create and test holistic plans.
The basis for this is, of course, risk assessment to identify business-critical assets and the threats and incidents that can impair their operation. Coupled with risk assessment is incident management, encompassing identification, response, recovery and learning.
Measuring resilience is difficult – if it breaks, then it was not resilient, but how resilient do you need to be? There are, however, common metrics which can be used to infer resilience. Many of these are common to both business continuity and information security – such as risk assessment process measurement, business impact analyses performed, incident management plans in place, service continuity and reconstitution, and awareness and training performed – and can be used to indicate how prepared a business is for an incident that will test its resilience.
Importantly, resilience is not a one-off process or an annual task. It’s a living concept that requires updating with the business as it changes, along with testing and learning. This is where information security professionals can take the lead and engage with the business in a positive way. It presents an opportunity for information security professionals to break out of the reactive position highlighted in our most recent study from the Global Information Security Workforce.
Resilience is a proactive and forward-looking concept, and it provides a platform for information security to be seen by the business as a valued partner, rather than one that just fixes the next crisis.
Adrian Davis is managing director for Europe at (ISC)2.
This was first published in September 2015