Rona Young, Head of Global Marketing & Communications
I recently joined Dionach, an independent information security consultancy, after spending most of my career managing crisis communications (reputation protection) and marketing operational risk management services within HSE consultancies.
Simply put, operational and technical risk management have real similarities in emergency response, business continuity planning and disaster recovery. They should work more closely together in order to provide organisations with a consistent and comprehensive approach to protecting themselves.
In the operational risk management world the term 'ALARP' is used: reducing risks to a level that is 'As Low As Reasonably Practicable' where they cannot be eliminated completely, weighing the cost of further reduction against the benefit gained.
Cyber security management uses a similar risk process, assessing the likelihood and impact of an attack on both internal and external systems and services and prioritising controls accordingly.
Business continuity planning and preparedness is a must for any company to ensure it minimises disruption and thereby prevents loss of customers, suppliers, services, assets and ultimately reputation. This is where I see a more joined-up process is required.
Our reliance on fully functioning IT systems is fundamental to day-to-day operations, let alone when things go wrong. Whether an incident is a cyber-attack or an operational emergency, it is essential that critical IT systems can still perform.
Within each organisation, information security teams should work hand in hand with business continuity teams. By combining these specialist skills, companies will best protect their assets.
Throughout my working life running training exercises I have challenged senior management teams not to think only of floods and fire when managing risk. Incidents come in all forms, whether visible, such as forces of nature, pandemics and fires/explosions, or hidden, such as financial discrepancies, tampering with research or cyber-attacks, and companies should always prepare to expect the unexpected.
Information security teams use independent penetration testing to understand vulnerabilities within infrastructure and applications which may be exploited as part of an attack. But are there effective plans in place to identify an attack once it is under way, and then to respond to it? The average time before an attack is discovered is around 270 days.
Operationally, business continuity and emergency response teams regularly test their plans and procedures, from simple tabletop exercises through to simulated emergency exercises.
Joining up the operational and technical teams to practise how best to respond to a cyber-attack while maintaining continuity of the business will minimise service disruption and help protect company reputation.