I had this conversation a decade ago, and I remarked that business continuity is NOT information security (IS) or IT security, as cybersecurity was then called. At the time, the issue was more closely related to IT disaster recovery planning. Having said that, the world has since evolved and moved on, primarily because of the proliferation of IT usage and our heavy dependency on it. Hence, it is time I revisit this remark, taking into account the numerous changes that have taken place over the last decade.
Cybersecurity as a top threat to business continuity
Recent surveys conducted over the last two years have rated cyber-attacks as the top threat to business continuity, the most prominent case being Sony. This leads both BCM and IS professionals to question: are BCM and cybersecurity related? If so, how are they related?
Before any IS or BCM professional takes a position, it is important to consider your own background and prior experience, or in academic terms your “world view”. Do you have strong IT or IS experience, or are you a physical security or facility person designated to manage BCM? The latter will say it is not part of his or her responsibility, as there is a constraint in terms of IS competency. However, the IT- or IS-literate person may agree that BCM is part of cybersecurity because of his or her deep knowledge of IT and IT security.
Cybersecurity: Is it just about technology or is it truly part of business continuity?
I recently read Paul Kirvan’s discussion on Search Disaster Recovery regarding the integration of cybersecurity practices into a BCM program. Paul explained why the BCM program should be part of the information security and corporate cybersecurity strategies. Immediately after the comment was posted, a rebuttal arose. The argument was that the discussion creates artificial distinctions between “cyber security” and “business continuity” and that this demarcation does not help. My observation is, first, to take a close look at how the organization views its overall resilience framework. We need to understand how the organization is structured to operate effectively under the respective functional roles such as IT, IS and BCM. It is always an “organizational structure issue” when it comes to “whose roles and responsibilities are they?”
When Does a Cybersecurity Incident Become a Business Continuity Issue?
One may think that cybersecurity is strictly the jurisdiction of the IS unit. From a technical perspective, the IS specialist will provide the initial response to resolve a security breach. However, should the breach result in an operational disruption that prevents the business from functioning normally, the emphasis may need to shift to business continuity.
NIST Framework Can Help Business Continuity Professionals Prepare for Cyber Attacks
Recently, NIST released its framework (exactly a year ago, to be precise). Though it is not similar to the ISO 22301 BCM standard and hence cannot be complied with, it made a significant change in approach whereby the concept of recovery is included as a necessary process. Even though it is not auditable, the strength of this framework is that it gets the various interested parties to come together to view the challenges and to develop a holistic, standard approach across the different functional groups and industries.
One of the key features of a business continuity life cycle or execution process is to understand the six “Rs”: Reduce, Response, Recover, Resume, Restore and Return (Home). NIST’s framework is tied to BCM’s “recovery” process. This is where business continuity and disaster recovery professionals are involved in any cybersecurity incident. As most cybersecurity threats that cannot be prevented tend to fall into the “recovery” stage, it becomes critical to understand how to manage such disruptions. If the disruption is to the business, this calls for the right BCM skillset and knowledge to assure the continuity of the mission-critical functions or processes affected by the cyber disruption.
Change of Mind toward Cybersecurity
I started this discussion with my earlier position that BCM does not have a role to play in cybersecurity unless the critical business functions or processes are disrupted. I will now add that organizations have to re-examine their entire framework so as to ensure the resiliency not only of their IT systems but also of the entire business. I can only conclude by saying: “When the mission-critical functions are disrupted, the entire organization is disrupted, and it does not matter who is solely responsible.” The key is to get all the IT, IS, DR and BCM teams to work together to prevent it from happening and, if it happens, to ensure that the business continues regardless of the disruption. It is all about working as a team.
About the Author
Dr Goh Moh Heng is the President of BCM Institute and the Managing Director of GMH Continuity Architects – a specialized BCM consulting firm. His primary areas of expertise include Business Continuity Management (BCM), Disaster Recovery Planning (DRP), ISO 22301 BCM Audit and Crisis Management. Since 2011, Moh Heng has assisted more than 20 organizations, particularly those operating in the Asia Pacific and Middle East region, in the successful implementation of their Business Continuity Management System (BCMS) and in achieving their BS 25999 / SS 540 / ISO 22301 organization certification. Prior to establishing BCM Institute and GMH BCM Consulting, Dr Goh held senior positions with a number of large organizations. During his career with the Government of Singapore Investment Corporation (GIC), he was responsible for all aspects of its BC and contingency planning. At Standard Chartered Bank, he saw to the global implementation of its BC management and planning. He also managed the BCM practice at PricewaterhouseCoopers.
Currently, Dr Goh is the senior advisor to the China BCM Forum, a quasi-government agency responsible for BCM throughout China, an expert panel member of the Asia-Pacific Economic Cooperation (APEC) Network on Improving SME Disaster Resilience (since 2011), and a member of the JICA-ASEAN study to enhance the resiliency of industrial areas against natural disasters (since 2012). He holds a PhD and has also been awarded the highest level of certification from the three major business continuity management institutes. He is the author of nine business continuity management books. Dr Goh was instrumental in creating the first wiki for BC, www.BCMpedia.org.