Since this is my first posting, I’m going to set the tone for my future comments and opinions about business continuity, how it fits into an overall security program. I might be a little unusual, but I get pretty excited when talking and writing about data and system availability assurance. So let’s jump right in.Most security professionals are familiar with the CIA triad of security—confidentiality, integrity, and availability. Confidentiality and integrity seem to get most, if not all, the attention. Because loss of availability doesn’t usually cause the same journalistic frenzy, it is often pushed to the bottom of the IT priorities list. But business continuity isn’t just an IT issue.During my years of dealing with disaster recovery and business continuity issues, I concluded that IT is typically much better at paying attention to at least catastrophic event planning than the business users. Management teams outside the IS department see DR and business continuity management (BCM) as an “IS problem.” Little attention is paid to DR outside of ensuring there is a hot site contract in place, to be dusted off during the annual audit. In my opinion, security managers must assume leadership of BCM. Like other security controls, it’s up to the CSO to make a business case for planning for service interruption events. Working with risk management personnel, if they exist outside the security function, security managers are in a good position to demonstrate business impact if employees are unable to execute against existing business processes. After all, understanding business processes is a key element of segregation of duties and least privilege enforcement as well as HIPAA and SOX compliance. BCM is more than restoring data center function after a disaster. It is a proactive approach to ensuring established processes are designed and implemented to consistently achieve business objectives, even when the unexpected happens. Future posts will address these and other issues related to BCM, including:The importance of a BCM strategy and how to create oneHow a management supported BCM policy starts the process of strengthening availability as well as integrity and confidentialityThe differences and similarities between BCM and disaster recoveryHow the guidelines included in the Related content opinion MQTT is not evil, just not always secure The MQTT messaging protocol standard used by IoT vendors is not inherenly secure enough. Solutions exist to secure it, but organizations and vendors must assess risk and properly configure IoT and network security. By Tom Olzak Jul 17, 2017 3 mins Internet of Things opinion IoT messaging protocol is big security risk Popular IoT messaging protocol lacks encryption and sufficient device authentication security. By Tom Olzak Jul 14, 2017 3 mins Cloud Security Data and Information Security Internet of Things opinion Anatomy of an insider attack Manage insider attack risks with scenarios and application of common sense. By Tom Olzak Sep 30, 2016 4 mins Business Continuity Security opinion Identity governance and admin: beyond basic access management User behavior analytics give additional power to identity management and compliance. By Tom Olzak Aug 30, 2016 5 mins Investigation and Forensics Compliance Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe