Blog

Business Continuity – The Light in a Time of Darkness

Jun 21, 2021

SSCP_Blog6_Twitter_Banner_1024x512 As a security practitioner, perhaps you have found yourself in meetings about Risk Management. Or, perhaps, you are part of the incident response team, where you are responsible for everything from preparation, through post-incident reporting. The common thread that runs through risk management and incident response are the “what if this happens” scenarios.

Whatever your involvement in these preparatory exercises, the overarching concern of all involved is: When will the business be up and running normally again?

When confronted with such dire circumstances, the realization of the need for Business Continuity and Disaster Recovery becomes as important as the business itself. These are no longer “what if” moments. When a business disruption occurs, it becomes a “what now” moment. When the lights on your business go out, now is not the time to search for the flashlight.

No shortage of real-life examples

It is not too hard to find examples of business-disrupting events. From the DYN DNS attack of 2016 to more recent attacks, such as the ransomware attack against IT service provider Cognizant , every day, the news is teeming with new events that should give any business owner pause. It is easy to think that businesses are under constant attack. However, not all business disruptions are caused by malicious acts. Adverse weather conditions, health emergencies, and even something as simple as an accidental cut of a fiber cable by a construction crew can also bring a business to a halt.

Business Continuity, or Disaster Recovery

One of the first points to clarify is that these two terms are not the same. Business continuity is the practice of restoring business operations to a normal state after a disruption. Disaster Recovery is the specific practice of restoring IT functions to a normal state.

One way to distinguish the two, is to think of the “B” in Business Continuity as “The Big Picture”, meaning that it pertains to the entire business entity. “B” is for Big.

Both Business Continuity and Disaster Recovery are intertwined, however, when thought through, it is easy to see how certain areas of Business Continuity do not involve Information Technology. A shutdown of a business location due to a weather event would not necessarily involve IT. The same is true of a supply chain failure. If, however, your supplier is a cloud-based data facility, then the supply chain problem becomes both a Business Continuity and a Disaster Recovery operation.

It Doesn’t Start With a Plan, It Starts With A Policy

Any type of continuity or recovery strategy must start with a policy. Too often, plans are drawn up with the best intentions, but they lack the required input from the business leadership. Planning requires commitment from the highest levels of the organization due to cost. The more robust your response; the costlier it becomes. For example, while the idea of a real-time, active mirror site (known as a “Hot Site”) sounds incredibly attractive, it is the costliest option available. The various other options, such as a cold site, a warm site, or a hybrid setup, which all require cost considerations.

In order to anticipate the cost ramifications, a policy needs to be set whereby the expectations are clearly defined. This is where the interconnection of incident response, and risk management factor into the formulation of the plan. It is the moment where “what if” meets “what now”. Most importantly, this is not a single-department endeavor. This policy development requires participation from all sectors of the organization, and it benefits tremendously with the inclusion of a trained security practitioner in the organization.

What’s the Potential Impact?

The way that a Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) expand on risk management and incident response is by contemplating the impact to the business from a particular event, or a set of events. Once expectations are agreed to, a Business Impact Analysis (BIA) must be performed. Within the analysis, each business function must be assigned a criticality level, indicating the Maximum Tolerable Downtime (MTD), and Maximum Tolerable Period of Disruption (MTPOD). Both of these subjects lead directly into the approaches to Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Understanding the RTO and the RPO

The Recovery Time Objective (RTO), and the Recovery Point Objective (RPO) are key pieces to the expectation management of the business.

Most business leaders ask the question “when will it be fixed?” The security practitioner recognizes this as the RTO. The RTO is the amount of time expected to restore a business function. Within the Disaster Recovery realm, this can be quantified through testing. For example, how long does it take to get a failed accounting system operational? That can be empirically tested and verified. In the Business Continuity realm, this can be more difficult to quantify.

The RPO can be thought of as a stopping-the-clock situation. This is where your recovery is supposed to replicate a point in time from when the disruption occurred. For example, if your business is not a real-time operation, then your RPO can be very wide. If you only take snapshots or backups of your data every twelve hours, then your RPO can only reflect that last backup. However, if you are running transactional systems, then your RPO will be much shorter. This is an often overlooked topic, and it is vital to state this expectation clearly in the policy. Failure to formally memorialize this expectation can mean the difference between a successful recovery operation, and a perceived failure. The RPO will always be part of a Disaster Recovery operation. Rarely is a Business Continuity scenario tied to an RPO. If your business is evacuated, no one needs to consider restoring the work to a particular point in time.

To tie these thoughts back to the Maximum Tolerable Downtime (MTD) consideration, it is important to note that RTO and RPO must be less than MTD, or the entire plan will be deemed a failure. A trained security practitioner is the best person in the organization to help the business leadership make sense of this acronym soup in a way that turns the conceptual into a viable plan of action.

Things you can touch, and those you can’t

In any crisis, there are tangible and intangible consequences to consider. As mentioned earlier, expectation management is an important part of the policy. Likewise, the tangible and intangible results of a disruption should also be included, if not in the policy, at least in the discussions when creating the policy.

Some of the tangible consequences of a business disruption include increased processing time, loss of revenue, failure to meet service level agreements, and lost productivity. These can all be calculated in hard numbers, and, as such, some samples of such measurements should be included in the preamble to any continuity policy and plan.

The intangible outcomes are less easy to quantify, however, they should not be overlooked, as they can be as damaging to an organization as the measurable ones. These include loss of customer confidence, the effect on employee morale, negative public relations. These all are dependent on how the organization’s leadership responds to a business disruption. As demonstrated in one of the most ill-famed breaches in history , a failure to respond correctly can result in a negative aftermath. Conversely, a correct response can elevate a corporate image.

So Many Perpetually Moving Parts

From this short overview of Business Continuity and Disaster Recovery planning, it is easy to see that it is a big job, requiring not only a broad understanding of all the components that go into such a project, but also specialized training in Risk Management, as well as Incident Response. While each area of the creation and maintenance of such a plan requires participation from multiple departments, a security practitioner is best equipped to put all the parts together. (ISC)2‘s Systems Security Certified Practitioner (SSCP) training is the perfect path towards achieving the necessary skills to function as a valued participant in all phases of the business continuity and disaster recovery operations in any business.

Most important to note is that these plans are not a “set it and forget” it project. Throughout the lifecycle of the business, these plans must be constantly updated to stay current with the overall business environment, as well as the individual organization’s development. There are various types of exercises for testing a plan, and those exercises should be overseen by a security practitioner.

Shared responsibilities

Even though the responsibility to restore normal operations may fall heavily on the technical teams, the security practitioner is a vital part of the pre-disaster planning as well as ongoing maintenance of the plan. The responsibility of the security practitioner extends not only to predict what could go wrong now and in the future, but also formulating how to resume normal operations.

To learn more about the need for business continuity and disaster recovery, read our white paper, How You Can Become a Cybersecurity Hero .

How SSCP Certification helps

There is no better way to showcase your technical skills and security knowledge than achieving the Systems Security Certified Practitioner (SSCP) certification. Whether you are an experienced security professional or just starting out in the captivating world of cybersecurity, the (ISC)2’s SSCP certification is the ideal way to enhance your ability to implement, monitor and administer security procedures and controls that ensure the confidentiality, integrity and availability of any organization.