Sustaining resilience across organisational borders

The previous four articles in this series dealt with designing resilience into your environment, monitoring and responding to events and recovering from business service being disrupted by an incident. In this final article, we discuss organisational structures that will help you achieve and sustain resilience. Attaining and sustaining operational, including cyber, resilience requires influence and collaboration that crosses company organisational boundaries.

 

Cyber incident and resilience best practices

 

Resilience best practice is a business imperative, and it should be managed as one. That means it isn’t the sole responsibility of IT.

 

Business resilience is becoming a priority that’s increasingly directed from the top. In recent years, threats and demands from malicious actors and unplanned interruptions of business services have spotlighted the increasing vulnerability of, and negative impacts on, organisations when it comes to cyber-incidents.

 

Such incidents ought to lead to a greater board focus on cyber-resilience, response and recovery. These areas are receiving funding, spawning independent organisations, and seeing implementation of specialised protection and monitoring systems.

What does an operational resilience program office do?

 

An outage is an outage, whether the result of malware, human error, technological failure or natural disaster. Businesses would do well to think about setting up an operational resilience program office, encompassing preparation, protection and practice for all aspects of operational resilience (including cyber-resilience). This should be established and headed by a C-level executive – perhaps the CISO, but with an expanded mission. 

 

Under the direction of a Chief Resilience Officer, an operational resilience program office coordinates efforts across departments to establish resilient business and IT services capable of:

 

• Business service availability: meeting or exceeding business service delivery requirements
• Business continuity planning: sustaining uninterrupted business operations under threat, disaster or emergency situations
• Scalability: scaling to meet the organisation’s business requirements
• Information security: protecting the organisation’s information assets
• Cyber-resilience: protecting against and (when needed) responding to malicious acts
• Recovery: recovering business services after an incident, from any cause, has interrupted service delivery

 

An operational resilience program office is the resilience champion for the entire organisation, providing an end-to-end cross-organisation focus on resilience. It is responsible for:

• Identifying and reporting the business impacts of resilience risks
• Identifying risks to resilience and proposing mitigation actions
• Developing and communicating resilience strategies
• Assessing cyber-resilience maturity
• Anticipating, protecting, responding and recovering from any disruption including those caused by cyber-attacks such as ransomware
• Overseeing business and IT recovery plan preparation and currency for both conventional and cyber-recovery of business functions
• Designing, collecting and reporting resilience metrics
• Developing resilience policies, plans, procedures and training
• Coordinating rehearsals that validate resilience plans, procedures and recoverability

Effect resilience behavior across the organisation

 

The above list can represent high-value, high-priority activities for the company, given the excessive costs, widespread effects – not least of which is bad publicity – and increasing incidence of outages. The Chief Resilience Officer role links the executive management resilience directives to the parts of the businesses responsible for cyber-resilience systems. The operational resilience program office lets you manage and co-ordinate the adoption of effective resilience behaviour across the organisation.

 

Kyndryl’s role

 

Kyndryl understands the importance of security and resilience. We have more than 30 years of designing, building, managing and recovering IT operating environments, including from the latest types of threats and multi-stage attacks. Our more than 7,500 skilled cyber-security and resilience employees have addressed resilience, response and recovery issues through preparation, protection and recovery activities for many customers. We stand ready to assist you to be resilient to “cyber-geddon.”

 

---

 

Bob Pitcole - Executive Consultant, Kyndryl Security & Resiliency Servces