
    How Business Continuity, Information Security and Risk Management Collaboration Bolster Business Performance

    By Yo Delmar, vice president GRC Solutions at MetricStream, and Harvey Betan, associate principal at Risk Masters Inc.

    Business continuity programs are often run on a standalone basis, but recent incidents involving security breaches show why business continuity, disaster recovery, security and risk management teams need to work together to understand the true likelihood and impact of potential disruptions to the business. Consider, for example, an online banking site or an online retailer whose IT infrastructure is compromised, or made unavailable by a DDoS attack. Companies hit by incidents of this kind have in some cases seen dramatic effects on their operations and revenues. To keep the business running, more and more organizations are converging their IT security, risk management and business continuity teams in order to establish and agree on a common framework and common processes for crisis management.

    Today, business continuity planning and management goes beyond the physical continuity of the business and encompasses e-continuity as well. We live in an era of e-business, with a growing share of transactions moving through the Internet, extranets, virtual private networks and cloud service providers. The complexity of this ecosystem has produced a larger attack surface and a greater number of threats to digital information and traffic flows. Over the last two to three years, the rise in cyberattacks has driven the integration of security with operational and enterprise risk management. More recently, business continuity and disaster recovery teams have become key partners in these collaborative teams, a natural fit within the larger concept of 360-degree risk management.

    Trends Driving Collaboration and Convergence

    According to Ernst & Young's 2013 global information security survey, business continuity and disaster recovery was identified as the top-priority information security area for the next 12 months. The three disciplines of IT security, risk management and business continuity are now beginning to converge in the way they identify, analyze and evaluate threats and risks, around the common goal of continuity and resilience in business operations.

    Several trends in business today drive this convergence:

    • Tolerance time is shrinking: Disruption tolerance times are shrinking from hours to minutes and, for some transactional systems, to seconds. As our work lives become increasingly “always-on,” we expect responses immediately.
    • Impacts occur and cascade very quickly: Today businesses operate across a digital, social, mobile, and hyper-extended landscape where the impact of an incident can have a ripple effect that can expand very quickly. Be it electronic fund transfers or data transfer from clients to suppliers, transactions are increasingly electronic, moving through a complex and interconnected global supply chain and service delivery ecosystem.

    • Information security threats are increasing: Threats to big data, cloud services, critical and trusted infrastructure, and mobile and social applications have been increasing steadily over the last few years.
    • Management is demanding a 360-degree view of risk: The role of risk intelligence with a 360-degree view of risks and mitigation strategies is becoming table stakes for good risk management. Management must ensure that thresholds for risks and incidents are well communicated and distributed in the operational fabric of the organization, and that information on incidents is communicated on a near-real time basis.

    The Epsilon breach shows how quickly impacts cascade through third parties. In late March 2011, Epsilon, a provider of email marketing services to large client bases, reported that its systems had been “exposed to unauthorized entry” and that attackers had stolen the names and email addresses of millions of people. These were the customers of several large financial and retail firms, including Citi, Barclaycard US, Disney and Best Buy, which were in turn clients of Epsilon. Each of those companies had to notify its own customers to be alert to “phishing” attempts that would use the stolen names and addresses to solicit further sensitive information, so a single breach at one supplier became a customer-facing incident for every downstream client.

    The Value of Convergence and Common Terminology in Effective Crisis Management

    The positive effect of convergence between business continuity management (BCM), security and risk management is that a broader view of risk is understood and a system for monitoring and managing risks can be derived from it. Collaborative teams form a better understanding of the most important activities in an organization, the resources that support them, and the on-the-ground challenges they face. As a result, an integrated approach provides better risk identification, analysis and prioritization, more pragmatic risk treatment, and more efficient investment in remediation.

    Each new technology brings new opportunities for creating value, but also new threats and attack vectors that bad actors may exploit, and new complexity that may lead to failures or outages. It is critical for executives to understand this evolving threat landscape in order to set risk appetites and thresholds and decide on policies that protect both critical business processes and sensitive information. Increasingly, organizations are also being asked to collaborate and cooperate on issues that may affect national security or critical infrastructure involved in an incident.

    More than ever, organizations need a common methodology, approach and nomenclature so that members of these groups can have a meaningful dialogue about real risk. A simple example of how differing perspectives and terminology can cause confusion, distort metrics and ultimately misdirect remediation: a disruption to the business may be recorded by the business continuity professional as an outage, by the IT professional as a service-level agreement failure, and by the information security professional as a denial-of-service attack. The same event then appears three times in three registers, with three severity ratings and three owners. For an effective crisis management program, key stakeholders must agree on a common terminology as they collaborate to keep the organization performing and meeting its objectives.

    Evolving Threat Landscape

    A major driver of collaboration is the evolving threat landscape. Teams need to consider the basic question: what increases threats to critical resources, business processes and sensitive or regulated information? Factors include anywhere, anytime access to information (physical or electronic) from devices such as smartphones and BYOD endpoints; a lack of transparency in third-party relationships, in particular with cloud service providers; and a lack of verifiable controls and of testing visibility into control states.

    Emerging threats span a wide range of technologies (e.g., mobile computing, social technology) and infrastructures (e.g., critical infrastructure, trust infrastructure, cloud computing and big data). One of the most rapidly emerging threats is supply chain interruption, whether upstream, downstream or through indirect incidents. An example of an indirect incident is the 2010 eruption of Eyjafjallajökull in Iceland: the eruption itself was confined to that area, but the ash cloud drifted over northern Europe, grounding air travel and delaying deliveries. Internal and external political issues should increasingly be considered part of the threat landscape. For instance, during and after the 2011 revolution in Egypt, organizations had to deal not only with supplier issues arising from the change in government but also with the government cutting off access to the Internet. Human-caused events such as lockouts or a change of leadership in an organization are also being considered more and more in the business continuity threat landscape.

