Make a business continuity plan to achieve real cyber resilience

Cyber resilience cannot be considered in isolation, but should rather be considered within the context of the overall business continuity plan, says Cindy Bodenstein, Marketing Manager at ContinuitySA.

She says cyber resilience was chosen as the theme for this year's Business Continuity Awareness Week because of the growing threat of cyber crime, but an integrated response is vital.

"While we need to place more emphasis on making cyber systems more resilient, we do need to guard against seeing these initiatives in isolation," she notes.

The enduring lesson of business continuity's maturation over the years is the importance of looking at the organisation's risk holistically, and then developing a business continuity plan based on that assessment. Risks and their impacts have always been interrelated, and that interrelation has grown over the years. Properly understanding a risk, and how to respond and recover from it, requires knowing how it affects the rest of the organisation's processes and people.

In fact, this growing interrelationship is in large measure driven by the growing dependence of business and society on ICT for virtually every aspect of their functioning. It is another clear reason to treat cyber risk, and thus cyber resilience, as part of the overall business continuity effort.

Most organisations would accept this view, but in practice, too many of them continue to see cyber risk and resilience as purely technical issues, the domain of the CIO and the IT department.

"Obviously, technology has a critical role to play in securing ICT systems, but it is far from the only role-player. Arguably, it should not even be the main one," she argues. "IT professionals are unlikely to be risk management experts, and they are obviously not fully conversant with the minutiae of the business processes themselves, and how they interact with each other."

For example, she continues, IT professionals may effectively protect the enterprise systems while inadvertently leaving a "back door" open via an insecure mobile app or cloud service. And spending on the IT disaster recovery plan might not take into account the relative importance of the various business processes.

It is thus vital that cyber risk is integrated into the overall enterprise risk management process, and thus into the business continuity plan, to ensure the organisation is truly cyber resilient, Bodenstein concludes.

The concept of cyber resilience is being more fully explored during Business Continuity Awareness Week (15-19 May). Visit www.bci.org for further details and to see when ContinuitySA will be presenting Webinars. In addition, Continuity Mozambique will be hosting open days during this week, where clients can make an appointment to visit the site and view the backup facilities. For more information, please contact Cindy Bodenstein at ContinuitySA: +27 11 554 8000, www.continuitysa.com.