A Journey in Organizational Cyber Resilience Part 2: Business Continuity

September 20, 2021
| |
4 min read

Keeping a business up and running during a problem takes the right people for the job. When it comes to cyber resilience through tough times, many things come down to the human factor. We focused on that in the first piece in this series, but it also makes a big difference to the second topic: business continuity. So, how do you make sure that your business processes and functions keep running during a disruption?

Where Cyber Resilience Meets Business Decisions

First, what is a business function? Information security managers and staff need to know because it’s important for them to be comfortable with the language of business. Doing so is simply a part of creating and managing a strong cybersecurity program. Part of that language includes knowing the nuances between business continuity, disaster recovery and continuous operations. The IBM System Storage Business Continuity: Part 1 Planning Guide provides some very helpful guidance in Section 1.1 showing these nuances. For work, you may have to be able to explain them. They could come in handy when you start looking for internal backing for your cyber resilience efforts.

In essence, a business function is the set of tasks a department performs to produce an output. This is a very basic explanation, different for different jobs. But for our purposes, it suffices. A business process is often a set of chained tasks performed by people or equipment to produce a service or a product.

Together with disaster recovery and other resilience strategies, sound business continuity planning helps spot stakeholders. It also better positions your group to respond to incidents that could impact your finances, brand, reputation and value.

Therefore, whatever cybersecurity framework you end up using, business continuity plays a key role. After all, you need to be acutely aware of what services and products your business offers. In other words, while it may be your job to keep the network going and the data at hand, it is a good idea to know why you have do that. The answer is you need to keep offering the service or product during a disruption.

Plans, Plans and More Plans for Cyber Resilience

If you are unsure where to start when it comes to the business continuity game, two great go-to resources are NIST 800-34 Contingency Planning Guide for Federal Information Systems and ISO 22301:2019. NIST 800-34 is very helpful. It specifies differences between various distinct, but closely related, plans. These include business continuity plans, continuity of operations plans, crisis communications plans and more visible at the link.

Maybe your organization can develop and execute all of the above plans. If so, your cyber resilience posture is likely quite strong, with the following caveat: plans without testing are just documents collecting dust. Therefore, you need to test your plans. And testing without security mindfulness or culture means you’re just checking the boxes. Therefore, remember that plans are just the first step.

Process Contingency Strategies

Over the past year and a half, some of us were fortunate enough to work from home. This is a unique example of a process contingency strategy. Business process shifted to remote because of a disruption.

Below are some of the more common process contingency strategies. Picking which one is right for you and your business is a function of criticality, practicality and risk tolerance.

Process Transfer: As the name says, the process gets transferred to another person or piece of equipment. You could transfer it in-house, but do not rule out a managed service provider, either. This is where formal contracts and memorandums of understanding need to be in place already.

Also, pro tip here: throughout the cyber resilience journey, if you are relying on a third party, make sure you know what your prioritization is. Remember, a disruption may impact more parties than just you, and that third party you are relying on may be supporting many others. Any cyber resilience roadmap development requires you to know what your resources are. Third party functions and service offerings fall into that category.

Alternate Site: The process is carried out at an alternate location. It is worth noting in this case that an alternate site may or may not be owned and operated by your organization. Again, you need to be up to speed with what your third party contract agreements are.

Remote Work: There is a nuanced difference here between alternate site and remote work. The perfect example for many is working from home. After all, you are not really working at an alternate site in this case.

Follow the Sun: You will see this strategy for organizations that normally have a global footprint. This doesn’t apply to every company, of course. But it’s useful for large enterprise resources spread throughout the globe. In the most basic form, the follow the sun model means that offices in different time zones pass processes between them. It sounds very practical in theory, but in practice it may be a bit more difficult. After all, it requires different regions to handle not only their local processes, but those of the region that has been disrupted. This may require some extra coffee pots.

Depending on your business model, you may be able to come up with some more contingency strategies for your processes, but practicality needs to come into your decision-making. A small business, for example, may not be able to transfer a process because they have limited staff. This is where succession planning comes into play. But what you should begin to notice is that there are a lot of pieces moving here and more to come on the cyber resilience journey.

Putting the Puzzle Pieces of Cyber Resilience Together

In the next article in this series, we will talk about disaster recovery and identifying interdependencies.  Disaster recovery is an interesting topic because of the cloud. Briefly, much of the literature and practice surrounding disaster recovery was written during the time of data centers and colocation sites. So, stop by next time to see how the cloud is changing the disaster recovery discussion.

George Platsis
Senior Lead Technologist, Educator and Author

George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related ...
read more