
Forrester: Why (and How) Security Must Drive Business Resiliency

Four reasons and eight practical steps for building a better business resiliency program

By Stephanie Balaouras, Forrester Research

November 23, 2008

Business continuity (BC), IT disaster recovery (DR), and information security are essential elements of business resiliency, with the common objective of managing the risks of business disruption. While all three have traditionally operated as separate silos, they follow similar processes: all require business impact analysis and risk assessment processes, and all rely heavily on controls documentation, monitoring, and testing.

Security and risk professionals should apply a common risk-based approach to these disciplines to streamline processes, improve cross-discipline collaboration, and provide a common system of managing risk.

So how should your company leverage common best practices, processes, and tools across these disciplines to improve business resiliency? One way is to make the same senior executive ultimately accountable for the success of all of them.

Today, at least 66 percent of security decision-makers are already either primarily or completely responsible for BC/DR. They may be responsible for both BC and IT DR or only IT DR, but it's clear that as companies seek to institutionalize these disciplines, they are turning to senior security executives for leadership.

But running a companywide security program is difficult enough. Why would security professionals want to raise their hands to take on BC and IT DR as well?

  • Security standards recognize information availability as a responsibility. Information security professionals have always considered themselves responsible for preserving not only the confidentiality and integrity of information, but also the availability of information.
  • CISOs, CSOs or other head security officers have the skills to institutionalize these programs under the security umbrella. Successful BC and IT DR programs require the skills that a successful security leader already has.
  • If it's not your responsibility today, someone will ask you to do it in the future. As companies begin to establish these programs, they must determine who in the organization can take on these responsibilities. Forrester has seen the following executives assigned the responsibility: the CIO or the CISO (the most common), a dedicated risk manager (typical in large financial services firms), or the COO or CFO (this is the least common).
  • It's an opportunity to make the security program more strategic. The tasks associated with executing security policies such as software patching and application security are increasingly being automated through tools, then managed and monitored by the IT operations team. This allows the CISO to focus on more strategic business and IT priorities. In addition, both BC and IT DR require the input and collaboration of multiple groups, including business owners, application owners, legal, HR, facilities, and IT. This gives the CISO the opportunity to increase their exposure and relevance to non-IT audiences.
