CISOs Must Act As The Glue Between BC, DR, And Security

During the past three years, you may have noticed that security and risk professionals have added a new term to their lexicon: business resiliency. Is this just an attempt by vendors to rebrand business continuity (BC) and IT disaster recovery (DR), in much the same way that vendors rebranded information security as cybersecurity to make it seem sexier and to sell more of their existing products? Some of it certainly is rebranding. However, just as the shift in the threat landscape from lone hackers to well-funded crime syndicates and state-sponsored agents precipitated the use of the term cybersecurity, a real shift has also taken place in BC/DR.

If you look up the term “resiliency” in the dictionary, it’s defined as “an occurrence of rebounding or springing back”. Thus, business resiliency refers to the ability of a business to spring back from a disruption to its operations. Historically, BC/DR focused on the ability of the business to recover from a disruption. Recovery implies that there was in fact a disruption: for some period of time, business operations were unavailable, and there was downtime as the business strove to recover. Resiliency, on the other hand, implies that an event may have affected the business’ operations, and the business may have operated in a diminished state for some period of time, but operations were never completely unavailable; the business was never down.

BC/DR also historically focused on events such as natural disasters, extreme weather, major IT failures, critical infrastructure failures, pandemics/epidemics, etc.: events that have a low probability of occurrence but a very high impact on the business. However, in today’s world of global, 24x7 operations and intense competition, downtime, regardless of whether it’s caused by a natural disaster, a simple hard drive failure or a security breach, is unacceptable. The business doesn’t care what caused the downtime; it wants service restored, and it doesn’t care who does it.

Unfortunately, most enterprises treat BC, DR and security as separate silos. BC often reports outside of IT into the COO, CRO or some other executive, while the VP of IT Operations is in charge of DR and the CISO or equivalent is obviously responsible for denial of service attacks, security breaches, data leaks, etc. But who ensures that during a security breach, IT operations doesn’t accidentally destroy forensic evidence when they recover systems? Who ensures that there is an appropriate crisis management plan in place, or that the business notifies the appropriate government agencies when the Security team discovers a breach? Who ensures that employees adhere to corporate security policies no matter where the business has shifted operations?

The truth is that BC, DR and security, while separate disciplines that require specialized expertise and their own well-documented response plans, also have a lot in common. They use common processes (business impact analysis, risk assessments) that could be combined, they have important points of integration (joint testing, links between response plans, etc.), and they all require that availability and security be embedded into enterprise architecture, not treated as bolt-ons after applications and systems are already in production. I believe that CISOs, because of their growing focus on broader information and IT risks, are best suited to act as the glue between these silos. And the more these silos come together, the more an organization can achieve business resiliency: the ability to spring back from ANY kind of disruption in a coordinated fashion.

If you have thoughts on business resiliency and the role of the CISO, I hope you'll reach out for a one-on-one chat at our upcoming Security Forums in Las Vegas and Paris, and/or drop me a note in the comments or on Twitter. You can track and contribute to the Security Forum using the #FSF12 (Las Vegas) and #SFE12 (Paris) hashtags.


CISOs need to focus on

CISOs need to focus on breach prevention, deterrence, and detection. Business Continuity would be the higher-level umbrella of the organization. The crisis committee should include the CISO. The CISO has a lot of responsibilities, but the BC team should be ensuring that the CISO is covering the risk to the business. Info Sec seems to be trying to branch out way past their area of responsibility in the environment. InfoSec contingency and DR plans are BC plans with commonly known names, but are still the responsibility of the BC owner. Authority can be delegated, but responsibility can't be delegated.

Bobby Williams, MBCP

It's the business asking the CISO to do more

Bobby, thanks for your comment. As someone who has more of a BC background, I would normally have agreed with your point. However, in the 2.5 years that I've been the research director of Forrester's Security & Risk team, I've seen CISOs take on more and more responsibility, everything from fraud management to records management and business continuity. According to our 2011 Forrsights Security Survey, 50% of security leaders say they are mostly or fully responsible for BC/DR.

But it's not the CISOs who are asking for more responsibility; it's the business asking them to take on more responsibility. I find that many CISOs who have a predominantly technical background are struggling in their expanded role, and as a result, many of them are focusing on advanced degrees in business, not computer science or engineering. And I've found that when the business has an opportunity to hire a new CISO, they are now hiring someone who has more of a business and risk background. You don't need to be the security expert to be the CISO; you can rely on the expertise of your security architects. One other interesting stat: 45% of CISOs no longer report into IT; they report into the CEO, the board, the CRO, etc. It's also not unusual to find that some CISOs have to report to the board 4 or more times per year.

When you think of the CISO today, you have to think of an individual who is completely different from the CISO of five years ago, or even just three years ago.

First, let me say that I am

First, let me say that I am not picking a fight about this. That being said, I say "shame on CEOs for loading those tasks on the CISO". Organizations need checks and balances. Yes, there are companies that burden the overachiever with things that belong somewhere else. The checks and balances get lost when BC, DR, risk management, records management, et al. get lumped under the CISO.

I can understand why BC would/could align under risk management. It may fight the org chart or the culture. It can fit in the RM organization just fine. However, BC should never, never, never be under the IT organization. It is laziness (or cheapness) that puts it there.

To say that some companies are putting these functions under the CISO and then calling that "the norm" is very dangerous. Report/document that as the oddity, not the glue holding BC together. There are companies that have the "at the time of disaster" strategy. TOD is a valid strategy, but not a very good one. It should be an oddity to have it in place, but the quantities don't make it the "glue".

I would never deny that there are CISOs in charge of things that were never intended to be under the CISO. Don't let trends change principles. As we see from the political arena, when we shortchange the checks and balances we get horrendous results that are sometimes impossible to correct.

Don't let companies take the cheap route out by putting very critical business processes in places where they don't belong. When they find out the error of their ways, it will probably be too late to recover from it.