Maintaining IT and Business Resilience Amid Economic Uncertainty
Business conversations around resilience usually refer to financial resilience or balance sheet strength. But when speaking about IT resilience, it’s important to understand exactly what it is and why it is crucial to maintain amid an economic downturn.
Security and resiliency are related concepts, but they’re not the same. Cybersecurity is more functional and involves protecting things like data, applications, and key infrastructure. Resilience is transformational and enables companies to bounce back when disaster strikes. It’s about developing people, processes, technology, and budget frameworks to withstand systemic shock to the business so that you can continue to do business and serve customers, partners, and employees.
As it relates to IT, resilience is an organization’s ability to remain operational even when standard cybersecurity measures fail. IT resilience doesn’t focus on putting out small fires. Rather, it focuses on larger risks that could plague organizations in the long run. For example, a team that lacks resilience might not train non-technical workers on security awareness, or might not have an efficient process for patching software; both of these gaps are major causes of cyberattacks.
Building resilience requires IT leaders to develop a foundational understanding of the business: how it drives revenue and serves customers. With an understanding of the business drivers, you can prioritize the most critical talent, technology, operations, supplies, and processes, and invest in preparedness.
What should be top-of-mind for security teams amid fluctuating market conditions?
Again, it comes back to understanding your business drivers — how your business makes money and serves its stakeholders. Even something as basic as keeping the lights on is critical to running the business.
This requires pragmatic leadership that emphasizes a tiered service catalog based on strategy versus an all-or-nothing approach. A one-year, five-year, and 10-year business roadmap is a simple framework for organizing long- and short-term goals. With each goal, figure out where IT ties in and how you can create value across departments. Infosec should be seen as a business enabler — educate teams and map infosec investment to business outcomes.
Once your department has a roadmap, you’ll know which technologies and services are critical, and which might be taking up unnecessary space in your department’s budget.
Finally, changing market conditions do not have to be a time for IT to sit back and be a cost center; they can be a time for IT to become a revenue driver. So, leverage the downturn to find specific areas to innovate and emerge stronger.
What should organizations do in times of budget tightening when it comes to cybersecurity? And how can IT teams maintain best-in-class security standards while staying within budget?
The human element continues to be a challenge for IT security leaders. Those who managed to get their hands on top talent soon realized that it was short-lived. IT security professionals have a high turnover rate, with the average CISO lasting less than three years, and perhaps less for a junior staffer.
Top-tier security talent is not only short-lived, but expensive. Of course, a CIO must manage toward different outcomes and add talent where necessary. But to make room for leaner times, talent is a critical area for assessment. When possible, IT leaders should hire less-experienced personnel who can learn alongside senior staff — and they might bring interesting new perspectives.
Additionally, IT leaders can look within rather than invest in outside talent. Adopt a cross-departmental approach and create a feedback loop that continuously provides information on risks. By proactively coordinating with marketing, finance, product teams, and others, businesses can promote proper cyber hygiene and develop a security-focused culture.
Where can organizations look to cut down on technology/security costs? What mistakes do business leaders typically make when trying to cut costs?
The most effective security investments tend to eliminate threats before they arise. Knowing that no system is fully secure, IT security teams tend to overinvest in detection tools and software when, in reality, these tools often just add complexity.
So the question is not whether there is waste, but rather how much. What tools have long sat on the shelf or been underutilized? Start with an audit of the tools in your arsenal to tell you what has been providing value and what has been collecting dust.
Then focus on shoring up your software security. IT should proactively work with software teams to create a continuous feedback loop and ensure high-grade security. With every company turning into a SaaS company of some form, security needs to adapt to be embedded in the software, and that starts with better collaboration.
Lastly, I would argue a lot of information security mistakes stem from a failure to understand your most critical assets and data. Not all data is created equal, so part of allocating resources effectively is not just knowing the types of security systems you will need but where to deploy them. Here, it’s best practice to create a tiered framework that stratifies the business from most to least critical in the areas of talent, technology, operations, suppliers, and processes.
BRCCI – Business Resilience Certification Consortium International (www.brcci.org)
We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:
1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one Business Continuity Planning and Management Training and Certification course designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.
3. 2-day CBRA (Certified Business Resilience Auditor) provides 2 days of intensive Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality, and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with current industry best practices and standards, including:
- ISO 22301: Business Continuity Management Systems – Requirements
- NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
- ITIL: Information Technology Infrastructure Library
For information on the above programs, please contact BRCCI (www.brcci.org, 1-888-962-7224).