While reading IT Grundschutz, the German information security baseline standards, and in particular the BSI standard 100-4 on Business Continuity Management, I've been thinking about a curious gap that I believe has opened up between the fields of information security and business continuity.
The way I think of it, 'resilience' (and related concepts such as 'over engineering', redundancy, automated failover and so forth) is very definitely an integral and essential part of 'business continuity' (in other words, keeping vital business operations running as near normally as possible, despite whatever threats and vulnerabilities might materialize). Keeping unauthorized users out of the applications, systems and networks, preventing data and systems corruption (including that deliberately introduced by corrupt fraudsters, as well as incompetent or indolent users, designers, administrators, developers and managers), avoiding unplanned and unwelcome changes, avoiding/neutralizing malware and maintaining adequate IT performance and capacity are, for me, all important business process resilience controls, and are therefore all valid aspects of 'business continuity'.
Avoiding or at least reducing the extent/impact of incidents, crises and disasters has got to be better than recovering from them, surely?
However, most 'business continuity' standards are purely concerned with 'Assume a disaster has happened: we need to prepare ourselves to cope with what happens next'. They talk about timely resumption and recovery, all post-event of course, while most information security standards major on maintaining confidentiality, with a few token nods towards data, network, application or system integrity but very little in the way of process or personal integrity and even less about availability, other than referring to 'business continuity' (often meaning IT Disaster Recovery in fact) as if that settles the matter.
Most organizations I've worked with seem to separate information security from business continuity management, in the same way that most separate physical from information security, and have other stovepipes for fraud, risk management and compliance.
So what on Earth happened to resilience? Where did it go? Have you seen it, hiding in a corner somewhere? While I totally support the need for contingency planning to prepare the organization to cope more effectively with disasters that result from the failure of preventive controls, I strongly suspect that many organizations would be better off diverting some of their not inconsiderable business continuity budgets towards resilience and prevention, or at the very least creating a more coherent strategy linking information security with business continuity through their common interest in resilience.
I'd be especially interested to hear from anyone who is familiar with standards, guidelines etc. that cover resilience (as outlined above) in some detail, whether they claim to cover information security, business continuity or something else entirely. Go on, give us a clue about where to find the missing field.
... 97, 98, 99, 100, coming, ready or not!
PS A well-written piece on Investing in software resiliency by Dr. C. Warren Axelrod, U.S. Cyber Consequences Unit, lays out several aspects of resilience, including a number of availability threats, software development process issues and of course a range of IT resilience controls such as fault tolerance and failure recovery, system fail-over and recovery and restoration. Even cloud computing merits a mention. However, once again, business continuity and the wider aspects of identifying and maintaining critical business functions are largely implied.