Helping your non-technical, business counterparts to understand the importance of cyber security can sometimes be an uphill battle. The part of the business that’s focused on increasing revenue often sees security measures as a hindrance to productivity. Gathering support for governance, compliance, and controls requires that you make the business case for the impact of a cyber security event. In recent years, highly-publicized breaches have helped reinforce the importance of cyber security to boards and executives. That’s an encouraging development, but to build a cyber security culture (as we wrote about last month) you need to take it a step further. All of your employees need to understand the importance of security.
Does everyone know the drill?
Let’s assume that your organization has implemented information security or cyber security processes and controls. Here’s my question – how aware are the non-IT staff members of your organization of their role in disaster recovery processes and response?
Virtually every organization with a formal business structure has a list of policy documents awaiting a new member’s acknowledgement during the onboarding process. These policies include information security and cyber security matters. So, you have the policies, but outside of the IT department, that’s too often where it ends.
Most organizations that go to the trouble of creating information security and cyber security policies have some formal documentation of procedures, standards, or guidance. In practice, across the broad spectrum of business maturity, it is common for the processes to be created before the “need” for a policy covering them ever arises. The reason is obvious: you can’t build the processes on the fly, during a disaster.
The trouble with this kind of ad hoc process development is that, if you’re not careful, the resulting processes can leave gaps in your information security and cyber security response, and those gaps may not be identified until a disaster occurs. Fortunately, there’s a better way.
For executives who believe their organization is ready to respond to a disaster-level information systems event, here’s an exercise you can conduct to find your gaps. First, let me define the scenario. What is a disaster-level information systems event? Simple: one in which none of the staff’s information systems are available for use. No workstations, no laptops, no internal business network, no internet, no office phones. Your cell phones work, but that’s only because I’m a kind and gentle soul.
Now, armed with this disaster-level scenario in hand, go out and ask those staff members with a title below Director the following questions:
- What are, in priority of importance, the data sets, systems, and processes that need to return to operational use for you to do your job?
- What other groups in the organization need to be up and running for you to do your job?
- What data do those groups need to be able to provide to you?
- What information systems do these groups need access to, in order to provide this data?
If all of your staff can answer those questions, across all roles and responsibilities in the organization (without saying “let me think about it and get back to you”), then your organization is in a very risk-resilient state when it comes to information and cyber security.
If your staff says, “Wait, let me pull out the _______ ” (fill in with title of your organization’s Business Continuity/Disaster Recovery plan), and proceeds to answer your questions, call me. Because I’m buying you a drink and I’m going to promote the heck out of you and your organization to other businesses and the information security and cyber security industry.
Many of you may be thinking that it’s a lot of work to get there. Maybe, maybe not; it depends upon the business. If an organization is starting from zero, the challenge is overcoming inertia. However, once the effort gains momentum, it becomes much easier than expected.
More importantly, the process and conversations involved in identifying and prioritizing the “assets” (the data, information systems, communication requirements, processes, and so on) required for the organization to recover and operate are the most important factors in creating a truly resilient organization.
Notice that I didn’t say conduct a Threat Assessment, i.e., the process of identifying the events that could lead to a disaster-level event. That’s a topic for another blog. What I’ve pointed to is one of two critical steps in a Business Impact Assessment; the other is to determine the “value” of an asset to the business, as distinct from the priority of recovering it.
Why is it so important? Because it is the process of figuring out what is important and disseminating that knowledge across the organization that is so critical.
Disaster recovery can become messy if the users of information systems do not know, before the event, what needs to be done, in what priority, and why it matters to the organization. Think of the competing demands placed on the IT staff trying to recover the systems. Think of the fights, or worse yet the silence, that take place during such events.
The truth is, in a disaster recovery scenario, the IT staff remains what it was before the disaster – an asset the organization is dependent upon to execute its plan.
Disaster recovery is not an information systems recovery activity – it’s a business survival activity. It should be planned for, practiced/reviewed, and treated as such.
If you’d like help developing a disaster recovery plan or educating your team on the activities and importance of having one, send us an email at firstname.lastname@example.org. We’re happy to help.