{"id":2549,"date":"2025-03-31T06:30:00","date_gmt":"2025-03-31T06:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2549"},"modified":"2025-03-31T06:30:00","modified_gmt":"2025-03-31T06:30:00","slug":"how-cisos-can-balance-business-continuity-with-other-responsibilities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2549","title":{"rendered":"How CISOs can balance business continuity with other responsibilities"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cyber incidents, especially ransomware, are changing the way businesses assess risk and resiliency. As a result, what was once largely a CIO function is becoming that of a CISO, with CISOs taking on more business risk responsibilities, including business continuity and third-party risk management, according to the IANS <a href=\"https:\/\/www.iansresearch.com\/resources\/ians-state-of-the-ciso-report?utm_id=701Ro00000S1UIWIA3\">State of the CISO 2025 report.<\/a><\/p>\n<p>From a CISO perspective, business continuity has three main crossovers. The first is providing input from business continuity into risk management and the security controls. \u201cIt\u2019s gathering all the information out of good business continuity and <a href=\"https:\/\/www.csoonline.com\/article\/2139710\/disaster-recovery-vs-ransomware-recovery-why-cisos-need-to-plan-for-both.html\">disaster recovery<\/a> and feeding that into other security components,\u201d says Wolfgang Goerlich, faculty at IANS Research.<\/p>\n<p>Second, infosec needs input into business continuity and disaster recovery (BCDR) planning for the recovery and resumption of operations. Third, more generally, cybersecurity needs to consider the availability of business processes and systems. 
\u201cStrategically, we can provide a lot of value by understanding what the organization is doing,\u201d he tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Cybersecurity leaders must ensure a quick recovery of systems without reinfection<\/h2>\n<p>The challenge for CISOs is providing security while ensuring the business recovers quickly without reinfecting systems or making rushed decisions that could lead to repeated incidents.<\/p>\n<p>The new reality of business continuity is dealing with cyber-led disruptions. Organizations have taken note: 46% nominate cybersecurity incidents as the top business continuity priority, according to <a href=\"https:\/\/www.forrester.com\/report\/the-state-of-business-continuity-2024\/RES181253\">Forrester\u2019s 2024 State of Business Continuity<\/a> report.<\/p>\n<p>In addition, almost two-thirds are increasing their business continuity (BC) budgets, showing the importance organizations are placing on developing mature programs and mitigating the risk of critical incidents such as a cyberattack.<\/p>\n<p>\u201cWith traditional business continuity, we had a handful of scenarios \u2014 power loss, equipment failure, fire, misconfiguration \u2014 and we had the same approach, which was to recover your last backed up image,\u201d says James Blake, VP of cyber resiliency strategy at Cohesity.<\/p>\n<p>With cyber incidents, however, it\u2019s necessary to understand how the incident manifested to ensure systems aren\u2019t recovered in a way that brings back the problems and risks the organization being re-attacked or reinfected, leading to further downtime, notes Blake.<\/p>\n<p>The complexity and prevalence of cyber attacks are drawing the CISO into BC planning and responsibility, and Blake suggests a three-pronged response: catch the vulnerability, because that\u2019s the major way ransomware is getting in; continually adapt preventative rules to stop ransomware coming in again; and, of crucial importance, remove the artefacts of 
the attack. \u201cThe artefacts include the accounts created, security policies, other changed configurations, and ways they used to maintain persistence because if we don\u2019t take them out, we\u2019re just resetting the <a href=\"https:\/\/thebulletin.org\/doomsday-clock\/\">doomsday clock<\/a> to 23:59,\u201d says Blake.<\/p>\n<h2 class=\"wp-block-heading\">CIO-CISO divide: Who owns business continuity?<\/h2>\n<p>While CISOs may find that their remit is expanding to cover business continuity, a lack of clear delineation of roles and responsibilities can spell trouble.<\/p>\n<p>To effectively handle business continuity, cybersecurity leaders need a framework to collaborate with IT leadership.<\/p>\n<p>Responding to events requires a delicate balance between thoroughness of investigation and speed of recovery that traditional business continuity plans may not accommodate.<\/p>\n<p>On paper, the CISO owns the protection of confidentiality, integrity, and availability, but availability was outsourced a long time ago to either the CIO or facilities, according to Blake. \u201cBCDR is typically owned by the CIO or facilities, but in a cyber incident, the CISO will be holding the toilet chain for the attack, while all the plumbing is provided by the CIO,\u201d he says.<\/p>\n<p>CIOs won\u2019t typically investigate cyber attacks to the same degree as CISOs. After a cyber incident, there may be competing priorities between backup and remediation, for example. \u201cThey [CIOs] might have a slightly different use case for a backup product, but they don\u2019t operationalize the incident response, starting from remediation of the threat,\u201d Blake tells CSO.<\/p>\n<p>At the very least, the CISO needs a seat at the table during the incident response, but ideally the two teams need to be working in collaboration before, during and after. In Blake\u2019s experience, this is the defining feature of organizations that suffer the least amount of downtime. 
