With business continuity, CISOs must navigate a complex mix of security, business priorities and operational resilience — often without clear ownership of the process.
Excerpt from: How CISOs can balance business continuity with other responsibilities
While CISOs may find that their remit is expanding to cover business continuity, a lack of clear delineation of roles and responsibilities can spell trouble.
Business continuity and disaster recovery (BCDR) is becoming a more common part of the CISO toolkit, but there’s still a lot of back and forth around who should own BCDR and how widely it should be deployed, according to Goerlich. “I’ve been in organizations where BCDR was something done separately, where we were a partner, but not directly involved. I’ve been in other organizations where I was the primary driver of the program,” says Goerlich.
Whether or not the CISO defines downtime metrics depends on who has responsibility for the program, says Goerlich. Either way, it’s driven by the pain the organization feels according to the business impact analysis. For example, recovery time objective (RTO) will vary according to the industry and relevant considerations such as safety in manufacturing and healthcare and integrity or business process completion rates in financial services.
“When it comes to third-party risk and supply chain management, if it’s the CISO’s responsibility, it’s taking all the work the CISO is doing and adding BCDR requirements to it and then re-auditing,” says Goerlich.
In one case, he assisted a bank in auditing its SLAs, starting by matching its internal SLAs to the service providers’ SLAs and then conducting spot visits with some of those service providers to see whether they could deliver on those SLAs. “Many of them weren’t as prepared as they said, many had strategies that were ineffective, and many had things the sales team was promising, that the technical team was unaware of or unable to respond to,” he says.
The confusion about who owns ultimate responsibility for business continuity and disaster recovery is part of the ongoing CISO struggle to become a true business partner.
Read the full article: https://www.csoonline.com/article/3855823/how-cisos-can-balance-business-continuity-with-other-responsibilities.html
Wolf’s Additional Thoughts
I grounded my security program at Munder Capital on our BCP/DRP. In my current role as CISO of Oakland County, I’m again involved in the continuity and recovery program. These provide a rich set of inputs on what matters to the organization, allowing for informed and intelligent risk management. Don’t overlook it.