Five steps to integrating business continuity and cyber resilience
- Published: Friday, 08 June 2018 08:10
Integrating cyber resilience into the broader business continuity strategy will maximise the company's ability to protect against a data breach, detect when one has occurred, and recover from it, says Michael Davies, CEO of ContinuitySA.
Business's increasing dependence on digital platforms and data has generated significant efficiencies, but has also spawned a well-resourced cyber crime industry. The ability to protect organisational IT systems and to recover from any breach, which we call cyber resilience, is therefore critical. Cyber resilience is not just about technology; it must also cover the company's people and processes. Cyber resilience thus cannot exist in isolation and must be integrated into a broader business continuity plan.
The following are five critical steps to achieve this integration:
- Align IT and business to a cyber resilience strategy. A critical element will be to use a common language to enable this alignment. Neither party will be effective working solo.
- Get top management buy-in. As with most business initiatives, executive sponsorship is critical to gain traction and secure budget. Given the importance of business continuity as a whole, and of cyber resilience within it, this sponsorship should be at board level.
- Get the balance between risk appetite and resilience right. There is no one-size-fits-all approach. Companies must take the time to understand their particular threat landscape, and their risk appetite. Mitigating risk costs money.
- Develop a comprehensive cyber strategy incorporating people, processes and technology. As with business continuity, a multi-pronged approach is required. Everybody in the company, and every process, uses technology, so all must be involved.
- Create a holistic resilience culture of protect, detect, respond and recover. Protection is vital but is unlikely to be foolproof, so the ability to detect that a breach has occurred at all is equally vital in order to trigger a suitable response.
Recovering from a successful cyber attack is never going to be a purely technological issue; the people and process angles have to be there, not forgetting the key role of crisis communication with stakeholders, employees and, where appropriate, the public. That's why cyber resilience must form part of business continuity management: everything has to work together.