How Cyber Security Is Shaping Enterprise Resilience

November 26th, 2019

For many years the practice of Business Continuity (BC) was reasonably straightforward, if often misunderstood. To most corporate employees, it was viewed as what we do when things go badly wrong with IT or premises. They believed it had little to do with the success or failure of day-to-day operations. To most staff members, their only real contact with BC was if they were interviewed for a Business Impact Analysis (BIA) or invited to participate in a BC Test. I even had friends who (jokingly, I hope) claimed all I did was plan for things that would never happen.

The growth and corporate awareness of cyber risk has changed all that. Now if a new business acquaintance asks me what I do for a living, they almost always assume I am talking about some type of cyber security. I have to explain that there are many other risks which organizations and individuals need to prepare themselves for if they really want to become resilient. What about climate change, for example? Although they accept this in principle, soon they are asking me about Artificial Intelligence, the Internet of Things, the Dark Web, Cryptocurrencies, Blockchains, Data Breaches, GDPR, and the safety of driverless vehicles. So, in most people’s minds the biggest risk we now face is our inability to manage and control what is happening to our lives – developments that we do not fully understand or necessarily desire.

Consequently, explaining what a resilience professional really does for a career is still tricky in “elevator pitch” terms. Clearly most of us are not experts in all (or any) of these highly complex technical subjects. However, it is still our responsibility to protect our organizations against almost anything that might go wrong. One analogy that seems to work is to compare ourselves to the conductor of an orchestra; we certainly cannot play all of the instruments, but we know how they must work together to create the best musical outcome. The conductor has both the technical knowledge and interpersonal skills to make that happen.

Similarly, a resilience professional can bring the various business areas together to jointly deal with any serious risk of disruption. The C-Suite certainly own cyber security while information security specialists provide all the detection and protection that is technically available to them. However, no one pretends that any organization is 100% secure, so the organization has to be agile and responsive to threats. Individuals need to understand their personal data protection responsibilities; business managers need to know in detail how their departments should respond to a potentially disastrous cyber attack. Other key players including IT, HR, Finance, Communications, Facilities, Legal, and Procurement must have their roles mapped out. Bringing this all together so that it works “on the night” is the job of the conductor, in our case the Resilience Manager.

This is why cyber has totally changed our perception of resilience. Severe physical disruptions tend to be more obvious, have a clearer escalation path and thankfully are relatively rare. Cyber attacks are invisible, have often taken hold before you even know about them and happen many times every day to every organization. Most attacks fail as security intercepts them; others are relatively harmless, although embarrassing, but the one major attack that gets through can be fatal. Suddenly resilience specialists are not dealing with unlikely events but with everyday issues.

To facilitate this change, one concept that has gained traction recently is the idea of Business Resilience as a Service – something that makes it a “go-to shop” for a whole range of business risk solutions. Typically, modern businesses use a raft of technologies that are highly interwoven and where constant change is endemic. Resilience professionals are no longer able to just write and test plans which are relatively static. Transformational change is too rapid for that approach and organizational agility is going to be the new benchmark for successful businesses. Enterprise Resilience as a function is going to be a very central part of that new landscape.

I argue that the ever-present threat of cyber attack has fundamentally changed business perception of all key resilience disciplines. This is having a major influence on the resilience profession itself. BC is rapidly becoming Enterprise Resilience and it will only work if the professionals in these roles are able to build good relationships with a wide range of other people. These include other resilience professionals, business managers, system users and key support areas like HR. For international firms, these relationships might also have to be across different countries, cultures and languages. As argued in our conductor analogy, the ability to influence, inspire, motivate and sometimes befriend, sometimes chastise talented and experienced musicians is not to be underestimated. Soft skills are at least as important for a conductor as technical competence and exactly the same principle applies to the resilience professional of the future.

Published in Enterprise Resilience

About the Author:

Lyndon Bird has worked exclusively in business continuity since 1986 as a consultant, presenter, educator, author, and business manager. He has spoken at and chaired conferences throughout the world and has contributed features, articles and interviews to most leading business and specialist publications. He has been interviewed by major broadcasters, including the BBC, Sky News, Bloomberg TV and CNBC on a wide range of continuity and resilience topics. Lyndon Bird is currently Chief Knowledge Officer for DRI International, chairs the DRI Future Vision Committee and is primary author of the annual DRI Resilience Trends and Forecast Reviews. After a decade in DR and BCM consulting, he helped found the Business Continuity Institute to promote and develop the discipline as an accepted professional field of work. He later became Chairman and International Technical Director of the Institute. He was voted BCM Consultant of the Year in 2002 and given the BCM Lifetime Award in 2004 by UK publication Continuity, Insurance & Risk. He has edited the peer-reviewed professional publication “The Journal of Business Continuity and Emergency Planning” for over 10 years. He was a member of the original BS25999 Technical Committee that wrote the standard that formed the basis for ISO22301. As well as his own writings, he has always been keen to give opportunities for others to develop and publish new concepts and ideas. His edited book "Operational Resilience in the Financial Sector" brought together many experts from around the world to discuss a diverse range of risk and resilience topics.
