So Now You’re a CISO Running a Business Continuity Program?

While I was in Atlanta last month speaking at a security conference, I had the opportunity to meet with three separate CISOs in three separate industries.  One was in the Home Services industry, one worked for a multi-billion-dollar healthcare company, and one worked for a large regional bank.  What really surprised me in talking with all three of them was this: All three of them had been recently asked to take over or significantly increase their responsibilities in their company’s Business Continuity programs.  

I admit that there is a tremendous amount of overlap between the workings of business continuity, disaster recovery, and cyber security; however I was surprised to have such similar conversations with CISO’s in three disparate industries. The timing of it also surprised me because all of them had been given those duties within the past few months, on top of everything else they had going on. To top it off, to the best of my knowledge none of these people had ever worked as a business continuity professional, or even had any experience running a business continuity program. 

Given the current regulatory environment, and the new regulations that are going to be going into effect over the next 24 months, I suppose this shouldn’t be a surprising trend. Cyber security has been given the authority and attention in recent years to be able to protect companies from a wide variety of threats, and most cyber security programs are staffed and funded these days. Business continuity has been a traditionally unloved area of focus, so it makes some sense to move it underneath a high-profile program area where it could (hopefully) get more of that much-needed authority and attention.

“The way to get started is to quit talking and begin doing.”

Walt Disney

With that in mind then, what advice would I give a CISO that was freshly-tasked with trying to run a business continuity program? 

1. Perform a Business Impact Analysis (BIA) – Not only do Business Continuity best practices recommend performing a BIA to help quantify risk, it’s also something they talk about when you’re studying up for your CISSP, and it’s something that many Cyber Insurance companies are wanting to see.  Performing a BIA can show you your most likely pain points surrounding business interruptions, so you can plan ahead.

I’d recommend you revisit this BIA data annually, and in order to make sure that happens, you need to…

2. Update your BC Policies – If this is something new that your office is now managing, and you weren’t before, then your policies are out of date. You need to update them anyway.  With that in mind, change your policies to establish an oversight process for your Business Continuity Program. Require a 3 year plan, establish goals, and come up with a program mission statement. Do it right.

Once you’ve got that done, you should get an independent opinion on those policies to make sure they’re helping you move in the right direction.  So, you really should…

3. Figure out where you are on the map – Have someone perform a Business Continuity Program Maturity assessment so you can figure out where you stand.  A good assessment will tell you how far away you are from best practices, and what you need to work on.  It will tell you what you’re doing right, and where you have room for improvement.  This will help you figure out what needs to go in that 3-year plan you just required yourself to put together, and give you some vital feedback on those policies you just crafted.

I’d recommend planning on doing something like this annually to track progress, because you if you want to do what the best BC programs do, you should…

4. Start using metrics – A business continuity program isn’t just something that happens in a single department if you want to do it right. If you want to get the most from your efforts, you need to track what you’re doing and make sure that those actions are achieving the desired results. Track things from year to year so you have a history of the program to look back on, and track work as it happens to improve the quality of it.  Track accuracy, track completeness, and track timeliness.  Use those metrics to shape and reshape your policies, and your level of commitment to the program.

A great example of someplace where using metrics can really improve the quality of the program will happen when you…

5. Validate your CMDB – In many companies, the CMDB is an unloved and poorly-managed database running on an outdated engine, and its data is full of errors.  It’s got naming convention issues, outdated references to staff and applications, and probably more than its fair share of data integrity issues due to typos and missing data.  However, the quality of data in your CMDB is probably a great analogue of how prepared you are to respond to an actual DR event.  Keeping your CMDB up to date is simple housekeeping, and if your staff isn’t doing that, they’re probably also not doing proper housekeeping on your backups, your DR testing, and other things.

You can’t restore your systems if you don’t know what you have, and the health of your CMDB is a great place to start gathering that data.  The CMDB is also one of the first things I’d recommend working on when you go to…

6. Automate your BC Program – If you’re still using Word, Excel, and SharePoint to manage your Business Continuity program, then you’re basically depending on technology older than Windows XP to recover your business.  If you’ve got 30 plans in your company and you need to update one person’s phone number, you’ll have to open 30 documents, make 30 (100% accurate) manual changes, then send out copies of those 30 plans to whomever needs them.  If you’re thinking there has to be a better way to do that, there is: A Business Continuity Management System (BCMS).  Not only is a BCMS going to save time by making those 30 plan changes take a few simple keystrokes, it’s also going to help you with many of the critical things listed above like performing that BIA and implementing those program metrics.  Most BCMS implementations will also help you enforce policies, by reminding people when it’s time to update their data, or reminding you that they haven’t done it yet.  Your BCMS can also integrate with other data sources in your company, like your Active Directory, your HR System, your ERP System, and that freshly-updated CMDB, and use that data to automatically update many aspects of keeping your BC, DR, and Crisis Management plans up to date.

A BCMS will also help your staff work more efficiently, which helps a lot when it comes time to…

7. Fund it and staff it – I’ve often quipped that you can tell if a company is really serious about doing something, because they’ll fund it and staff it.  Much as underfunded and short-staffed infrastructure or security projects are doomed to fail, so too are underfunded and understaffed Business Continuity Programs doomed to fail.  If you don’t staff your program with competent people, and you don’t give your staff the right tools to do their jobs, you can’t expect positive outcomes — that goes for any program, right? 

So, there’s a whole lot of what to do and why to do it. Need some help with the how? Sayers is here to help. We have experience building Business Continuity Programs from the ground up, and can help you write your policies.  We can also help you decide when it makes sense to invest in Business Continuity Program Management Tools. And, our Business Continuity Maturity Assessment Tool can help show you what state your BCMS is in, how mature your Business Continuity Program really is, and what might need a little attention.

---