As we enter another year of challenges to business, to cyber-survival, and to living in a time where past norms of operation seem more historical than current, one is left to question what is important, and within that set, what is feasible now? There are many voices aloft across social media channels, news channels, thought experts, and pundits, comingled with others representing their own solutions and approaches to problems they identify as vital for your business. Filtering this can seem daunting at first. But, there is a straightforward approach resting upon a foundation of fact specific to your own enterprise—your most recent risk assessment! You do have the results and findings of a risk assessment you performed in 2021, don’t you? If not, then your first concern is that fact alone, because it means you are “flying blind” in the cloud of change created by even a single year’s passage.
Letting Your Assessment Be Your Guide
This may seem such an obvious remark, but think about some of the guiding questions your risk assessment findings could answer. Among them, it will point out where your control strengths lie and where weaker ones make your company most vulnerable. Knowing this is vital to any improvement strategy where efficient direction of resources is a requirement (isn’t it always?). Your risk assessment may also point out compliance opportunities where relatively small adjustments in process or alignment with efforts outside IT or cyber concerns could provide leverageable results, streamlining efforts and fostering consistency across your enterprise. Such consistency becomes a lynchpin to resilience, as you’ll see later. Your risk assessment’s notice of strengths isn’t a finding in abstract, but tells you something about approaches and methods that work well within your company culture. Which controls are effective, which methods are most easily embraced across the company and what training is taking hold and expressing itself in practice and behavior. Given how much may have changed during the past 2 “COVID years” there may be useful insights to gain here. You may also have specific findings, remediation projects, and programs resulting from audits or regulatory reviews with direct relationships to these assessment findings. They further strengthen the leverage and value offered by your risk assessment.
Bending Not Breaking
This is the simplest definition of resilience. It implies flexibility, elasticity, and endurance. With respect to cyber risk and security this describes your ability to operate while experiencing consistent challenges, embracing disruptions where and when they occur, while continuing to deliver against your primary goals and obligations to clients, associates, and other stakeholders. More than thwarting or preventing attacks, it acknowledges the likelihood of the inevitable, and addresses how you will cope with challenges and changes, malice, mischief, and mistakes; disruptions of all sorts, great and small likely to occur over time. Your cyber risk program needs to include processes that offer you cyber intelligence. This is not some clandestine operation, but a practice based upon a triad of quality technical tools, skilled staff, and comprehensive processes. Those technical tools must enable you to track malicious actors, and identify threats and events effectively. There are many such tools on the market to help you monitor, detect, and identify suspicious and anomalous behavior in close to real time. You also need skilled staff to make knowledgeable use of this cyber information so they can act to restrict and contain any hostile action as much as possible. Next, you need processes so that actions follow steps and methods thought through before incidents occur. Those processes need to include specifications of roles, actions, methods, and tools. They should also specify communications channels. And lastly, they must include primary and secondary chains of command.
It’s necessary to assume in designing processes to address the unexpected, that one possible “disruption” will be to leadership at operational and perhaps at strategic levels. IT folk would consider backups of critical systems a key aspect of recovery planning. Management must consider backup managers and other leadership as equally important to the success of guiding the company through the unexpected and disruptive, if it’s truly to achieve a resilient capability. Succession planning is often positioned as a task for retiring executives or those transitioning after a merger or acquisition. But your operation’s ability to maintain consistent performance and adjust to changes, often under short timeframes and with diminished resources depends upon good leadership. Hoping for heroism is a faith based strategy unlikely to succeed. You need to identify key leadership roles, train for contingencies, and plan for retention if you wish to make resiliency a feature of your operation and a cornerstone of your operating strength.
Software and Hardware Resilience
One of the surest ways to promote resilience is to eliminate potential problems before they can occur. Those key software applications you rely upon to deliver services and product deserve some careful attention. How are they protected from intrusion by unauthorized actors? Are they monitored to detect and alert managers of all changes, intentional or not? Have you kept versions and any patches offered up to date? How are you managing access controls to these systems? Were default passwords present upon instillation replaced, and are they regularly changed several times a year? When staffing changes occur that impact access are these changed yet again? All these practices help assure your software systems are in the best possible shape to continue to function when other environmental or operational challenges arise. Some updates may have introduced support for remote management, which might become critical in emergencies. Also, periodically doing a full configuration review, scrubbing any settings no longer needed, updating or enabling new features, resetting permissions, and re-evaluating any add-ons that may have been applied in the past are all good practices to promote system resilience, whether for hardware or its resident software.
