How to Leverage Business Continuity for Security
CISOs: Use Business Impact Reports To Prioritize Risk
There are a few themes we see emerging for security professionals, especially those leading the charge, (we’re talking to you, CISO). One theme is that operating a more risk-aware security organization requires an understanding of what to prioritize. A related theme is: How do you actually prioritize security risks based on how it will impact the organization as a whole (rather than only in IT)?
To arrive at this place, a security leader needs to have an understanding of all the business functions of all the departments. Beyond the functions, CISOs need to have a handle on the impact of security events on the systems of those business units.
In a large, global company, this is no small task.
The Solution? Find Reporting Tools Already In Use
Reach across disciplines and find those groups that are already capturing this kind of impact information, and leverage the hell out of it.
With more and more emphasis on business metrics in security contexts, it can be very challenging for security pros to get their heads around how to begin the prioritization process. An excellent article by Tony Martin-Vegue, Sr. Manager, Cyber-Crime & Business Continuity, at mega-clothing retailer, Gap Inc., offers some insightful advice. Martin-Vegue writes:
Most medium-to-large companies have a separate department dedicated to Business Continuity… [O]ne of the core functions of these departments is to perform a business impact analysis on critical business functions. For example, the core business functions of the Accounting department are analyzed. Continuity requirements are identified along with impact to the company. Many factors are considered, including financial, revenue stream, employee and legal/regulatory impact.
A compounding issue, however, is actually identifying all the risk in an organization given the rise of shadow IT where business units begin using third party systems, such as SaaS or cloud applications, to enable some business need they have identified. Security teams are likely not going to be shutting these operations down in 2015, but will have to find ways to make them less risky to the organization.
CISOs will need to work closely with business continuity professionals to discover and audit those kind of rogue systems, and to understand their impact in a security context. This will certainly help CISOs who now have more attention with executive boards than they ever have had before.