\u201cThey\u2019ve got that shared responsibility model between the two teams. They\u2019ve drilled down into how they hand off from one to the other and they have proper case management between the two so nothing\u2019s missed,\u201d he says.<\/p>\n<p>BCDR is becoming a more common part of the CISO toolkit, but there\u2019s still a lot of back and forth around who should own it and how widely it should be deployed, according to Goerlich. \u201cI\u2019ve been in organizations where BCDR was something done separately, where we were a partner, but not directly involved. I\u2019ve been in other organizations where I was the primary driver of the program,\u201d says Goerlich.<\/p>\n<p>Whether or not the CISO defines downtime metrics depends on who has responsibility for the program, says Goerlich. Either way, the metrics are driven by the pain the organization feels, as captured in the business impact analysis. For example, the recovery time objective (RTO) will vary according to the industry and relevant considerations such as safety in manufacturing and healthcare, and integrity or business process completion rates in financial services.<\/p>\n<p>\u201cWhen it comes to third-party risk and supply chain management, if it\u2019s the CISO\u2019s responsibility, it\u2019s taking all the work the CISO is doing and adding BCDR requirements to it and then re-auditing,\u201d says Goerlich.<\/p>\n<p>In one case, he helped a bank audit its SLAs, starting by matching its internal SLAs to its service providers\u2019 SLAs and then conducting spot visits with some of those service providers to see if they could deliver on those SLAs. 
\u201cMany of them weren\u2019t as prepared as they said, many had strategies that were ineffective, and many had things the sales team was promising, that the technical team was unaware of or unable to respond to,\u201d he says.<\/p>\n<p>The confusion about who owns ultimate responsibility for business continuity and disaster recovery is part of the ongoing CISO struggle to become a true business partner.<\/p>\n<p>\u201cWhen you\u2019re doing business continuity, you have to understand the business processes, and that takes you out of technology. A lot of good BC work is not tech work, it is business process work,\u201d he tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Quantifying business continuity effectiveness<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1247004\/acsc-and-cisa-launch-step-by-step-business-continuity-instructions-for-smbs.html\">BC programs are foundational<\/a> not only to help the organization maintain their vision and brand promise, no matter the crisis, but mitigate financial and operational risks and comply with regulations.<\/p>\n<p>However, some industry data shows a difference between self-assessment and actual performance, suggesting there\u2019s a critical gap between perception and reality in continuity programs. 
Some 95% of organizations overestimate their cyber resilience capabilities, which leads to business continuity disruptions as well as ransomware payments, according to the Cohesity Global Cyber Resilience <a href=\"https:\/\/www.cohesity.com\/press\/cohesity-research-finds-organizations-overestimate-their-cyber-resilience-leading-to-business-continuity-issues-ransom-payments\/\">report 2024<\/a>.<\/p>\n<p>The time taken to recover data and restore business processes after a cyberattack fell outside the targeted recovery time objective in almost all cases, even though half had simulated a cyber event or data breach in the past six months.<\/p>\n<p>This shows there is a need for objective measurement and realistic assessment. CISOs need to have input into how much time is allocated for investigation and remediation to securely recover from a cyber incident. \u201cIf your RTO is two days, with a cyber incident, you\u2019re not going to achieve that without a huge amount of investment because you\u2019ve got those additional steps,\u201d says Blake.<\/p>\n<p>Because of the time required to investigate and the need to refer to trusted sources and configurations, rebuilding rather than recovering and cleaning can save time and ensure safe recovery, according to Blake. Nonetheless, it requires a level of maturity that not all organizations and CISOs have achieved. \u201cOrganizations can typically do some elements of a rebuild for not much more effort than a traditional volume recovery and cleaning,\u201d he says.<\/p>\n<p>Organizations with mature BC programs experienced fewer critical risk events, according to the Forrester report. However, BCDR programs mature through incremental improvements. 
