With cyber attacks getting more sophisticated and cyber security incidents becoming a question of ‘when’ rather than ‘if,’ being a CISO has never been more challenging, and surviving as a CISO is harder still.
For CISOs still fine-tuning their approach to cyber security, it’s not just the constant threat of costing the organization money that keeps them up at night. It’s the fear that even after doing everything feasible to mitigate cyber security risk, something will inevitably fall through the cracks and result in severe consequences: the business shutting down, the company facing negative financial repercussions, a swift attacker getting through the preventative controls, an employee accidentally opening the organization up to risk, or a cyber security program not getting the traction it needs to be fully successful.
The first of these fears, that a failure of foresight can be the reason the organization’s lights go out, is the one that haunts many CISOs. No CISO can meet the impossible standard of foreseeing every incident, so there is always a chance that one day an unforeseen incident will disrupt the business, and when that happens, severe job consequences become a very real possibility. Two key risks that can cause an interruption to business operations are:
1) A comprehensive business continuity plan couldn’t be developed
2) The business continuity plan could be improved
Business Continuity: Wrangling the Expansive Scope
With tens of thousands of new viruses on the internet every day, CISOs understand that they need to develop a business continuity plan to anticipate an attack that could interrupt their companies’ operations. But for some CISOs, the complexities of business continuity need to be further clarified to create a proper business continuity plan.
Many CISOs face challenges understanding the full scope of the difference between business continuity and disaster recovery.
ISACA, an independent association of IT governance professionals, advises that business continuity is defined as “how a business should plan for continuing in case of a disaster,” while disaster recovery refers to “how the IT (information technology) should recover in case of a disaster.” In other words, disaster recovery is a small component within business continuity. Even if an organization has a plan for how to restore email quickly, if it doesn’t also have a communication plan informing its staff to use their phones in the interim, the organization will ultimately end up with the same result: lost time and money due to a lack of planning and effective communication procedures. Simply put, a disaster recovery plan is not a substitute for a business continuity plan.
Many CISOs who run lean organizations underestimate the importance of business continuity.
Some CISOs may think, “Well, I have a fairly streamlined shop with a minimalist set-up and most if not all of our data is in the cloud, so I don’t need to worry too much about business continuity.” However, as most CISOs understand, there are risks when a business makes use of a cloud service provider to handle critical business operations. Specifically, the organization still faces the risk of being rendered inoperable in the event that a major security incident hits the service provider. However, in some cases, outsourcing can create a sense of invincibility at worst, or offloading of accountability at best.
While cloud providers in many cases are able to recover from incidents faster than if the company had not outsourced this function, it is still worth remembering that cloud providers are not immune from attack. In 2016, the Mirai botnet conducted a DDoS attack against the Dyn DNS service, causing companies that relied on the Dyn DNS system to be inaccessible from the public internet and to face technical difficulties for several hours. In a scenario like this one, it’s important to build in controls to check on the security posture of the third-party provider.
While there are advantages to outsourcing to cloud providers, most CISOs use providers cautiously and with the correct set of controls in place, because outsourcing this function introduces different variables and conditions that must be taken into consideration and that require vigilance to protect against potential threats.
Signs of a Failing BCP: Lack of Awareness and Data Loss
CISOs make business continuity plans but don’t have the bandwidth or resources to progress their efforts.
At some point, every motivated CISO has attended a cyber security conference or prepared for an audit or third-party assessment, and that was the moment a Business Continuity Plan was drafted. The stakeholders sat in a room and outlined the series of events that should take place to minimize disruption to the company’s operations. The CISO took cyber security preparedness by the horns and made meaningful progress.
The problem is that after this initial success there was a resting period between that audit and the next one, or between that management meeting and the next one, and the business continuity policy and plan sat in a folder somewhere – understandably, because the CISO was swamped putting out the daily security fires and focusing on higher priority items.
It’s this situation that explains why many organizations have business continuity plans (BCPs) in place that are not well-known throughout the organization. Carrying the initial efforts to create a plan through to implementation is no easy task in a world where hackers don’t take vacations. The resulting employee unawareness of the business continuity plan, coupled with employees having to operate on an unfamiliar alternate structure until systems are back up, can cause interruptions to the business, even for companies that have crafted a mature cyber security program.
CISOs make a business continuity plan and later find that it could use improvement.
The most difficult challenge occurs after a business continuity plan is up and running fully. Imagine a scenario where a CISO encounters a severe security incident that results in data loss.
Without getting into the financial and reputational repercussions, which can often paralyze business operations, the complete loss of data alone is a threat that can shut down business operations. Given that, according to BreachLevelIndex.com, 554 million records were lost or stolen in just the first half of 2016, it follows that a decent number of CISOs have been prompted to improve and update their business continuity plans as a result of an unanticipated risk.
So what are some measures that CISOs can double-check to ensure they are creating a business continuity plan that measures up to the rest of their security practices?
- Re-evaluate the organization’s business continuity plan to ensure that its scope is broader than just disaster recovery. Check for important components like defining the recovery point objective (RPO) and recovery time objective (RTO), identifying key stakeholders and their responsibilities, providing communication procedures, and establishing alternative operating protocols.
- Check for business continuity controls that match the organization’s streamlined IT set-up. Take the time to think through every critical asset within the organization, how robust each asset is, and if continuity is ensured. For third-party cloud service providers, take the time to understand how and to what extent those providers guarantee uptime.
- Check that the organization’s business continuity plan goes beyond being compliant. As many CISOs know, compliance is a product of regulators and industry bodies alerting companies that everyone is behind and putting customers, consumers, and other businesses at risk. It’s often not enough to provide sufficient security, and with the increasing patchwork of regulations, trying to check boxes winds up more burdensome than setting up meaningful security that can be explained across standards to whatever outside party (or board) is asking.
- Conduct Business Continuity Plan Testing. Whether the choice is to perform a scenario test, a walk-through, a series of bubble-tests, or something else, develop an annual plan that incorporates testing of the plan itself.
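The first two checks above (RPO/RTO definitions, and understanding to what extent a cloud provider guarantees uptime) can be turned into a simple gap analysis over the critical-asset inventory. The following is an added example, not code from the original post; the asset inventory and SLA figures are constructed, and the provider SLA is treated as an annual uptime percentage.

```python
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 365 * 24  # 8760; leap years ignored for this estimate


@dataclass
class CriticalAsset:
    name: str
    rto_hours: float              # maximum tolerable outage
    rpo_hours: float              # maximum tolerable window of lost data
    backup_interval_hours: float  # how often a restorable copy is taken
    provider_sla_pct: float       # e.g. 99.9 for a "three nines" SLA; 100.0 if in-house


def sla_max_downtime_hours(sla_pct: float, period_hours: float = HOURS_PER_YEAR) -> float:
    """Downtime per period that an uptime SLA still permits (99.9% -> 8.76 h/year)."""
    return (100.0 - sla_pct) / 100.0 * period_hours


def evaluate(asset: CriticalAsset) -> List[str]:
    """Return continuity gaps for one asset; an empty list means no gap found."""
    findings = []
    # RPO gap: you cannot lose less data than the time elapsed since the last backup.
    if asset.backup_interval_hours > asset.rpo_hours:
        findings.append(f"{asset.name}: backup interval {asset.backup_interval_hours}h "
                        f"exceeds RPO {asset.rpo_hours}h")
    # RTO gap: if the SLA alone permits an outage longer than the RTO, the provider's
    # promise is not a continuity control and an alternate operating procedure is needed.
    allowed = sla_max_downtime_hours(asset.provider_sla_pct)
    if allowed > asset.rto_hours:
        findings.append(f"{asset.name}: SLA {asset.provider_sla_pct}% permits {allowed:.2f}h/year "
                        f"downtime, more than RTO {asset.rto_hours}h; define an alternate procedure")
    return findings


def gap_report(inventory: List[CriticalAsset]) -> List[str]:
    return [finding for asset in inventory for finding in evaluate(asset)]


# Constructed sample inventory (hypothetical assets, not from the original post).
SAMPLE_INVENTORY = [
    CriticalAsset("customer-db", rto_hours=4, rpo_hours=1, backup_interval_hours=24, provider_sla_pct=99.9),
    CriticalAsset("email", rto_hours=24, rpo_hours=24, backup_interval_hours=12, provider_sla_pct=99.9),
    CriticalAsset("public-dns", rto_hours=0.5, rpo_hours=24, backup_interval_hours=24, provider_sla_pct=99.99),
]

if __name__ == "__main__":
    for line in gap_report(SAMPLE_INVENTORY):
        print(line)
```

Even a 99.99% DNS provider SLA leaves room for more downtime in a year than a 30-minute RTO tolerates, which is the kind of gap an outage like the Dyn incident exposes.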