What does the title imply?
In late 2013, the data breach at the retailer Target illustrated that being compliant with the Payment Card Industry Data Security Standard (PCI DSS) was not the same as being secure. Now both Target and their security advisor, Trustwave, are facing legal action over the breach.
What does this tell us? That if you seek merely to become “compliant” to any standard or set of guidelines you are preparing to fail. Compliance should be but one of the outcomes of ensuring that business processes and information systems are secure and resilient. This approach requires that cyber security, information assurance and business continuity are all addressed together, in harmony, for the benefit of the organisation, and to:
- secure executive buy-in;
- deliver effective implementation;
- improve organisational resilience; and
- effectively embed security, resilience and continuity in the organisation’s mindset.
We live and work in an era of interconnectedness and high levels of dependence on technology, where the secure and efficient operation of information systems is crucial to organisational success, almost regardless of the field of endeavour the organisation is involved in. Resilience for the organisation depends upon many factors, some human, some process-related and some technological. Security of information, systems, networks and the organisation as a whole has the same dependencies. It is therefore incumbent on decision-makers and decision-implementers to ensure that no action taken to protect the resilience or continuity of the business is undermined or damaged by actions taken to secure it, and vice versa.
There is increasing competition for resources and every penny or cent spent on matters not directly related to service delivery or income generation must demonstrate its worth more robustly than ever before. Public and private sector organisations have long struggled with the problem of showing clear and unambiguous evidence that addressing security, business continuity and technology requirements delivers the returns on investment required by owners and other stakeholders. As an industry (and I include both business continuity and information security in this) we have for too long focussed on “avoiding the downside” in preparing business cases for executive approval.
You will all be familiar with the phrase “if we don’t do this, bad things could happen” – my contention, proven over many years of practical experience, is that unless we can show tangible, measurable business benefit from investment in security, resilience and continuity, our work will continue to be seen more as a necessary evil than a true enabler of success. We must show that investing in cyber security and business continuity will enhance the bottom line, improve corporate reputation, help retain talented people and attract customers through improved service levels.
The case we need to make to decision-makers is: “if we do this, good things WILL happen.” By “this”, I mean effective investment in security, resilience and continuity. By “effective investment”, I mean investment that tangibly and measurably improves organisational performance in ways that are meaningful to owners, leaders and other stakeholders.
In this paper, I will outline, using real-world examples, how:
- strategies for crisis management, security, resilience and continuity should and can be aligned to the strategy of the organisation;
- critical success factors and key performance indicators for improvement programmes addressing security, resilience and continuity should and can be derived from those for the organisation as a whole;
- projects, tasks and deliverables within the scope of a continuous improvement programme should and can be shaped to deliver results rather than outputs.
I have been attending meetings, seminars and conferences on risk management, business continuity and cyber security since the late 1990s. One of the common themes has always been the need to secure effective executive engagement in order to obtain the necessary investment funds and ongoing support. One of the complaints I have heard most frequently is “they just don’t get it”, or words to that effect.
Sorry to say this, but I was taught many years ago that in any communication, responsibility for getting the message across lies with the communicator not the audience. So what have we been getting wrong? My experience in both public and private sector organisations, is that, as a profession, we have a tendency to use “our” language rather than “theirs”. We talk in terms of recovery time objectives, recovery point objectives, advanced persistent threats, malware, intrusion detection and so on when we should be talking about protecting and enhancing corporate reputation, delivering return on investment and being able to cope with the unexpected when it occurs, as well as continuing to run the business. It is no wonder that our audiences sometimes lose patience with us.
When I was just starting out in this field, I was full of the passion and enthusiasm of youth. I loved my new found “expertise” and could not understand why everyone was not just as enthusiastic. A very kind and patient customer took me for a cup of coffee one day and said, “Son, I admire your energy and enthusiasm but you’re being a pain in everyone’s backside. Remember that if you are to be successful, we need to not only be successful but also we need to feel successful. Stop trying to do this TO us, understand what we need to achieve and how what you advise can help us to achieve our goals. Do this, and you will shine. Fail to do this and you won’t last another week.” It was the best advice I ever had.