One other obvious practice is the backup. Periodic backup of data, applications and system software is a basic best practice. But it’s all pointless unless you also periodically test the validity of these backups by restoring the systems that them. This is a central and key point often ignored until they are needed and fail. The value of backups is in their ability to recover. The process alone is just theater if it doesn’t yield useful artifacts. On the hardware side, fail over systems, redundant hardware, off premises virtual machines synched to production, and many other strategies provide resources to sustain and recover from incidents. Backup planning should also include power and other environmental requirements. Systems don’t operate in a vacuum. Backup power is something that also needs periodic testing. First, you need to ensure your backup resources are functional. Second, they need to be measured so you know how much they can provide for how long, presuming no relief. And, third, that you have primary and secondary resources trained to enable and manage these backup resources.
Clouds to the Rescue
Cloud computing is a contemporary technology offering solutions to many of these needs. It’s often physically spread across a wide and diverse array of geographies, making its operation less likely to reside in proximity to your incident. Much of its resources are designed to be virtualizations of hardware and software, making the expansion and contraction of capabilities flexible to your needs as they change, for as long as they are needed. Security can be configured rapidly to address your needs, and can be bolstered quickly in response to events. This can include heightened and more granular monitoring and alerts as well as more direct barriers to potential intruders. It’s important to have these resources set up, at least in some minimal form, while “the sun is shining” so they mimic a basic digital twin of your operation that can be vetted and tuned before it’s needed in some substantial way. Then, if called upon, only the scale of service requires alteration, and staff will be familiar with its remote management processes, tools, and methods.
Third Party Resilience—Your Business Is Not An Island
For all these things, one must ask, “how are your most important third party service providers handling resilience?” Few firms are so vertical in design and execution that no consideration is needed. Do you have alternates at the ready if an important partner fails? What if they fall victim to a ransomware attack? Or are subject to extreme weather? Political upheaval, or a pandemic? How will you operate without them for some period? Have you worked to maintain relationships with secondary partners to assure they can and will accept the additional demand upon them if you need their services? Will their security practices comply with or compromise your own? Do you have the processes and relationships in place to streamline the migration of work? If alternates are not an option, how will you operate without them? Third party risk management (TPRM) is more than assessment and compliance. What will you do if the disruption (theirs) becomes a long term or even permanent one? Planning for these possibilities now will make responses actionable and with forethought, avoiding reactive thinking and possible compounding of your issues during an event.
The Hidden Roadmap to Success
At the start of this article I noted the value of risk assessment findings. Now here’s an exercise specific to making your governance, risk, and compliance (GRC) tools even more useful. You’ll need 3 columns on a piece of paper or spreadsheet. First, make a list of your company’s top 5 goals for this year. In the next column, for each goal map the important findings from your last risk assessment that currently do or may impact the achievement of each goal. Note that a finding may appear against more than one goal. In the last column, align any planned responses, remedial projects, or decisions regarding those findings in the second column. If resilience isn’t a concern anywhere, add a 4th column now and consider this discussion. Where are there additional concerns? How can addressing them be incorporated into the details of column 3? This exercise helps you identify exactly which findings offer the greatest threats to your company’s goal achievement for 2022. Further, it offers you some insight into where enabling resilience is most critical to assuring success. It also provides the business context to executive management to explain where, how, and why resources are needed so that they can make informed decisions to support your efforts to manage risk and resilience effectively.
Now keep in mind that your GRC has data from more than your IT or cyber risk assessments. It could be used to manage compliance reviews, operational, legal, and financial risk, audit findings, and serve as a single authoritative point repository for risk management data across the company. This would allow you to have a wider range of findings to map into your analysis. The business environment today is far too complex and diverse to manage on the back of an envelope or in a spreadsheet anymore. GRC tools provide the ability to gather, analyze, and communicate actionable information about risk more effectively and completely than ever before. They provide essential tools to understand your current position, share that understanding in a relevant business context with leadership and other stakeholders, while providing a clear roadmap to address concerns, navigate around obstacles, and avoid needless mishaps.
Once, many years ago, I bought a used car whose speedometer was broken and failed to go above 20 mph after I left the dealership. I never realized how disabling the loss of that single metric was to operating a car. Got it repaired in a hurry! In like manner, operating a company without a GRC is similar. You need to know all the critical metrics of your operation, including risk and resilience. The car had no backup way to measure and report speed. GRC tools and resilience are key attributes of sound operation. Be prepared. Be safe. Be resilient. Be successful.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.