I frequently observe organizations that underestimate the value of embedding Operational Resilience into normal business operations and either neglect it completely or limit it to information security. However, the impact of a significant event or incident can still be severe, even if your information systems and processes are not directly affected.
Think of your business operations as being like driving a vehicle. Your business mission would be to safely use your vehicle(s) to get your driver, passengers, and any precious cargo from point A to point B. In achieving this business mission, there are many things that need to be considered, e.g.,
- Best route.
- Driver fatigue.
- Vehicle condition.
The vehicle is your business infrastructure, which contains many valuable working parts (some more important than others) and with several ‘rules of the road’ that need to be adhered to.
Now, when planning your journey, you might wish to consider what threats might impact your capability to complete your journeys.
- Do you check and plan for a tire/tyre blowout and the potential implications or impact that might be associated with the different scenarios of suffering a blowout or puncture?
What is Operational Resilience?
Most people reading this blog will appreciate that the Financial Services industry has an obligation to ensure that their critical systems remain resilient, e.g., European Regulation on digital operational resilience for the financial sector (DORA). In addition, on 31 March 2022, certain UK Financial Services organizations will need to be able to demonstrate that their important business services are operationally resilient, as detailed in the Regulators’ announcements:
Yes, for any security professional it seems strange that there needs to be a legal requirement to encourage Financial Services organizations to maintain resilient systems.
However, what about other industries, such as Manufacturing?
In July 2020, the United States’ Cybersecurity & Infrastructure Security Agency (CISA) went as far as to create a 5-year plan, entitled the Securing Industrial Control Systems: A Unified Initiative. Now, in this 5-year plan, they write about the importance of maintaining the security and resilience of Industrial Control Systems (ICS).
The Basel Committee on Banking Supervision defines Operational Resilience as being:
“This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimize their impact on the delivery of critical operations through disruption.
In the context of operational resilience, the Committee defines tolerance for disruption as the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios.”
A much simpler and more concise description would be:
The ability to effectively predict, plan for, respond to, and minimize the impact of adverse events or incidents.
- Respond to.
- Bounce back.
Maintaining a Secure & Resilient Motor Vehicle Analogy
Okay, so if you are reliant on your motor vehicle to get you from point A to point B, you will need to ensure that you understand the threats, vulnerabilities and associated impacts to that vehicle, so that you can employ suitable measures to help protect and maintain the operability of the vehicle, e.g.,
- Secure the keys/fob.
- Secure the doors/windows.
- Regular maintenance.
- Drive to conditions.
- Obey road safety rules.
- Prepare for your journeys.
Preparing and Responding to a Tire/Tyre Blow Out
As an example, before you set off on that journey, there are a number of things you might want to consider:
- Have you given any thought to the scenarios that might be associated with a tire/tyre blow out?
- Have you checked the condition of your spare tire/tyres?
- Have you checked that you have all the tools (vehicle jack, wheel brace, etc.) you need to change the wheel?
- What are your contingency plans, in the event that you are unable to change your wheel?
- Do you need roadside assistance/recovery?
- Does your mobile phone have sufficient charge?
- If the weather is cold, have you packed a warm jacket?
- If the weather is wet, have you packed a raincoat?
All of these examples are components of Incident Management (IM), Business Continuity (BC) and Disaster Recovery (DR) – each being separate but complementary domains of operational resilience.
Business Value of Operational Resilience
Recent (non-Cybersecurity/Information Security) events have demonstrated the importance of operational resilience to your business.
- COVID19 required organizations to quickly adapt their business operations to a remote working model.
- As a global organisation, the potential impact of the sanctions on Russia is yet to be felt.
- Imagine if you were a global manufacturing business with premises in Russia, how might these sanctions impact your business?
Did your business identify these non-security related events and did you plan to invoke your IM, BC and DR for such events?
Prior Planning Prevents Poor Performance
If you value your business (motor vehicle) and want to safeguard its operability, it is important to ensure that it is well maintained and operated safely and securely. Consider the value of incorporating operational resilience into your key business functions.
Check out some of the available operational resilience frameworks and see how these could enhance your business and help protect it from such future events, e.g.,
- CERT Resilience Management Model (CERT RMM).
- BIS Principles for Operational Resilience.
- NIST SP 800-160 Vol. 2 Rev. 1.
- ISO 22316:2017(en). Security and resilience — Organizational resilience — Principles and attributes
Operational resilience should never be seen as something your business is pressed into doing (being compliant); rather, your business should understand the value it can bring in helping the organization avoid or ‘Bounce Back’ from impactful events or incidents.
It should never have come to the stage where legislation is needed to encourage businesses to take operational resilience seriously. A proactive organization should be prioritizing operational resilience capabilities so that they can quickly identify any upcoming potentially impactful events/incidents and be appropriately prepared to respond to such events/incidents.
Much like a driver who suffers a blowout mid-journey: they hope it will never happen, but they should ensure that they have everything they need to respond to and deal with such an event/incident.
Businesses that do not have suitable operational resilience capabilities may find themselves coming to a grinding halt and being ‘stranded at the side of the road’.