Using Business Impact Analysis to Enable Cyber Resilience
Today’s organisations comprise an intricate network of supporting businesses and digital infrastructure that enable business operations. Tools are now so interconnected that disruption to one could have a domino effect, impacting the wider business. And, as the threat landscape continues to evolve and become more complex, organisations face an increased risk of a business disruption. This risk can come from various sources, such as internal and external IT, SaaS applications, supply chain partners, and IT service providers. So, having the proper safety protocols in place is vital.
Unexpected cyber incidents and subsequent digital disruptions can have potentially catastrophic repercussions on the enterprise mission, from failure to deliver services to data loss and halting of operations to falling foul of regulators, repetitional damage and disruption to the supply chain.
Despite many high-profile cyber-attacks making global headlines and boards the world over waking up to the threat of a cyberattack, many struggle to move beyond the dated perception of cybersecurity as a cost centre.
Executives, unable to see the ROI or fully comprehend the criticality of cyber resilience, leave security leaders contending with tightened purse strings and relying on operational cyber security metrics to convince the leadership of what should be a strategic imperative.
Understanding the true value of cybersecurity investment
So, how do we elevate the cybersecurity investment conversation? Firstly, security leaders must determine what functions are mission-critical to the business. They must then understand the possible risk scenarios that could jeopardise those functions. It’s essential to know what you’re protecting and why? This, in turn, will help you to understand who threatens you and what techniques, tactics and processes (TTPs) they are likely to use.
We recommend that security and risk managers use a Business Impact Analysis (BIA) model to determine the potential impact of a cyber incident. A BIA is an enterprise-wide initiative that aims to deliver three key outcomes:
Business-wide agreement on critical business functions, infrastructure, and applications.
A prioritised list of business-critical functions for recovery.
Understanding the impact on the business should any of these functions go down.
By understanding the outcomes of the BIA, businesses can develop a security program that prioritises critical functions to monitor and the controls required to protect them. This approach will help organisations protect their “crown jewels” or mission-critical systems. A bonus by-product of a comprehensive BIA is that it can also increase efficiency and safety by identifying duplicate or underused applications or assets for possible retirement.
Failing to fully scope or define mission-critical components of the business or understand incident ramifications can lead to over or under-investment, disorganised priorities, or unsuitable recovery requirements. It could also lead to an overabundance of misplaced confidence in the business’s incident response capabilities.
Using Business Impact Analysis to drive cyber resilience
Gartner describes BIA as the “centre of the universe” regarding all resilience activities. Gartner recommends that organisations undertaking BIA do the following:
Develop a set of risk tolerance levels across multiple risk impact categories, including financial, brand and reputational, legal and regulatory, life and safety, and productivity. This holistic approach enables informed decision-making and helps organisations maintain a balanced risk posture in the face of diverse challenges.
Formulate a prioritised list of business functions by criticality, ranging from mission-critical to deferrable.
Chart a dependency map of other business functions, facilities, workforce, applications, IT services, third parties and vital data.
Establish collaboration between business and IT through joint sponsorship and project management for accurate and valuable results. This ensures that criticality designations are unbiased and balanced across different areas.
Once the BIA results have been validated and approved, the next crucial step is to implement them. The IT teams can evaluate their recovery abilities based on the BIA results, pinpointing areas that need improvement. This assessment will guide the implementation of essential processing, backup, and recovery solutions to address these gaps.
Similarly, management will need to assess their capability to support remote work when the primary production location cannot be accessed. This evaluation ensures that necessary measures are in place to enable seamless remote working and maintain operational efficiency.
Clear scoping leads to a clear mission, enabling effective direction of cybersecurity investments. Demonstrating resilience, ensuring continuity, and quantifying cyber investments become achievable through these efforts. For professional guidance, consider engaging an independent third party like Adarma to support your organisation in this process.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at firstname.lastname@example.org
To hear more from us, check out the latest issue of ‘Cyber Insiders,‘ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new Podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on Twitter and LinkedIn.
An error has occurred, please try again later.An error has occurred, please try again later.