The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600, 70% of respondents said that it did not, or only somewhat, influenced BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening, it’s clear that unless compelled to do so, most BC professional would not adopt or follow a BCM standard.
Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:
They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
I just love the theme of our upcoming Forrester Security Forum (Las Vegas in May, and Paris in June -- check out Laura Koetzle's definitive blog post). Leapfrog Your Global Competition. Rethink Security; Run At The Threat. There's never been a better time to take a deep breath and rethink how security can contribute to business savvy and agility. The "Zero Trust Identity" report I'd telegraphed in my previous post on API access control is now out, and it's consonant with this theme. I found that if enterprises want to be nimble and secure in getting value out of mobile, cloud, and consumerization trends, they're going to have to get over some bad "unextended enterprise" habits, such as tight coupling to authentication functions.
In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I’ve found that many organizations:
Don’t appreciate the importance of effective communication. Many organizations focus the content of their BC plans and the goals of their BC exercises on the details of recovery procedures but don’t focus on how they will contact and coordinate response teams, employees, partners, first responders and customers. If you can’t communicate, you can’t respond to anything.
Rely on manual procedures like call lists or email alone. By themselves, manual procedures are unreliable, they don’t scale for organizations with thousands of employees (or citizens) and they don’t provide any kind of reporting.
Underestimate the difficulty of communicating effectively under stress. During the incident is not the time to attempt to craft effective communication messages or look for a secondary mode of communication because your first mode of communication (land lines and email) is no longer available.
Calculating the cost of a data breach should be a part of every organization’s information security risk management strategy. It’s not an easy task by any means, but making efforts to do so upfront — as opposed to after a breach, when calculating cost is the last thing on the to-do list! — for your organization can help to assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control such as:
In-house time and labor (IT, legal, PR, incident response, call center, etc)
New technologies or services implemented as a result of the breach to change or repair systems
External consultants or services for incident response
Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we’ve seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.
This isn’t to say MSSPs all currently offer the same services with the same level of quality – not by a long shot. Selecting the right provider still means that you must understand your needs and the areas you feel they can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but has unique strengths in certain security areas and use different deployment methods to bring their offerings to bear.
At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we’ll see significant changes over the next couple of years for three primary reasons:
We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior. One thing is clear: companies don't even *know* what kind of security (SIM, data, identity, email, etc.) information they should be inspecting to detect security threats and where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies - and when they see any changes to normal patterns, understand whether they should send a guy with a gun or a guy with a wrench. In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.
One of the highest-stakes parts of my job as the leader of our Security & Risk business is the in-depth business review that I present to Forrester’s executive team twice a year. And I always start those presentations with a single slide in which I attempt to capture the Security & Risk profession in as few words as possible. My current formulation is: “We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely.”
Our CEO, George F. Colony, sat bolt upright and said, “Wow – I didn’t know that CISOs saw their roles in such business-centric terms!” To which I replied, “And that’s exactly the problem. Strong CISOs are generally all action and very little talk – they put the brand and business opportunity at the center of everything they do, but they don’t brag about it. And thus they don’t get the recognition they deserve.”
And my team and I are on a mission to help you change that. Because we know that a strong security & risk program can be a competitive differentiator. We can help our businesses win on the global stage by enabling our firms to accept more (and different!) risks than others can afford. Rethinking your security assumptions and your security infrastructure means that you will have the skills, processes, and tools your business needs to seize new opportunities. So now you just have to get the word out that you can help.