Your “ART-ful” Enterprise: Security and Resilience

As discussed previously (in “Security and the ‘ART-ful’ Enterprise” and “Your ‘ART-ful’ Enterprise: Security and Agility”), to become more “ART-ful,” your enterprise must become more agile, resilient, and trustworthy. This post digs a bit more deeply into what business resilience (or its less common synonym, “resiliency”) is, why it matters, and how to achieve and sustain it.

As is true with business agility, business resilience is a much broader and deeper consideration than many typical discussions of the subject seem to indicate. Those discussions tend to focus on disaster recovery and business continuity (DR/BC) tactics and tools. However, true business resilience is more than disaster recovery, and even more than business continuity. True enterprise resilience is a strategic focus on maintaining operational integrity, and restoring it as quickly and completely as possible after any disruption – planned or unplanned, minor or catastrophic.

ISACA (formerly the Information Systems Audit and Control Association) is a membership organization that provides certifications, information, and guidance focused on auditing controls for computer systems. In 2009, the ISACA Journal published an article called “Key Considerations for Business Resiliency.” That article provides both a comprehensive definition and a significant caveat for those pursuing business resilience (or resiliency).

“Business resiliency is the maturation and amalgamation of the individual processes of crisis management, incident response, business continuance and disaster recovery into one succinct set of processes and capabilities that work collectively, instead of independently. This combination allows organizations to have minimal disruption in the event of a business-impacting incident that affects the entire organization, instead of focusing on incidents that involve specific information infrastructure areas.

“When evaluating these capabilities, it is important to understand that they are only as effective as the proactive planning and considerations that go into their development. Too often, planning accounts for only the most obvious considerations and does not incorporate crucial and essential considerations that have a greater effect on the business.”

Resilience Defines the Bottom Line

As the ISACA quote above states, resilience includes multiple other elements beyond DR/BC. Despite the inclusion of “BC” in the description and intent of most DR/BC plans, these tend to focus on “DR” and IT. True resilience, however, focuses more on the needs of and effects upon the business. The goal of true resilience is to enable the business to avoid threats, disasters, and disruptions, and to recover rapidly and seamlessly from those that cannot be avoided.

A specific focus area for resilience plans and strategies is the availability of essential IT and business services. And small-seeming differences can mean a lot. For example, the difference between 99-percent availability and 99.9-percent availability is the difference between 1.68 hours and just more than 10 minutes of downtime every week. And most IT service level agreements (SLAs) focus on availability levels of 99.99 percent, or “four nines,” and 99.999 percent, or “five nines.”

These differences merely hint at the range of options available to those seeking to balance availability with cost, since higher availability almost always requires higher investment in infrastructure. IT decision makers are often significantly challenged by the need to associate costs with availability levels in ways meaningful to their business colleagues.

This challenge is a primary driver behind the growth of enhanced reporting and “chargeback” and “showback” features in IT infrastructure and service management offerings. However, these can only improve the presentation of relevant information. They do nothing to make the underlying infrastructures and the services they enable more available, resilient, or robust. Such features can and should be included in resilience strategies and solutions, but they cannot and should not stand alone.

How to Achieve and Sustain Resilience

There is one thing you must do and keep doing to start down the path toward true enterprise resilience.

Patch everything. All the time. Starting now.

To make your enterprise truly resilient you need a firm, reliable foundation of security. The successful laying of that foundation begins with patching. Why is this step so critical to effective security and enterprise resilience? Here are just a few reasons.

According to the Verizon 2015 Data Breach Investigation Report, “Many existing vulnerabilities remain open, primarily because security patches that have long been available were never implemented. In fact, many of the vulnerabilities are traced to 2007 — a gap of almost eight years.”

And according to Gartner analyst Anton Chuvakin, “Although patching has been ‘a solved problem’ for many years, even decades, a lot of organizations struggle with it today – and struggle mightily. …in the darkest woods of IT, patching third-party applications on a desktop remains a significant challenge for many organizations.”

By the way, according to the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST), some 86 percent of reported vulnerabilities come from third-party applications. So even the most robust patching of operating systems is inadequate to assure that your environment is secure enough to be truly resilient.

Do whatever it takes to ensure that all of your enterprise’s critical applications, operating systems, servers and user devices are patched and updated consistently and in a timely fashion. Then, begin to take the following actions.

(Credit where credit is due: the following recommendations are adapted and expanded from an August 2013 blog post by Jenny Juliany, VP of solutions architecture and co-founder of Intréis, where we both worked before ServiceNow acquired that fine organization. Thanks, Jenny!)

Plan. To make and keep your enterprise as resilient as possible, you and your team must develop and implement a comprehensive, business-centric plan for achieving and sustaining the resilience levels your business demands. Whether described as “high availability,” DR/BC, or otherwise, the goals of your plan should be the same – maximum resilience. And that plan requires a well-thought-out planning lifecycle, which in turn depends upon a formal, detailed policy for DR/BC.

Analyze. Your plan should also be based on a business impact analysis (BIA) that maps out all critical processes, systems, and services, their owners, and their interdependencies. You and your team should then establish formal recovery time objectives (RTOs) and recovery point objectives (RPOs) for all critical business functions and supporting services. In addition, all of your service level agreements (SLAs) should be closely aligned with these objectives.

Engage. To be as successful as possible, your plan must also include specific guidance for keeping the constituents IT supports engaged and informed about efforts to maximize resilience, security, availability, and recoverability. Such “marketing” and “sales” efforts may be unfamiliar territory for many in IT. However, they can be essential in gaining support from and eliminating objection or obstruction by those constituents.

Update. Finally, a comprehensive plan must also include specific recovery and continuity plans and procedures. It must also include processes for testing these regularly, and for regular review of all relevant policies, plans, processes, and procedures.
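As an added illustration (not code from the original post), the downtime arithmetic behind the availability percentages quoted earlier, extended to a yearly budget and to the “Analyze” step’s alignment check: whether an SLA’s availability target can absorb even one outage that runs for the full RTO. The RTO values and the 365-day year are assumptions for the example.

```python
"""Availability targets as downtime budgets, plus an SLA-versus-RTO alignment check."""

HOURS_PER_WEEK = 24 * 7      # 168 hours
HOURS_PER_YEAR = 24 * 365    # 8760 hours (non-leap year, assumed for the example)


def downtime_minutes(availability_pct: float, period_hours: float) -> float:
    """Minutes of downtime permitted in a period at the given availability percentage."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be in (0, 100]")
    return (100.0 - availability_pct) / 100.0 * period_hours * 60.0


def nines_table(targets=(99.0, 99.9, 99.99, 99.999)) -> dict:
    """Weekly and yearly downtime budgets, in minutes, for each availability target."""
    return {
        t: (round(downtime_minutes(t, HOURS_PER_WEEK), 2),
            round(downtime_minutes(t, HOURS_PER_YEAR), 2))
        for t in targets
    }


def outages_tolerated_per_year(availability_pct: float, rto_hours: float) -> int:
    """Number of outages, each lasting the full RTO, that the yearly budget can absorb."""
    if rto_hours <= 0:
        raise ValueError("RTO must be positive")
    budget_minutes = downtime_minutes(availability_pct, HOURS_PER_YEAR)
    return int(budget_minutes // (rto_hours * 60.0))


def sla_supports_rto(availability_pct: float, rto_hours: float) -> bool:
    """An SLA is aligned with an RTO only if one full-RTO outage fits inside the budget."""
    return outages_tolerated_per_year(availability_pct, rto_hours) >= 1


if __name__ == "__main__":
    for target, (weekly, yearly) in nines_table().items():
        print(f"{target:>7}% -> {weekly:8.2f} min/week, {yearly:8.2f} min/year")
    # Constructed scenario: a four-hour RTO against "three nines" and "four nines".
    for target in (99.9, 99.99):
        n = outages_tolerated_per_year(target, 4.0)
        print(f"{target}% with a 4 h RTO tolerates {n} full-RTO outage(s) per year")
```

The point the table makes concrete: a “four nines” SLA paired with a four-hour RTO is internally inconsistent, because a single outage recovered on target already exhausts the year’s budget.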

No enterprise can be fully agile or trustworthy if that enterprise is not sufficiently resilient. In fact, insufficient resilience can kill an enterprise in the face of a major disruption or disaster.

Begin by patching everything, all the time, starting now. Then, assess whatever current DR/BC resources and efforts are in place at your enterprise. Evaluate and triage these, then build upon them to reach and maintain the levels of resilience you, your constituents, and your enterprise want, need, and deserve.

Next up: trustworthiness, perhaps the most critical determinant of your enterprise’s ability to compete and succeed. Meanwhile, your thoughts and reactions are welcome.