CISOs can develop their approach and deepen their involvement as the organization moves along the maturity scale.<\/p>\n<p>At a low maturity level, CISOs will want to start by making sure the systems and the BCDR work are unified between IT and security, says Goerlich. His advice is to adopt a maturity-scale mindset, taking a risk-based approach and starting small. \u201cMeet the business where it is and slowly improve the security posture and the continuity and recovery capabilities,\u201d he says. \u201cDon\u2019t jump into trying to do everything because you\u2019ll just burn yourself out.\u201d<\/p>\n<p>Keep in mind that the scenarios and strategies are very dependent on the technology and the threat. Then map out the business functions, the threats to them, and the strategies to recover each. \u201cYou can reduce what seems like a large number of things you need to do down to a much more manageable portfolio of continuity and recovery responses,\u201d Goerlich says.<\/p>\n<p>Finally, understand that BC is more than just another compliance exercise to delegate. Continuity and recovery can be very strategic because they provide insight into what matters to the business and who matters to the business. Aim to have some ownership and responsibility. \u201cIf not, CISOs are really missing out on the strategic input and the ability to use this function to elevate your voice within the organization,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Resilience is more than just recovery<\/h2>\n<p>The Forrester survey found developing a more integrated approach to operational resilience is a high priority for organizations, especially in North America (46%). 
<a href=\"https:\/\/www.csoonline.com\/article\/3618501\/key-strategies-to-enhance-cyber-resilience.html\">Resilience is thinking beyond traditional recovery models<\/a> toward a security strategy based around minimizing vulnerabilities, adapting in real time, and maintaining operations despite ongoing threats.<\/p>\n<p>Goerlich says resilience is a combination of disaster recovery, business continuity, high availability, and incident response. \u201cResiliency is the overall umbrella term for all these capabilities to deliver that top line goal of protecting the organization\u2019s ability to achieve its mission,\u201d he says.<\/p>\n<p>For CISOs, there\u2019s an opportunity to flex their cyber muscles when it comes to cyber risk, business continuity and going further to adopt the goal of organizational resilience.<\/p>\n<p>As a financial services organization, Bread Financial operates in one of the most highly regulated industries and CISO Gaurav Kapil says its cybersecurity posture aligns with NIST CSF. The Recover function provides the continuity and resilience element. In practice, this includes <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletop exercises<\/a>, targeted recovery operations focused around critical business operations and standing up the right functionalities to absorb and defend against attacks.<\/p>\n<p>\u201cToday, a lot of bad traffic comes through bot traffic, so having capabilities to detect and mitigate that in an autonomous way is one of the key functions a cyber program needs to provide that level of cyber resilience and continuity of function,\u201d Kapil says.<\/p>\n<p>These capabilities are essential to provide resilience, which needs to be the overarching goal in the design of a cyber strategy. 
Kapil believes the notion of continuity is a little dated because it assumes that when something goes wrong, some services have to be shut down and then brought back online to continue functioning. Instead, with resilience, the goal is to develop systems that have the ability to absorb and deflect any anomalous activities within their environment.<\/p>\n<p>\u201cIn my mind, it\u2019s no longer about conventional disaster recovery and business continuity planning, it\u2019s more about business and tech resilience where you expect certain things to go wrong and you\u2019re engineering your resilience thinking into the design itself.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cyber incidents, especially ransomware, are changing the way businesses assess risk and resiliency. As a result, what was once largely a CIO function is becoming that of a CISO, with them taking on more business risk responsibilities, including business continuity and third-party risk management, according to the IANS State of the CISO 2025 report. 
From [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2541,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2549","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2549"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2549"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2549\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2541"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2549"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2549"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2549"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}