A great deal has been written about the convergence of information and physical security.1 Much of my career experience has bridged information security, business continuity management, and IT disaster recovery, which exemplifies convergence in a somewhat related manner. For many years, I have said that these were all parts of the same thing. If an organization experienced downtime due to a logical cause we called it information security; if the cause was physical, we called it disaster recovery.
Downtime Caused by Cyberattacks
Cyberattacks have confused the matter. It is clear that they are a cause of system unavailability, with some indication that cyberattacks have overtaken physical events as a source of downtime.2 As a result, the attention of both business and IT management has been split. On the one hand, they are seeking methods to speed recovery of systems and data, a function of IT operations. On the other, they are pursuing ways to keep the business going while the systems are being recovered, i.e., business continuity management. Information security enters the picture only insofar as it has failed to prevent an attack.
Of course, downtime has always been a business continuity issue.3 Many cyberattacks, particularly those involving ransomware, result in far more extensive outages than those caused by weather and fires, measured not in hours-to-days but days-to-weeks-to-months. Organizations that can withstand some downtime often find lengthy periods without systems and the data they produce to be intolerable—though they might have to tolerate it, or cease operations.
To summarize, cyberattacks are bad things. Some of them cause downtime, which necessitates a response from the organizations supported by the downed systems, both to recover the systems and sustain themselves in the meantime. The questions I would like to deal with are: Who is responsible for recovery, in the broadest sense? What skills and experience do they need? And finally, why has this proven to be so difficult?
Cyberattacks and the Business Continuity Management Function
For many decades, planning for the organizational response to downtime has fallen to an organization’s business continuity management function. This makes sense, as the people in this function have experience in planning for returning to “business as usual” after disruptions. There are many scenarios in which disruptions make BAU, as it is termed, possible only with the prior acquisition of resources and acceptance of a period of less-than-usual operations. Most of these turn on the failure of critical resources, which definitely include information systems.
However, in my experience, the scenarios business continuity managers have often focused on are the loss of working premises and the utilities that support them. In practice, that meant the loss of office buildings where information-oriented work is performed. Less attention was paid to the unavailability of facilities such as factories, warehouses, or theaters. If those buildings were destroyed or rendered unusable, relocating to another location or working at home were not meaningful alternatives.
Similarly, the failure of information systems was often not addressed. In part that was because it was the IT function that maintained disaster recovery (DR) plans, to restore the systems as quickly as possible, often by relocating to a commercial hot site. Technological changes have reduced the importance of DR planning from a business continuity perspective. Simply put, cloud computing has sped up recovery to the point that planning to send backup tapes to a distant location and starting from scratch no longer makes sense.
The reluctance of business continuity managers to step up to IT failures has left them unprepared—or unwilling— to deal with extended outages that do not permit BAU. There is no “usual” when downtime extends to weeks or more. This leads to effective abdication of responsibility for cyberrecovery from business continuity management to the IT function.
Business Continuity and the IT Function
However, IT personnel generally do not have the same skills as business continuity managers. They do not have the tools and techniques for assessing the risk of downtime, nor its impact,4 nor for finding workarounds and alternatives to the information systems user functions rely on.
Some literature on cyberrecovery has been published, often by companies that make products that (oh, just coincidentally) might be used to recover systems following attacks. The most notable guidance that I have seen comes from the US National Institute of Standards and Technology (NIST). Entitled “Guide for Cybersecurity Event Recovery” (NIST Special Publication 800-184), it is to my reckoning a primer on business continuity management for IT specialists. It does provide an overview of what should be in a cyberrecovery plan but very little on how to get it there.
A Combination of Talents
The ideal planner for recovery, in both the technical and business senses, from a cyberattack, would have a background in data center operations, with a deep knowledge of IT infrastructure and experience developing and maintaining application systems. This person would also know how to calculate the impact of disruptions, how to write plans for the continuity of operations, and how to test these plans to ensure that they work. Oh, and be faster than a speeding bullet and able to leap over tall buildings in a single bound.5
Or maybe a cooperative effort is called for from many functions, of which IT operations and business continuity management are in the forefront. There is also room at the proverbial table for IT auditors, information security professionals, and risk managers.6 And of course, business leaders ought to have a say.
This combination of talents should be obvious, and I have seen some organizations that are treating cyberattacks as an enterprise-wide threat calling for an enterprise-wide response. But sadly, I have also encountered many organizations that do not have this mentality and thus approach the problem differently. Most commonly I find that while lip service may be given to the need for many contributors, the responsibility is actually given to IT alone. For a long time, too long, anything that touched upon computers and data was left for the IT function to sort out. The implication has been that system availability should be as automatic as switching on the lights or turning on the faucets. Systems are only noticeable when they are not there.
It is not that IT should be uninvolved in cyberrecovery; it is just that they cannot solve an enterprise-wide problem by themselves. While many IT professionals have sound business skills, if they are asked to solve a problem in a system-reliant business, they are likely to do so by implementing even more systems.
Then if a cyberattack requires use of the alternatives, they would be required both to recover the affected systems and operate the other ones. This would just place even more stress on the most stressed part of the organization.
If the other functions do not insist on being included in defining solutions, IT must learn to refuse to do so on its own. Saying “no, we will not” is not generally how IT (or any other organizational unit) has been raised, nor should any of them refuse to come out and play. Some tasks are beyond the capability of any one function, and I maintain that cyberrecovery is one of them. IT can be a sturdy midfielder and do some scoring, but the businesspeople are the strikers, with security playing defense and tending the goal.7 It will take the whole team.
Endnotes
1 One example among many comes from an authoritative source, the US Cybersecurity & Infrastructure Security Agency (CISA), “Cybersecurity and Physical Security Convergence Action Guide,” 5 January 2021
2 Risk & Insurance, “Cyber Attacks Top Cause of IT Downtime for UK Businesses,” 1 October 2024
3 I have dealt with this in the past. See Ross, S.; “It’s About (Down) Time,” ISACA Journal, vol. 5, 2022
4 Ross, S.; “Cyber Impact Analysis,” ISACA Journal, vol. 5, 2024
5 For readers not from my geography nor my age cohort, I’m talking about Superman. Not Shaw. Not Nietzsche. The Man of Steel from radio, television and the movies.
6 In other words, all ISACA’s most populous constituencies.
7 Here is an American using a sports analogy with reference to football, but not the American version. How about that!
STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP
Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.