By Christopher Burton, consultant, Avalution Consulting.
Today’s business vocabulary is filled with buzzwords such as ‘information security’, ‘business resiliency’, ‘business continuity’ and ‘disaster recovery’. Most professionals would agree that these concepts are all critical to the long-term success of the modern organization, but who should assume the responsibility of managing it all – or should a single role manage it all? One current trend amongst organizations of all sizes and industries is to combine information security and business continuity in an effort to safeguard against any type of business interruption. This perspective discusses this trend.
Historically, organizations focused their recovery efforts on IT disaster recovery, exclusively targeting the timely recovery of key technologies in the event of a data center loss (or loss of connectivity to the data center). In recent years, however, with tragic events such as 9/11 and Katrina, organizations learned that there is far more to recovery and business continuity than simply data center restoration. Further, the recent economic recession has severely impacted the bottom-line of many organizations, making any business interruption or outage potentially more detrimental to the organization than it may have been in previous years. These situations have clearly demonstrated the need for a comprehensive approach to business continuity, but the decision on where to position the program and assign responsibility is ultimately a springboard for discussion (and confusion) within the organization.
According to a recent publication by researcher CU360, there is a significant disconnect between information technology and business executives when it comes to disaster preparedness. While both parties agree that information availability is important to the success of their organizations, fewer than half of business executives (49 percent) say disaster recovery and business continuity are important to business success compared with a large majority of IT executives (74 percent). Understanding the need for technology availability within organizations, it’s no wonder that IT executives deem disaster recovery and business continuity important and are commonly given this responsibility to complement their other risk management (e.g. information security) activities.
The combining of expansive roles such as information security and business continuity can lead to two preliminary observations. First, the similarity in roles and commitment to resiliency and responsiveness makes the combining of roles a logical argument. On the other hand, given the ever-expanding growth of Internet technologies and communication, increasing the responsibilities of information security to include business continuity could direct valuable resources away from those activities that need them most. At the same time, the scope of the combined entity would increase to include threats from information security, facilities, human capital and technology. To learn more about the trend of juggling information security and business continuity, Avalution spoke with Information Security Directors from diverse industries in order to capture their thoughts on these two very important responsibilities, with the aim of providing guidance to other organizations.
Information Security Director Q&A
Q: How has your previous experience in information security and ITDR benefited your new role as the leader of the business continuity program?
A: Previous experience with information security and IT disaster recovery is definitely value-adding when assuming responsibility of a business continuity program; it gives appreciation for the risks associated with not having a viable and visible program. Many of these risks are related to information security, while others are unrelated. Regardless, understanding broader business risks enables the improvement of all risk management disciplines. On a high-level, the conceptual framework that is applied to both information security and IT disaster recovery is broadly the same, but the details and the tactics must be readjusted and refocused for business continuity.
Q: What synergies do you feel are generated by the combination of information security and business continuity into one role?
A: Numerous synergies are generated with the combination of information security and business continuity into one role, primarily because you are interacting with many of the same individuals throughout the entire organization. The combining of roles facilitates broader exposure to the enterprise, enabling more comprehensive and strategic planning and recovery efforts. Said differently, as an Information Security Director, you must have a strong, strategic understanding of the business, its key objectives and customer requirements if you are to be successful in protecting the organization’s technology resources and information. You need the same knowledge and information to be effective in business continuity; working in both disciplines makes you more effective in the other. That’s a synergy that adds value to the organization.
Q: What are some drawbacks of combining information security and business continuity into one role?
A: Bandwidth and credibility. Both roles carry with them huge responsibilities with diverse solutions. In order for both to be successful in both disciplines, dedicated resources (personnel, funding, and management) must be uniquely applied. Having said that, when information security and business continuity are combined, it is important for the program to be reviewed and benchmarked without bias.
One other challenge is educating the business that business continuity is more than technology. Because Information Security Directors are often viewed as technology professionals, the natural reaction is for business colleagues to think you only address technology recoverability - nothing could be further from the truth. In addition, often the most pervasive risks to business recoverability are located in IT. It can be difficult to clearly portray those risks to business professionals from a position inside the IT organization.
Q: Without previous business continuity experience, where did you turn for advice and guidance initially?
A: Most information security professionals have some basic understanding of business continuity – professional education covers it, even if only at a high level. Professionals who have taken the time to achieve certification are a key to successful business continuity and disaster recovery programs. Numerous business continuity-related resources are available (and oftentimes free) including industry publications, webinars, conferences and magazines.
Q: What advice would you provide to new Information Security Directors who have recently assumed responsibility for an organization’s business continuity initiatives?
A: Executive commitment (from outside of IT) to the business continuity program is essential to long-term success. New directors must ensure that a business continuity steering committee is in place in order to define the tone at the top of the organization and create an appetite for strategic investment. In addition, business continuity buy-in should be clearly articulated in a program charter and skilled personnel should fairly assess the real value that the business continuity program delivers to the organization.
Q: As the need for 24/7 global connectivity and availability increases, how do you think the role of information security and business continuity will change in the future?
A: Ten years ago, the same statement would have been applicable. The demand for 24/7 global connectivity and availability continues today and will continue to increase. However, certain markets and even pockets of the business exist where resiliency would be overkill. It is important for organizations to understand their unique business requirements and implement information security and business continuity programs that are appropriate and aligned to strategic business need. Understanding this, the role of information security and business continuity may not change as much as it will evolve.
There are numerous advantages and disadvantages associated with the decision to either create a standalone business continuity program or to combine it with information security. Insight collected from Information Security Directors interviewed for this perspective strongly encourage organizations to fully understand their business needs and to adopt a business continuity program structure that matches those specific needs. No matter if business continuity stands alone within an organization or if it is managed and facilitated by information security, the shear presence of such a program is vital.
Author: Christopher Burton, Consultant, Avalution Consulting: Business Continuity Consulting.
MAKE A COMMENT
Christopher has written a considered and well articulated article. I agree with most of what is being said. To add towards the consideration and; having worked in both ICT and financial areas of the business environment, I would say that the ownership of business continuity must rest with the Executive Board. There are financial issues that are well outside of the scope and capabilities of most information security and availability professionals. Similarly the technical complexities of a large ICT infrastructure are mostly outside of the remit and skills set for financial professionals. It is therefore clear that both business continuity and ICT service continuity must co-exist with business continuity. Business continuity demands ICT availability as a mandate for it to succeed in continuance of key business activities. Leadership of the business continuity activities should normally come from the business leadership. If the Head of ICT be a member of the business leadership team it could be acceptable for that person to lead the initiative but only with sponsorship from the business owner and with cooperation of financial and operational business leadership. We must remember that the ICT business function is normally no more than an internal supplier of information services to the business overall and not the function in charge of the business. For business continuity to really work the whole leadership team must be bought in and it not become just be seen as another technical initiative being imposed upon the business. True business resilience only comes to fruition if operations, HR, financial implications, technology and buildings are within consideration.
Gareth Crompton, MBCI
•Date: 9th Feb 2010 • Region: US/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here
UPDATED WITH READER COMMENT 30TH MARCH