Over the past few months, I have been working with a small software company that provides online services to the automotive trade, connecting potential customers attracted by marketing campaigns to their local dealership and then ensuring that those leads are followed up. One of their customers, one of the world’s leading luxury car brands, required the software vendor to provide evidence of business continuity management (compliant with BS 25999) and information security management (compliant with ISO 27001). The company had made a solid start but needed help getting the work completed on time without disrupting their business. Working closely with the Managing Director and Head of Technology, I helped them to complete the necessary policy documents and plans, staff briefings and the evidence that their customer’s auditor would need to see. We focused very closely on ensuring that policies, plans and procedures were appropriate for a company of 12 employees on a rapid growth curve. We implemented simple but effective monitoring systems to ensure that future audits would not require excessive effort on the company’s part in collating evidence, and each policy was required to make a positive and measurable difference to the performance of every business process it touched. The auditor concluded that not only was the company compliant with the relevant standards but that its information security and business continuity regime was better than any he had seen in a small to medium-sized business in more than 25 years of conducting such assessments.
Imagine a world in which there are no fines or other penalties for failing to ensure business continuity or cyber security – that customers and other stakeholders do not care about these issues and are happy to accept the risk that their personal or payment card data might be stolen and theft of intellectual property is considered a reasonable and fair business practice…
Now that we have effectively removed the negative drivers for cyber security and business continuity investment, how do we make the case that it is in the organisation’s own best interest not only to make those necessary investments, but also to make the fact of those investments a positive marketing and public relations message?
We need to understand what the organisation measures in terms of its own performance and what levels of performance are considered “adequate”, “good” and “excellent”. We can safely assume that anything below “adequate” will be unacceptable. It is these measures, and only these, that we need to embrace and use to demonstrate the impact of the investments we are asking the organisation (whether our employer or our customer) to make.
Once we understand the ways in which performance is to be measured, it becomes possible to design programmes for introducing or enhancing cyber security and business continuity that seek to make a positive difference to the performance of the organisation as a whole. This approach is about delivering improved security and improved continuity and resilience as components of wider business improvements, rather than as discrete objectives. You would not, I would argue, wish to build a house and then, when the structure is complete, seek to secure it and make it resilient against the weather. These issues need to be addressed as part of wider business performance improvement and transformation goals, and need to be addressed at the very outset… the results will be more effective, more efficient and more measurable. The resulting business processes will be better performing, more secure and better able to adapt in response to the pace of change in the world around us.
I took this approach with a pharmaceutical company, which researches, develops, tests, manufactures and distributes powerful analgesic medicines. Each business function had agreed performance measures; so when designing the programme, we agreed the levels of improvement that were required with each metric. We also set goals relating to business continuity and cyber security based on an assessment of the criticality of each business function to short-, medium- and long-term performance of the business as a whole. The programme lasted 12 months and each area of the business showed improvements in performance that more than paid for the costs of the programme. I believe this is the way all such programmes should be designed and managed.
Collaboration across specialist boundaries, especially those of crisis management, information security, business continuity and organisational resilience, is vital to delivering what our customers, employers and investors require. As security and continuity professionals, we can add value; indeed we must add value.
My experience, in private companies large and small and across a range of public sector organisations, is that most people are proud of what they do and for whom they do it. Few, if any, want to come to work to do a bad job or to let their customers or colleagues down. As internal or external consultants we must make it a priority to keep this in mind and respect those we work with as being best placed to make the changes we believe to be required. But we must also bear in mind that those changes will only be implemented effectively if the people who have to do the work recognise that making the change will improve their ability to be effective. Be the navigator not the tyrant; encourage debate and never assume you have all the answers – after all, tomorrow might be full of surprises.
I hope the contents of this paper will have shown you not only that business continuity and cyber security are a good fit, but that they are intrinsically linked both with each other and with other disciplines such as strategic planning, corporate risk management and delivering return on investment. Ignore these connections at your peril; embrace them and success will follow.
Note: throughout this paper, by way of shorthand, I use the term “cyber security” to mean cyber security and information assurance.
Paper: BCIME14 – OOConnor – Paper
This year I shall be presenting at the inaugural BCI Middle East Conference on the relationship between Cyber Security and Business Continuity. After the event I shall post the paper and presentation here.
For more information and to register to attend: http://www.thebci.org/index.php/upcomingevents/bci-middle-east-conference