Organizations have traditionally treated information security and business continuity management as two separate disciplines. But is the situation changing? By David Evans.
Cyber security threats are real, difficult to manage and require specialist knowledge to protect the business, monitor the threat and handle the incursion. What’s more, all the evidence points to a rapid growth in the sophistication of attacks and an increasing difficulty in countering the threat. So what is the role of the business continuity professional in a world where the teenage hacker, cyber criminal and cyber terrorist prevail?
The reality is that data is valuable and interfaces with core business activities, so any threat to it or to the aligned processes is a threat to the business. From reputational damage to loss of services, there can be significant impacts from cyber attacks, and it is easy to predict that the response requirements will go far beyond the technocrats. This means that, when implementing protective measures and making incident response plans, there is a need to ensure that the events and impacts are not lost in a world of IT acronyms and cyber specialists but, instead, have a business focus based on impact and risk.
Put aside the complex technological knowledge that’s required to understand the micro details of an attack and take a look at the business implications and the disruption that occurs. Denial of service attacks, loss of data, fraud, criminal activities, etc. all impact the day-to-day operations of a business, and such impacts fall squarely within the remit of business continuity managers.
A particular area where business continuity brings very relevant experience to the information security table is in testing and exercising, and the involvement of the BC team in cyber exercises can take these to a new level. Testing ideas, raising awareness and integrating response teams across the technological/business divide are all objectives for cyber exercises, but if well run they should also help to build corporate understanding of the value of the assets and of the threat that cyber crime poses to core business activities. Or, to put it another way, a well-run exercise will help to validate and promote the business impact analysis.
I believe it is time for the business continuity profession to actively participate in managing and preventing cyber incidents. Do you agree? Are you seeing more input from the business continuity team in your organization? I’d love to hear from you…
David Evans is a Partner at Corpress LLP. Corpress has recently supplied a new resource to Continuity Central. It offers guidance for the business continuity professional on running cyber exercises, and can be downloaded from here, after registration.