These are perilous times. Still, IT leaders are expected to keep vital systems running reliably, efficiently, and securely despite the challenges posed by economic, environmental, societal, political, and other threats. A strong commitment to resilience is the only guaranteed way to ensure that an IT organization has done all it can to prepare for the worst.
In an era when cybercrime has become increasingly sophisticated and business processes are rapidly transforming, IT resilience is more critical than ever, observes Ram Parasuraman, executive director, data resiliency, at IBM. Preparedness against cyberattacks and better transparency on incident response have become corporate board-level priorities, he notes. “By preparing for data recovery in case of an attack or network interruption, organizations can proactively mitigate risks and ensure business continuity.”
A standardized and consistent approach to risk management enables organizations to identify and analyze risks with as little bias as possible, says Brett Tucker, an adjunct faculty member with Carnegie Mellon University’s Heinz College of Information Systems and Public Policy. “The goal of any risk management program is to prioritize risk and associated response plans in a manner that optimizes the use of limited resources.”
Standardization also means that every part of the organization should follow the same analysis steps. “Furthermore, risk professionals in the organization must be consistent in their treatment, so that one risk does not overshadow others without adequate evidence, qualification, and quantification,” Tucker states.
Reaching for Resilience
Enterprises are currently struggling to cope with the mounting financial impact of business interruptions created by ransomware and other advanced cyberattacks and data breaches. Parasuraman points to a recent IBM security report, which revealed that the average cost of a data breach reached an all-time high of $4.45 million in 2023, and that cyberattacks are expected to cause up to $10.5 trillion a year in damages by 2025.
The first step in building a cyber resiliency plan should be designating responsibility. “Once responsibility for the program is determined and funded, and authority is communicated, the program leads can begin work,” says Ben Saine, principal consultant with technology research and advisory firm ISG. He recommends starting by identifying and prioritizing critical assets and business functions.
The ideal resilience plan should be multi-layered and include deploying an infrastructure that supports data resilience requirements at both the hardware and software levels, Parasuraman says. “Data storage systems lie at the heart of efforts to build IT environments that are resilient to logical data corruption in all its forms.” Protective measures should include technologies designed to avoid downtime, ensure access to critical applications, middleware, and data, and maintain user productivity.
A resilience plan should actually be a collection of plans, including cybersecurity, incident response, disaster recovery, and business continuity — all working together to ensure that the enterprise is ready to respond to the biggest threats, Saine says. The plan should include threats that, if successful, would cause the most damage, including lost revenue, angry customers and/or damaged reputation. “The final plan should include specific activation, execution and close-out steps, along with clearly defined authority structures,” he adds.
A resilience plan should also provide the foundation for a systematic and detailed approach to risk identification and analysis. “For example, organizations may apply value-stream mapping as proposed in OCTAVE FORTE,” Tucker says. “Value stream mapping decomposes organizational strategic goals into critical services that are supported by high value assets.” These assets typically include people, technologies, information, facilities, and the third-party providers necessary to coordinate service deliveries.
Once a service is decomposed into its critical assets, an analyst may explore specific failure modes, vulnerabilities, impacts, and threats. All of these elements may then be integrated into a single risk register, Tucker says. “This rigorous approach may also lead to revelations of risk interdependency,” he warns. “Interdependent risks can share response plans, so organizations may address multiple risks with just one response plan.” In any case, a resilience plan should include discussions related to organizational resilience governance, risk appetite, and policies and procedures, Tucker advises.
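The decomposition Tucker describes (strategic goal, critical service, high-value assets, then the threats and failure modes against each asset, all integrated into one register) can be modelled in a few lines. The following Python is an added example, not code from the article or from OCTAVE FORTE; the service, assets, threats, scores, and response plan names are constructed illustrations. It enforces one shared 1-to-5 likelihood and impact scale so that, as Tucker's "consistent treatment" point requires, no entry is scored on a different basis, ranks risks by likelihood times impact, and groups risks that share a response plan so the interdependency he mentions becomes visible.

```python
from dataclasses import dataclass, field
from collections import defaultdict

SCALE = range(1, 6)  # one ordinal 1..5 scale for every entry, so risks stay comparable


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # people, technology, information, facility, third party


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    failure_mode: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    response_plan: str

    def __post_init__(self):
        # Reject entries that were not scored on the shared scale
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset.name}/{self.threat}: scores must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Service:
    name: str
    strategic_goal: str
    assets: list = field(default_factory=list)


def rank_risks(risks):
    """Highest likelihood x impact first; ties broken by impact, then by asset and threat."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.asset.name, r.threat))


def group_by_response_plan(risks):
    """Interdependent risks that share one response plan land in one bucket."""
    groups = defaultdict(list)
    for r in rank_risks(risks):
        groups[r.response_plan].append(r)
    return dict(groups)


def plan_priority(risks):
    """Order response plans by the total risk score each one retires."""
    totals = {plan: sum(r.score for r in rs)
              for plan, rs in group_by_response_plan(risks).items()}
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: one service decomposed into its high-value assets
ORDER_DB = Asset("Order database", "information")
PAYMENT_VENDOR = Asset("Payment gateway vendor", "third party")
WAREHOUSE_STAFF = Asset("Warehouse staff", "people")
ORDER_FULFILMENT = Service("Order fulfilment", "Ship orders on time",
                           [ORDER_DB, PAYMENT_VENDOR, WAREHOUSE_STAFF])

# Constructed register entries (scores are illustrative, not measured)
RISK_REGISTER = [
    Risk(ORDER_DB, "Ransomware encryption", "Order data unavailable", 3, 5,
         "Restore from immutable backups"),
    Risk(ORDER_DB, "Storage hardware failure", "Order data unavailable", 2, 5,
         "Restore from immutable backups"),
    Risk(PAYMENT_VENDOR, "Vendor outage", "Cannot accept payments", 3, 4,
         "Fail over to secondary processor"),
    Risk(WAREHOUSE_STAFF, "Staff shortage", "Reduced shipping throughput", 2, 2,
         "Cross-train and use temp staffing"),
]

if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"{r.score:>2}  {r.asset.name:<24} {r.threat:<26} -> {r.response_plan}")
    for plan, total in plan_priority(RISK_REGISTER):
        print(f"plan '{plan}' covers risk score {total}")
```

Two of the sample risks against the order database differ in threat but share a single recovery plan, so `plan_priority` surfaces that plan first: funding it addresses the top-ranked risk and the third-ranked one together, which is the resource-optimizing prioritization the article describes.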
Risk professionals, technologists, security operations personnel, financial specialists, communications, disaster recovery, and cybersecurity engineers should all participate in the resilience planning discussion, Tucker suggests.
Parasuraman recommends securing commitments from leaders across the enterprise, beginning with IT and product engineering teams all the way up to the C-suite. Meanwhile, recognize that security teams are integral to monitoring threats, thwarting attackers, and building and maintaining incident response plans. “Storage administrators should also be involved to ensure that backup systems are in place across an entire IT stack, from on-premises systems to data and apps running in different cloud environments,” he recommends.