BCP. Three little letters that, unfortunately, strike mind-numbing boredom into most CIOS’s. The truth is, Business Continuity Planning isn’t synonymous with the excitement that is typically found in the Information Security world.
There aren’t nation states trying to subvert your controls, or insiders trying to get away with industrial espionage, or some faceless hactivist group trying to devalue your brand. No – BCP is about people and process – not the ever-waging war of Good vs. Evil.
If you believe that, you’re missing out on one of the most transformational tools you’ll ever have in your CISO Utility Belt.
In many of today’s enterprises, BCP falls between the cracks of Disaster Recovery (DR), which is typically an IT function focused on backups and recovering hardware and applications, and Physical Security, the folks who are generally responsible for premise security and executive protection. BCP however, when looked at from a security perspective, provides a wealth of information that every CISO can use to enhance their programs.
Business Continuity Planning, by definition, anticipates business disruptions and plans for the rapid restoration of business functionality in the event of said disruption. While BCP has little to no technology requirements (it relies on the DR plan for technology restoration), the information gathered as part of the BCP program is an invaluable resource when communicating information risk to the business owners.
The foundation of a BCP program is the BIA – The Business Impact Analysis. In most cases, a BIA is done for each revenue generation stream within the company and tends to vary from the formal business lines defined by the org chart.
The BIA focuses on people and the environment needed to perform their daily duties. Whether it’s a supplies delivery from a business partner, the ability to send an email, or even getting the days mail to process receivables, the BIA is focused on functionality – not technology.
As such, an expected outcome of the BIA is the amount of revenue that can be lost over a given time during a business-impacting event. It codifies the maximum amount of lost revenue that is acceptable for the business, and the types and amounts of resources required ensuring that maximum is not surpassed. Because the BIA is revenue driven, it provides an amazing resource for the CISO on which to build a revenue-protection based Information Security program.
All too often, I hear my peers struggling on how to associate a ROI with their security spend. My question to them is, why would you? While I agree we need to develop a financial model that articulates security improvements and risk reduction, saying we need a return on Information Security spend is like asking The President to provide an investment return on the USS George H.W. Bush, our newest Navel aircraft carrier. Any number that’s put forth is so full of fluff and guesswork, its virtually useless. Would the country be ‘as safe’ if the ship wasn’t built? Who knows?
We can however, based on the results of the BIA, associate a revenue protection model that is rather easy to associate to information security. Now, with the information on hand, we can evaluate a revenue stream in a particular business line, associate a level of risk to the revenue, not the underlying technology, and provide a commensurate level of protection mechanisms to it.
While there are a number of benefits to this approach, not the least of which is the business owners being the drivers of the process, the most relevant benefit is the ability to have some very basic risk discussions with those who are responsible for the revenue. You can, in many cases, get down to the amount of revenue generated per hour by the business process, which is an amazing discussion when you’re looking to protect something as critical as a company’s billing system or ecommerce web site.
You will notice your discussions go from technically focused ‘wizardry’ to a fundamental discussion about economics. “Should we spend $100,000 in capital/$20,00 in annual OpEx to protect a $50,000/month revenue stream?” Possibly. “Should we spend $2.5 million in capital / $300,00 in annual OpEx to protect an annual revenue stream of $1 billion?” Of course we would. It’s these types of examples that provide the CISO with a platform to articulate a revenue protection model rather than a futile search for an acceptable return on investment.
As an aside, another incredibly valuable tidbit that comes out of the BIA effort is a concise list of single points of failure. How many times are you able to point at a device, an application, or, in some cases, a person, and be able to clearly articulate the reason you consider it such a high risk? Most organizations have a distinct lack of understanding of such failure points and a CISO’s ability to relate them to downstream revenue goals demonstrates a programs maturity that is not often found in today’s enterprise.
Today’s CISO should look at the organizations BCP effort much like they do Policies or Awareness Training – critical, albeit pedestrian functions of a successful enterprise-wide Information Risk strategy. A successful security program is dependent on well written polices and a proactive awareness program. A mature security program can associate risk to any revenue stream within the company and be able to articulate the decision behind the types and levels of controls in place to anyone within the organization.
So, the next time the opportunity arises, do yourself a favor and volunteer to own BCP. You wont regret it.