CIO-CISO divide: Who owns business continuity?

While CISOs may find that their remit is expanding to cover business continuity, a lack of clear delineation of roles and responsibilities can spell trouble. To handle business continuity effectively, cybersecurity leaders need a framework for collaborating with IT leadership. Responding to events requires a delicate balance between thoroughness of investigation and speed of recovery, a balance that traditional business continuity plan approaches may not fit.

On paper, the CISO owns the protection of confidentiality, integrity, and availability, but availability was outsourced a long time ago to either the CIO or facilities, according to Blake. “BCDR is typically owned by the CIO or facilities, but in a cyber incident, the CISO will be holding the toilet chain for the attack, while all the plumbing is provided by the CIO,” he says.

CIOs won’t typically investigate cyber attacks to the same degree as CISOs. After a cyber incident, there may be competing priorities between backup and remediation, for example. “They [CIOs] might have a slightly different use case for a backup product, but they don’t operationalize the incident response, starting from remediation of the threat,” Blake tells CSO.

At the very least, the CISO needs a seat at the table during the incident response, but ideally the two teams need to be working in collaboration before, during and after. In Blake’s experience, this is the defining feature of organizations that suffer the least downtime. “They’ve got that shared responsibility model between the two teams. They’ve drilled down into how they hand off from one to the other and they have proper case management between the two so nothing’s not missed,” he says.

It’s becoming more common for BCDR to be part of the CISO toolkit, but there’s still a lot of back and forth around who should own it and how widely it should be deployed, according to Goerlich.
“I’ve been in organizations where BCDR was something done separately, where we were a partner, but not directly involved. I’ve been in other organizations where I was the primary driver of the program,” says Goerlich.

Whether or not the CISO defines downtime metrics depends on who has responsibility for the program, says Goerlich. Either way, it’s driven by the pain the organization feels according to the business impact analysis. For example, the recovery time objective (RTO) will vary according to the industry and relevant considerations such as safety in manufacturing and healthcare, and integrity or business process completion rates in financial services.

“When it comes to third-party risk and supply chain management, if it’s the CISO’s responsibility, it’s taking all the work the CISO is doing and adding BCDR requirements to it and then re-auditing,” says Goerlich.

In one case, he assisted a bank in auditing its SLAs, starting by matching its internal SLAs to the service providers’ SLAs and then conducting spot visits with some of those service providers to see if they could deliver on them. “Many of them weren’t as prepared as they said, many had strategies that were ineffective, and many had things the sales team was promising that the technical team was unaware of or unable to respond to,” he says.

The confusion about who owns ultimate responsibility for business continuity and disaster recovery is part of the ongoing CISO struggle to become a true business partner. “When you’re doing business continuity, you have to understand the business processes, and that takes you out of technology. A lot of good BC work is not tech work, it is business process work,” he tells CSO.
Quantifying business continuity effectiveness

BC programs are foundational not only to help the organization maintain its vision and brand promise, no matter the crisis, but also to mitigate financial and operational risks and comply with regulations.

However, some industry data shows a difference between self-assessment and actual performance, suggesting there’s a critical gap between perception and reality in continuity programs. Some 95% of organizations overestimate their cyber resilience capabilities, and this leads to business continuity disruptions as well as ransomware payments, according to the Cohesity Global Cyber Resilience report 2024. The time taken to recover data and restore business processes after a cyberattack was outside the targeted optimum recovery time objective in almost all cases, while half had simulated a cyber event or data breach in the past six months.

This shows that there’s a need for objective measurement and realistic assessment. CISOs need to have input into how much time is allocated for investigation and remediation to securely recover from a cyber incident. “If your RTO is two days, with a cyber incident, you’re not going to achieve that without a huge amount of investment because you’ve got those additional steps,” says Blake.

Because of the time required to investigate and the need to refer to trusted sources and configurations, rebuilding rather than recovering and cleaning can save time and ensure safe recovery, according to Blake. Nonetheless, it requires a level of maturity that not all organizations and CISOs have achieved. “Organizations can typically do some elements of a rebuild for not much more effort than a traditional volume recovery and cleaning,” he says.

Organizations with mature BC programs experienced fewer critical risk events, according to the Forrester report. However, mature BCDR programs require incremental improvements.
CISOs can develop their approach and deepen their involvement as the organization moves along the maturity scale.

At a low maturity level, CISOs will want to start by making sure the systems and the BCDR work are unified between IT and security, says Goerlich. His advice is to adopt a maturity-scale mindset, taking a risk-based approach and starting small. “Meet the business where it is and slowly improve the security posture and the continuity and recovery capabilities,” he says. “Don’t jump into trying to do everything because you’ll just burn yourself out.”

Keep in mind that the scenarios and strategies are very dependent on the technology and the threat. Then move on to mapping out the functions, the threats and the strategies to recover. “You can reduce what seems like a large number of things you need to do down to a much more manageable portfolio of continuity and recovery responses,” Goerlich says.

Finally, CISOs should understand that BC is more than just another compliance exercise to delegate. Continuity and recovery can be very strategic because they provide insights into what matters to the business and who matters to the business. Aim to have some ownership and responsibility. “If not, CISOs are really missing out on the strategic input and the ability to use this function to elevate your voice within the organization,” he says.
Resilience is more than just recovery

The Forrester survey found that developing a more integrated approach to operational resilience is a high priority for organizations, especially in North America at 46%. Resilience means thinking beyond traditional recovery models toward a security strategy based around minimizing vulnerabilities, adapting in real time, and maintaining operations despite ongoing threats.

Goerlich says resilience is a combination of disaster recovery, business continuity, high availability, and incident response. “Resiliency is the overall umbrella term for all these capabilities to deliver that top line goal of protecting the organization’s ability to achieve its mission,” he says.

For CISOs, there’s an opportunity to flex their cyber muscles when it comes to cyber risk and business continuity, and to go further by adopting the goal of organizational resilience.

As a financial services organization, Bread Financial operates in one of the most highly regulated industries, and CISO Gaurav Kapil says its cybersecurity posture aligns with NIST CSF. The Recover function provides the continuity and resilience element. In practice, this includes tabletop exercises, targeted recovery operations focused around critical business operations, and standing up the right functionalities to absorb and defend against attacks. “Today, a lot of bad traffic comes through bot traffic, so having capabilities to detect and mitigate that in an autonomous way is one of the key functions a cyber program needs to provide that level of cyber resilience and continuity of function,” Kapil says.

These capabilities are essential to provide resilience, which needs to be the overarching goal in the design of a cyber strategy. Kapil believes the notion of continuity is a little dated because it assumes that when something goes wrong, some services have to be shut down and then brought back online to continue functioning.
Instead, with resilience, the goal is to develop systems that have the ability to absorb and deflect any anomalous activities within their environment. “In my mind, it’s no longer about conventional disaster recovery and business continuity planning, it’s more about business and tech resilience where you expect certain things to go wrong and you’re engineering your resilience thinking into the design itself.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3855823/how-cisos-can-balance-business-continuity-with-other-responsibilities.html