topic Re: Business continuity and cybersecurity - which tail wags the dog? in Industry News

Business continuity and cybersecurity - which tail wags the dog?

j_M007 — Mon, 09 Oct 2023 09:09:52 GMT

Hello all.

The BC guys and gals often complain the security folks don't invite them to the party. Security folk complain about how BCP tries to be the directors in the crisis matrix. Nobody (particularly stakeholders and shareholders) wins when the bickering and dickering sours the matrix.

Does anyone have experience or ideas they might share as to how we can 'all just get along'?

Re: Business continuity and cybersecurity - which tail wags the dog?

rslade — Wed, 27 Mar 2019 20:08:04 GMT

> j_M007 (Community Champion) posted a new topic in Industry News on 03-27-2019

> The BC guys and gals often complain the security folks don't
> invite them to the party. Security folk complain about how BCP tries to be the
> directors in the crisis matrix. Nobody (particularly stakeholders and
> shareholders) wins when the bickering and dickering sours the matrix. Does
> anyone have experience or ideas they might share as to how we can 'all just get
> along'?

I go to the BCI Forum meetings here in town, and invite them to all of ours ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Some folks are wise and some are otherwise. - Tobias Smollett
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Business continuity and cybersecurity - which tail wags the dog?

dcontesti — Wed, 27 Mar 2019 20:56:22 GMT

@j_M007 wrote:
Hello all.

The BC guys and gals often complain the security folks don't invite them to the party. Security folk complain about how BCP tries to be the directors in the crisis matrix. Nobody (particularly stakeholders and shareholders) wins when the bickering and dickering sours the matrix.

Does anyone have experience or ideas they might share as to how we can 'all just get along'?

Have to agree that the bickering can actually be very damaging to the organization, sometimes more so than an event.

Having lived through several events, I did the following:

1) Set up quarterly meetings to discuss issues and concepts between the groups (sometimes this had to be monthly 😉 )

2) Ensured that Security folk were invited to DR exercises (in my case they owned authentication and authorization, the firewalls, and the proxy servers)

3) Asked both teams to review all documentation

4) Developed a organization chart for DR exercises showing all reporting lines

5) Asked the CIO of the organization to notate who was the lead and approve 1 thru 4.

Really cut down on the bickering about who owned what. Maybe I was lucky but this worked for me.

Regards

Re: Business continuity and cybersecurity - which tail wags the dog?

j_M007 — Wed, 27 Mar 2019 20:59:43 GMT

Yes I come from BC/DR background myself. When you talk security with some of those folk (not BCI or DRI particularly)m some of them get all prickly. 😉

Re: Business continuity and cybersecurity - which tail wags the dog?

j_M007 — Wed, 27 Mar 2019 21:06:25 GMT

Yes get the C folks (CEO, COO, CFO) to put ~~there~~ their weight behind the CISO/CSO. CISO by the way is a humorous acronym for Francophone people, as it sounds like ciseaux or scissors! 😉

Re: Business continuity and cybersecurity - which tail wags the dog?

dcontesti — Thu, 28 Mar 2019 14:51:11 GMT

@j_M007 wrote:
Yes I come from BC/DR background myself. When you talk security with some of those folk (not BCI or DRI particularly)m some of them get all prickly. 😉

Ah no say, it isn't so.......

🙂

Re: Business continuity and cybersecurity - which tail wags the dog?

HTCPCP-TEA — Thu, 28 Mar 2019 11:38:45 GMT

In my experience I've always found that developing a good relationship between the two "teams" before any incident applies bears most fruit. That way, the events that come to pass mostly strengthen both parties, and weeds out the weaknesses.

Of course, the attitudes of individuals can have great bearing, but I find as long as roles and responsibilities are clearly defined, as mentioned already, then there is little to bicker about.

Most importantly, it's important to take away the perceived "importance hierarchy" when nasty issues arise. Better to have a common goal, a consensus if you will, that allows objection provided it's constructive and sensible. After all, we are all working toward the same rough objectives - one likely fails to exist in its entirety without the other.

Re: Business continuity and cybersecurity - which tail wags the dog?

MikeGlassman — Thu, 28 Mar 2019 13:42:26 GMT

I'm glad to say that we don't have that problem.

Since the Cyber division is a sub division of the IT department, all BC issues are automatically planned with security in mind, and nothing moves forwards without our stamp of approval.

This doesn't mean that we are "the powers that will", but that everyone understands that to have better BC, you need to integrate with security, and we understand and push the fact that BC is an inherent aspect of securing the enterprise.

Win win all round.

Re: Business continuity and cybersecurity - which tail wags the dog?

rslade — Thu, 28 Mar 2019 17:18:04 GMT

> HTCPCP-TEA (Contributor I) posted a new reply in Industry News on 03-28-2019

> In my experience I've always found that developing a good relationship between
> the two "teams" before any incident applies bears most fruit.

I really don't understand why there are two "teams." BCP is (used to be) one of
the CISSP domains. One of my standard conference presentations is a two-hour
workshop on a one-page BCP tool. (I've got a very similar one on IRP.) I also
work (volunteer) in emergency management, and there is all kinds of crossover.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Striving for excellence motivates you; striving for perfection is
demoralizing. - Harriet Braiker
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Business continuity and cybersecurity - which tail wags the dog?

j_M007 — Thu, 28 Mar 2019 17:32:07 GMT

Well BC and DR are two aspects of security to be sure. But the BC and the DR worlds (which are also discrete!) have many compliance and statutory bells and whistles to ring and tweet.

Why make things easy when you can complexify the fuzzification?

Re: Business continuity and cybersecurity - which tail wags the dog?

rslade — Thu, 28 Mar 2019 17:53:04 GMT

> j_M007 (Community Champion) posted a new reply in Industry News on 03-28-2019

> Well BC and DR are two aspects of security to be sure. But the BC and the DR
> worlds (which are also discrete!) have many compliance and statutory bells and
> whistles to ring and tweet. Why make things easy when you can complexify the
> fuzzification?

Discretion (yes I know it's the wrong discreet) is the better part of ensuring the
enlargement of your corporate mini-empire. Yeah, I know BC is ensuring that
whatever happens *doesn't* interrupt your business, while DR is what you do
*after* your business has been interrupted, but so much of the analysis and so
many of the tools are the same that making a huge distinction between them is
another thing that drives me around the twist ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Great wits are sure to madness near allied. - John Dryden, 1681
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Business continuity and cybersecurity - which tail wags the dog?

j_M007 — Thu, 28 Mar 2019 18:22:42 GMT

I like to look at business continuity and security globally in the context of ERM or ORM (organizational risk management).

There are so many little bits and pieces of threats and vulns that can bite you in the @$$ ets

A BCP person can often broaden the scope of looking at the risks and work in conjunction with organizational security.

Thankfully, the BCDR community are wising up to cyber threats, supply-chain threats, and reputational risk from catastrophes either wrought by humans or (super)natural forces and are trying to have playbooks supporting or working in tandem with information security.

However, I still feel like the guy in Prufrock:

For I have known them all already, known them all:

Have known the evenings, mornings, afternoons,

I have measured out my life with coffee spoons;

I know the voices dying with a dying fall

Beneath the music from a farther room.

So how should I presume?

He knows how it's all going to go down! 😉

Re: Business continuity and cybersecurity - which tail wags the dog?

HTCPCP-TEA — Fri, 29 Mar 2019 13:52:32 GMT

I get you,

I don't understand why so many organisations have two teams rather than having it all in one either, but for whatever reason, that seems to be the norm these days.

But hey ho. I work with what I have in forn tof me, or try to change what's in front of me, given the chance.