A question of integration: the importance of incorporating cyber security into operational resilience strategies

Published: Friday, 11 June 2021 08:33

To achieve effective operational resilience firms must make a significant strategic shift, adopting an integrated approach to addressing operational resilience and cyber security, rather than seeing them as two disparate functions, says Guy Warren…

When it comes to working patterns following COVID-19, there will be no ‘return to normality’: the pandemic has changed working patterns forever. Following a work-from-home boom as countries across the world went into lockdown, flexible working will likely become the norm as things settle down and employees increasingly demand the choice.

But this transition hasn’t been a simple one. There has been a wide range of new challenges and threats that businesses have faced during the pandemic as a result of these shifts – with one of the most serious ones being the dramatic rise in cyber security threats. In fact, our research at ITRS has shown that hacking attempts have increased by over 300 percent since the start of the pandemic.

This rise in hacking is more than just a cyber security problem – it is a key threat to a firm’s operational resilience. In the UK, operational resilience is high on the FCA’s list of priorities, with new regulations demanding that financial services firms meet new operational resilience requirements. The regulations explicitly specify that, by 31st March 2022, firms must have identified any vulnerabilities in their operational resilience.

A company cannot be operationally resilient if it doesn’t have robust cyber security. The two are undoubtedly symbiotic: having the right systems in place to ensure operational resilience will, in turn, boost a company’s cyber security.

It is clear that there needs to be better integration between the two disciplines – but how should this be achieved? 

Finding a solution

Solving this problem will not be a case of simply throwing money at operational resilience and cyber security. While investment in these departments is a necessary foundation, any meaningful and long-term change requires a deep, considered approach. Firms must make a significant strategic shift, adopting an integrated approach to addressing operational resilience and cyber security, rather than seeing them as two disparate functions.

Often, a company will have one solution for its cyber security needs and another for its operational resilience needs – and the two will be completely separate from one another. This doesn’t need to – and, indeed, shouldn’t – be the case. For instance, a key element of operational resilience is complete oversight of internal systems, which requires an IT monitoring solution. This solution enables firms to identify potential weak spots and security threats within their IT infrastructure. However, because such solutions are siloed from security functions and departments, they are often prevented from reporting these threats to the cyber security team.

There is no need to reinvent the wheel: we are not suggesting developing a brand-new solution that covers both functions. However, it is certainly possible for operational resilience solutions and cyber security solutions, with their significant overlap, to better inform, share information with, and feed into each other. The same goes for the respective human teams within companies. While total integration of operational resilience and security teams into one is not necessary, in order to effectively and efficiently mitigate threats, there does need to be greater cooperation between the two.

With less than a year before the FCA’s new regulations come into force, firms will be prioritizing operational resilience to ensure that they are compliant and avoid penalties. In doing so, cyber security must remain a focus. Not simply in terms of increasing security in and of itself in order to avoid attacks, but also developing a roadmap to integrate cyber security with operational functions – the only approach that will allow companies to not only remain compliant, but also strengthen their business.

The author

Guy Warren is CEO, ITRS Group.