    The Quintessential Triad in Risk Management

    Business continuity management (BCM) is the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable, pre-defined level, according to the Business Continuity Institute. Many of the core functions of BCM are shared with other risk management and compliance disciplines. Information security, for example, is about protecting information assets. Operational risk focuses on minimizing losses resulting from inadequate or failed internal processes and systems, human factors or external events. There is a fundamental overlap between the missions and objectives of business continuity, information security and operational risk management.

    For example, BCM helps in managing business continuity requirements by mapping organizational hierarchies, conducting business impact analysis and establishing a risk register. That risk register can be extended to include information security risks, and also become part of a larger operational and enterprise risk framework. BCM helps in developing strategy, identifying preventive controls and developing an incident response structure, disaster recovery and communication plan. Again, information security and compliance teams can work from the same control framework, gaining perspectives from other groups’ testing, and reusing test results from other teams in analysis. BCM also tests, maintains, reviews and exercises plans. It manages disaster recovery requirements by conducting damage assessments, invoking a disaster recovery plan and initiating recovery activities, all of which flow naturally into operational risk management.

    When properly designed, the convergence of IT security, risk management and business continuity can be the quintessential triad in risk management.

    Priorities for Best Practice in Convergence of Business Continuity, Security and Risk Management

    When it comes to best practices for convergence of business continuity, organizations should consider their end-to-end ecosystem, including third parties and suppliers, and capitalize on opportunities to leverage and share information and processes with security and risk management teams and disciplines.

    • Share organization and risk frameworks: When mapping business continuity requirements, it is critical to look at organizational hierarchies and processes and evaluate the actual tolerable period of disruption for each (the maximum tolerable period of disruption, or MTPD, in ISO 22301 terms). Impact analysis prioritizes the various processes, and a risk assessment helps create a risk register in line with both enterprise risk management and information security.
    • Develop a strategy on determining how to deal with important issues: Maintain, review and exercise plans on an ongoing and continuous basis, and integrate issue management with crisis management processes that are used by security and risk teams.
    • Think through the cascade effects of an incident: For example, business continuity and operational risk teams should understand that a security compromise can be carried into backups, so that restoring a backup taken after the initial intrusion simply reintroduces the attacker's foothold or malware. Teams should be objective and honest and view risks from all angles before planning exercises.

    • Leverage asset information across teams: When determining the criticality of assets and the effect of a disruption on the business, reuse the baseline or detailed risk assessments of other teams that already examine risks to confidentiality, integrity and availability, within a common framework.
    • Leverage social media for situational awareness: Social media like Twitter, Facebook, Pinterest, Google+, YouTube, etc., can be used in a positive way for seeking and sharing information that can be used as data in risk management. This data can be correlated to organizational assets, facilities or risks.
    • Leverage a common governance, risk and compliance (GRC) platform with a shared asset inventory, risk and control framework, and nomenclature. Organizations should collect and develop better information and evidence about attack vectors and about the impact actually achieved by adversaries and threat agents, shift security controls to address emerging threat trends, and integrate security tests and exercises with business continuity and disaster recovery programs.

    Technology Solutions for Governance, Risk, Compliance and Business Continuity Convergence

    A common GRC platform with a 360-degree view of risk can provide an ideal base for this convergence. Governance, risk, compliance and business continuity management all come together on a single platform. Common nomenclature and terminology in threat reports are supported by a common policy, impact analysis, risk and control framework, and common processes for incident response and crisis management can be followed. This speeds the organization's ability to react and to avoid incidents and adverse events. Getting the alignment right between reported incidents, crisis management, supply chain risk, security risk and operational risk matters in any organization, and a GRC platform and integrated solution set can provide that repository of critical information from the different perspectives.

    The objective of GRC technology is not just to share a common platform, asset inventory and risk and control framework, but to extend the security nomenclature to cover the work of the business continuity, security and risk teams on a broad platform that spans several functions and supports many stakeholders. The aim is risk intelligence that improves the performance of the organization.

    A BCM solution within an integrated GRC platform helps in managing business continuity requirements, strategies, tests and plans, and in responding to business interruptions. Content packs built around the requirements of ISO 22301 (the International Organization for Standardization's business continuity management standard) can be tailored to an organization's specific needs. Typically, content packs include policies, processes, controls, guidelines, reporting templates, checklists and eLearning, all aligned with ISO 22301.

    An effective BCM solution depends on a strong asset repository, and there is huge flexibility in a GRC platform for bringing in assets and integrating them with configuration management databases and asset inventories. GRC technology takes a risk-based approach to business continuity and provides a comprehensive solution.

    Conclusion

    In short, convergence of the IT security, risk management and business continuity teams is becoming ever more critical to an organization's business performance. These teams share common goals in protecting people, assets and processes, as well as sensitive and regulated information. Working from a common policy, risk and control framework is a foundation stone for a 360-degree view of risk. A common GRC technology supports that framework: it establishes a common nomenclature within threat reports; implements a common policy, a common risk framework (covering operational, IT, security and supply chain risks), and common controls and issue management; and leads to common processes for incident response and crisis management. Properly designed and managed, collaborative teams that converge these functions, supported by the right GRC technology, can be the quintessential triad in risk management.
