Integrate cybersecurity practices into a business continuity program

Paul Kirvan explains why your business continuity program must mesh with your information security and corporate cybersecurity strategies.

You might think that cybersecurity is strictly the province of the information security department. From a technical...

perspective, your information security staff provides the first response to and resolution of security breaches. While this is the normal process, if the breach has an operational impact on the business and its ability to function normally, the emphasis may need to shift to business continuity.

In situations like that, a true cybersecurity strategy should acknowledge and embrace the linkages between information security and other departments, such as business continuity, disaster recovery, emergency management and enterprise risk management. Your business continuity program must do the same.

Learn how to leverage your business continuity and disaster recovery activities with those of information security and corporate cybersecurity strategies. The challenge is to define the circumstances under which cybersecurity activities should launch relevant business continuity responses.

The business continuity-information security relationship

Both disciplines are concerned with protecting the organization. Information security focuses partly on the organization's network perimeter, strengthening it as much as possible while still permitting approved information to pass through. It also ensures the confidentiality, integrity and availability of information through proactive and reactive measures, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS); systems that analyze data passing through firewalls and IDS/IPS devices with the goal of identifying malicious code or other suspicious anomalies; and specialized tools that identify various kinds of malware, such as viruses, worms, spam, denial of service, or DoS, attacks, and many others that may exist inside firewalls.

Regrettably, InfoSec teams do not partner with and share information with the business continuity and/or disaster recovery teams as often as needed. This may be due to historical differences and operational methodologies and philosophies, but in today's highly complex IT world, fraught with an enormous variety of potential cybersecurity breaches, those differences must be replaced by collaboration.

Case study: Target

Despite what may have been published officially, Target's business suffered a major impact when it was hacked back in December 2013. Millions of credit cardholders -- both with Target and other card services -- had their data stolen by hackers. True, the situation was supposedly addressed by Target's IT organization, but what was the real damage from a business perspective? Will Target's millions of cardholders and customers remain loyal to the company? How much damage was done to the Target brand? What needs to be done to assure Target's customers that their personal data is safe and will not be stolen by others in the future? These are tough questions, to be sure.

From a business continuity perspective, Target should have activated its business continuity program as soon as they became aware of it. Assuming Target's BC program partnered with the company's social media, information security and public relations teams, these four functions should have met and established a game plan almost immediately after the breach was revealed. Knowing that any kind of security breach would hit the social media sites and go viral almost immediately, these groups would have had plans in place to minimize the damage to Target's reputation, and would have identified both cybersecurity strategies and business continuity actions to restore confidence in the company as quickly as possible.

Tips for integrating cybersecurity strategies with business continuity

Here are some recommended actions for optimizing the relationship between information security and business continuity (BC).

First, establish an information sharing partnership between BC and InfoSec teams; identify scenarios in which a cybersecurity breach translates into a business impact; and at what point in time such a transition can happen. Then, define:

  • how and when information security engages BC;
  • procedures BC launches to protect the business, its reputation, brand, supply chain and other key business attributes;
  • how BC and InfoSec will communicate with each other during the incident;
  • the circumstances in which the event can be considered addressed, the threat neutralized, and the business returned to normal;
  • the optimal time frames for the above activities;
  • the points in which both BC and InfoSec can stand down;
  • issues to be addressed in the after-action report.

With those tasks completed, you will be able to determine how cybersecurity strategies can be enhanced with post-event BC inputs and establish how lessons learned from the incident can improve future responses by both BC and information security. Following an event:

  • update cybersecurity strategies and plans, as well as BC plans based on lessons learned from the event;
  • schedule joint exercises with information security and BC to validate plans and collaboration activities;
  • establish regular joint meetings with information security and BC to exchange ideas, share information, discuss plans and identify ways to synchronize emergency response activities in a real incident.

Issues the business continuity team should address

First, it is important to understand the techniques, systems and procedures that protect the organization's information security perimeter. You should also be aware of the importance and use of antivirus software and other network analysis devices, such as IDS and IPS. Understand also the techniques used to analyze breaches. Finally, knowledge of key issues associated with recovering networks and systems, testing them for proper operation, cleaning and disinfecting workstations and other network-attached devices, and launching stronger preventive measures is critical.

These actions can help BC professionals effectively synchronize with their information security counterparts.

  • Jointly provide regular briefings to senior management so they are aware of what is happening with the relationship with BC and information security and of the benefits that collaboration provides to the organization.
  • Consider using an executive dashboard system to keep management updated.
  • Collect data from network logs and other devices that describe what happened before the breach, what occurred during it, what was done to stop it, and what happened following its termination.
  • Determine what business information was lost, stolen, damaged or otherwise compromised, as well as the impact on the business.
  • Notify key clients and stakeholders of compromised systems and/or information as soon as possible, reassuring them that you have the resources to minimize any further exposure.
  • Document any and all actions performed for future audits.
  • Attend tests of network security systems to understand how preventive measures work.
  • Partner with information security to educate employees about the importance of network security and BC and how they work together to minimize the destructive impact of future cybersecurity events.

An effective cybersecurity strategy involves BC, disaster recovery and related activities. Business continuity professionals must be more informed about their information security peers, and must bridge traditional gaps between the disciplines to establish a more collaborative environment based on teamwork and information sharing.

Next Steps

Getting management buy-in for a business continuity program

Measuring business continuity program success

Develop an emergency evacuation plan strategy for your BC program

Dig Deeper on Disaster recovery planning - management