j_M007
Community Champion

Business continuity and cybersecurity - which tail wags the dog?

Hello all.

 

The BC guys and gals often complain the security folks don't invite them to the party. Security folk complain about how BCP tries to be the directors in the crisis matrix. Nobody (particularly stakeholders and shareholders) wins when the bickering and dickering sours the matrix.

 

Does anyone have experience or ideas they might share as to how we can 'all just get along'?

12 Replies
rslade
Influencer II

> j_M007 (Community Champion) posted a new topic in Industry News on 03-27-2019

>   The BC guys and gals often complain the security folks don't
> invite them to the party. Security folk complain about how BCP tries to be the
> directors in the crisis matrix. Nobody (particularly stakeholders and
> shareholders) wins when the bickering and dickering sours the matrix.   Does
> anyone have experience or ideas they might share as to how we can 'all just get
> along'?

I go to the BCI Forum meetings here in town, and invite them to all of ours ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Some folks are wise and some are otherwise. - Tobias Smollett
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dcontesti
Community Champion

 


@j_M007 wrote:

Hello all.

 

The BC guys and gals often complain the security folks don't invite them to the party. Security folk complain about how BCP tries to be the directors in the crisis matrix. Nobody (particularly stakeholders and shareholders) wins when the bickering and dickering sours the matrix.

 

Does anyone have experience or ideas they might share as to how we can 'all just get along'?



Have to agree that the bickering can actually be very damaging to the organization, sometimes more so than an event.

 

Having lived through several events, I did the following:

 

1) Set up quarterly meetings to discuss issues and concepts between the groups (sometimes this had to be monthly 😉 )

2) Ensured that Security folk were invited to DR exercises (in my case they owned authentication and authorization, the firewalls, and the proxy servers)

3) Asked both teams to review all documentation

4) Developed an organization chart for DR exercises showing all reporting lines

5) Asked the CIO of the organization to notate who was the lead and approve 1 thru 4.

 

Really cut down on the bickering about who owned what.  Maybe I was lucky but this worked for me.

 

Regards

 

d

 

 

j_M007
Community Champion

Yes, I come from a BC/DR background myself. When you talk security with some of those folk (not BCI or DRI particularly), some of them get all prickly. 😉

j_M007
Community Champion

Yes, get the C folks (CEO, COO, CFO) to put their weight behind the CISO/CSO. CISO, by the way, is a humorous acronym for Francophone people, as it sounds like ciseaux or scissors! 😉

dcontesti
Community Champion


@j_M007 wrote:

Yes, I come from a BC/DR background myself. When you talk security with some of those folk (not BCI or DRI particularly), some of them get all prickly. 😉


Ah no, say it isn't so.......

 

🙂

 

HTCPCP-TEA
Contributor I

In my experience I've always found that developing a good relationship between the two "teams" before any incident applies bears most fruit. That way, the events that come to pass mostly strengthen both parties, and weeds out the weaknesses.

 

Of course, the attitudes of individuals can have great bearing, but I find as long as roles and responsibilities are clearly defined, as mentioned already, then there is little to bicker about.

 

Most importantly, it's important to take away the perceived "importance hierarchy" when nasty issues arise. Better to have a common goal, a consensus if you will, that allows objection provided it's constructive and sensible. After all, we are all working toward the same rough objectives - one likely fails to exist in its entirety without the other.

MikeGlassman
Contributor II

I'm glad to say that we don't have that problem.

 

Since the Cyber division is a sub division of the IT department, all BC issues are automatically planned with security in mind, and nothing moves forwards without our stamp of approval.

 

This doesn't mean that we are "the powers that will", but that everyone understands that to have better BC, you need to integrate with security, and we understand and push the fact that BC is an inherent aspect of securing the enterprise.

 

Win win all round.

Sincerely,

Mike Glassman, CISSP
Iguana man
rslade
Influencer II

> HTCPCP-TEA (Contributor I) posted a new reply in Industry News on 03-28-2019

> In my experience I've always found that developing a good relationship between
> the two "teams" before any incident applies bears most fruit.

I really don't understand why there are two "teams." BCP is (used to be) one of
the CISSP domains. One of my standard conference presentations is a two-hour
workshop on a one-page BCP tool. (I've got a very similar one on IRP.) I also
work (volunteer) in emergency management, and there is all kinds of crossover.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Striving for excellence motivates you; striving for perfection is
demoralizing. - Harriet Braiker
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

j_M007
Community Champion

Well BC and DR are two aspects of security to be sure. But the BC and the DR worlds (which are also discrete!) have many compliance and statutory bells and whistles to ring and tweet.

 

Why make things easy when you can complexify the fuzzification?