Business continuity and disaster recovery (BCDR)—cybersecurity’s neglected middle children. BCDR gets no respect. It’s delegated down or relegated out. It’s practically a rite of passage for a junior security analyst to take on BCDR documentation.
So, you can imagine our surprise when disaster recovery was identified as the fourth strongest contributor to building a successful cybersecurity program. The Security Outcomes Study, Volume 2, found that BCDR showed significant correlations with positive outcomes, including:
- Gaining the confidence of executive leadership
- Obtaining peer support and buy-in for security
- Keeping up with the business
- Identifying and managing top risks
- Minimizing unplanned work and wasted effort
These findings left us puzzled. Although some of us who’ve long supported continuity and recovery cheered, we had questions. What makes BCDR effective? When does the program start showing results? Is it better to start bottom-up or go top-down?
These questions (and more) have been answered in our newly published Security Outcomes Study. And here, in Part 5 of our blog series, I’ll pull out some of the report’s most salient findings. But the bottom line is this:
Resiliency is finally bringing BCDR back into vogue.
Scope and scale of BCDR
Let’s dig deeper. What needs to be resilient?
A common line of thinking, stretching back to the days of recovering physical equipment in hot sites and cold sites, was that BCDR should focus only on the most critical systems. We churn our own butter. We walk uphill both ways to school. We recover top-tier assets. And guess what? We like it!
Keeping that in mind, look at the chart below. Here, we compare how many of the systems are recoverable to how well organizations are doing at achieving the continuity objective. Contrary to popular wisdom, the report finds, “There’s virtually no improvement in the probability of achieving this outcome until BCDR capabilities cover at least 80% of critical systems.”
This target scope is especially concerning for organizations with legacy use cases and edge cases.
A CISO recently told me that his infrastructure was like an ultimate brownie pan: all edges. I told him he’s not alone. The Security Outcomes Study found that “nearly 40% of in-use security technologies were considered outdated.”
In other words, the struggle is real.
Test that plan
Any security capability is only as strong as it is when exercised. So, say we get the scope right. The very next consideration should be how well we’re executing our plans.
The following chart hits this home by comparing the number of recovery activities performed by the success at achieving continuity. Five activities per month might seem high, but this figure includes walking through the plan, holding tabletop exercises, and doing live, parallel, and production testing. Use these five types of exercises to verify your plan and provide training.
The report also found that “organizations that regularly engaged in all five types of disaster recovery testing were almost 2.5 times more likely to successfully maintain business continuity than those who did none.”
And an additional way to keep the team sharp? Technical validation. Or, by another name, chaos engineering.
Some say chaos engineering is just the latest fad. But the numbers suggest otherwise. Here’s what the study found: “Organizations that make chaos engineering standard practice are twice as likely to achieve high levels of success for this outcome than organizations that don’t.”
Top-down or bottom-up?
So, we need a thorough scope. We need a strong plan. We need ample testing and validation. Sounds good, right? But where do we begin?
I believe that wherever a person sits in an organization, they can make a positive change for security. While BCDR has often been delegated down to junior professionals, that doesn’t mean these individuals haven’t done good work.
In fact, the report found that BCDR ownership is distributed evenly between the CIO, the CISO, and the non-technical members of the C-Suite. So, not only is bottom-up possible, it’s practically the norm.
However, here is the kicker. According to our report, businesses with “board-level oversight of BCDR are most likely (11% above average) to report having strong programs.”
Consider the strong outcomes we observed: gaining the confidence and support of executive leadership and peers, keeping up with the business, and working on the top risks to the organization. Board-level visibility is crucial.
So, what’s the answer? Top-down or bottom-up? How about top-down AND bottom-up?
“Operations residing within cybersecurity or specialized business continuity teams tend to report the best performance. Board-level visibility seems to be the rising tide that lifts all boats.”
So, what do we recommend?
With resiliency being a top priority in response to ongoing attacks and widespread outages in cloud services, establishing effective BCDR and maturing its capabilities should be a key component of 2022 roadmaps. How should you plot that roadmap?
Based on the Security Outcomes Study, we suggest that security teams:
- Elevate BCDR to a board-level conversation: Getting top-down support can move any initiative further, faster. Beyond that, placing continuity within the context of the organization’s mission and business-level objectives ensures the capability is focusing on the right systems and the right risks.
- Expand the BCDR scope: Starting with top-tier systems allows us to build our processes and train our people. But plan to expand that scope to at least 80% of those systems. Use a phased approach to demonstrate ongoing progress and build on early successes.
- Exercise, exercise, and exercise again: Execute at least five recovery activities every month, evaluating and testing various parts of the plan. Remember that continuity and recovery capabilities are only as strong as they are exercised.
- Integrate BCDR with broader security functions: The prioritization and risk-ranking of resources should be shared with other risk management functions. Similarly, tightly integrated asset management and threat management ensures all teams are working off the same playbook.
BCDR is a sleeper capability that delivers surprisingly strong outcomes. Tactically, one should use BCDR to improve resiliency in IT systems. Strategically, one should find ways to drive other programs through the viewpoint of what truly matters to the business.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels