What is the relationship between Security and Business Continuity?
- Security are focused on incident prevention and incident management.
- Business Continuity follows security, to get the business back up and running after an incident has occurred.
Feedback from BCP Builder Community on LinkedIn:
The Golden Triangle
- Risk management, security and business continuity are interrelated. All seek to promote an organizations will to survive. It’s a little triangle with each striving to fight its own corner (and of course, be at the top). The relationship can be described as:
- 1. Assess the risks
- 2. Deal with the security or other incidents
- 3. Continue the business.
- Start at any corner and visit the other two. You’ll get where you need to be, but business continuity is the holistic approach. It encompasses both the others and is the end result you want to achieve.
- Risk management traditionally wants to insure against the issue and sometimes a cash settlement is preferable. This is often linked to corporate insurance. Security can demonstrate their ‘value’ through reports and metrics. Business continuity (being all encompassing) has a problem articulating the value proposition. Risk management and security are not usually combined; business continuity often falls under one of them. This allows for the risk management or security groups to ‘run’ the process and relegates business continuity to a lower status and capability. The relationship is contentious at best.
- Security is one of the components of resilience. Business Continuity is the central component.
- Terrorist attacks, kidnapping and extortion. For every kind of incident, there is a specific risk mitigation plan. Such as, how fast an affected critical asset will be replaced after a terrorist attack. The same principle applies for a critical position inside a company. There are many potential scenarios: riots, demonstrations, road blockades, fraud.
Proactive and Reactive
- In general, business continuity is reactive while security should be proactive. It could be argued that every department is related to business continuity as they should have a business continuity plan in place that is reviewed on a regular basis and managed by the business continuity team.
- The purpose of security and business continuity is that the service continues to be offered. The objective of applying all security measures is to avoid incidents, or manage them in case of occurrence. If the incident is critical, the business continuity process is triggered. The business may continue in a degraded mode while ensuring a return to normal in a timely manner.
- Security has the aim to prevent incidents. Business continuity management will mitigate the impacts of the incident once it occurs. A good example is sabotage of local IT infrastructure. Security will try to prevent it from happening, ideally via a layered defense system. Business continuity will cover the loss of IT in the building via a business continuity plan: working from home or a backup site.
- Security as a discipline is focused on confidentiality, integrity and availability. Business continuity hones in on availability and recoverability.
- Ideally the disciplines should be working side-by-side and not in the traditional silos.
- Information security covers business continuity planning and disaster recovery as one of its domains. Be it Certified Information Systems Security Professional (CISSP) or Certified Information Systems Auditor (CISA).
- Security also includes privacy and non-repudiation. Information security is one of the hottest professional specializations around the world now, with business resiliency closely behind.
- Often there is very little relation between the two until after things go wrong.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.