All companies need a business continuity manager, writes Yusuf Ukaye, Business Continuity/Disaster Recovery Specialist at IT Specialists (ITS) UK.
Companies have never faced such a complex blend of challenges as they do now, from ever more involved regulatory hurdles, global weather incidents, cybersecurity scares and even Brexit. Given this huge range of threats to monitor, it’s no surprise that the role of the business continuity manager has come of age to cope with the onslaught, moving beyond their traditional role as a cost centre and into a more central role in business strategy.
The oldest truisms are the best, and the same goes for business continuity. Knowing your enemy (à la Sun Tzu’s “The Art of War”) is all very well, but the logical follow-on is perhaps even more important: know your colleagues and your business inside out. This may be BC 101, but it’s an essential starting point for mapping the unique risk profile of any scale of enterprise. Get the whole organisation involved by understanding what makes everyone tick. This process starts by analysing a department’s importance and understanding how soon each department and function must be up and running in the event of a disaster. If the business expects critical applications to be back up and running within four hours, for example, will the IT department be able to respond in this time?
It’s key to remember that the business continuity industry is fast-paced and dynamic, so it’s essential to consult the various departments before, during and after the initial planning phase. Best practice is always evolving, and so are the type and nature of threats to your business – business continuity is certainly not just about writing a plan and then sitting in a room that has your title on the door. Once you’ve constructed a plan, it’s time to define the metrics with which to test it, and then begin in earnest. The most brilliant plan is worthless if it can’t be implemented in the real world, and it’s fundamental to find this out well in advance.
Testing and scenario planning will generate the feedback to prove – or disprove – whether your initial understanding has gotten to the core of what makes the business tick. In addition, regular testing and exercising will give an organisation the ability to further encourage leadership and increase employees’ awareness of the threat landscape that exists. This internal education piece of the puzzle is best approached on as many levels as possible to ensure maximum uptake.
Part of developing a culture of business continuity involves periodic scenario-based testing, which is critical to ensuring key employees understand how they should respond in the event of a disaster. Desktop exercises are simple ways to evaluate how to respond to specific scenarios. For example, with flood risk increasing throughout the UK, having employees play out a flood scenario can help you identify how effective your business continuity plan would be in that situation. Employees can talk through various issues, such as deciding when it’s unsafe to commute, communicating with coworkers and customers, and accessing critical applications.
To ensure the technical functions will work as planned, desktop exercises ought to be regularly complemented with disaster recovery tests. For example, Rentsys Recovery Services, ITS’ sister company in the US, conducts semiannual tests of a predetermined critical technology component, such as alternate internet connectivity, critical applications and data, and redirection of inbound or outbound calling. At least annually, the company performs a full business continuity test under real-world conditions. These tests not only help identify technical challenges but help employees become familiar with what to do in a disaster scenario.
Behind every good plan are the people to carry it out. There will be a minimum number of individuals with appropriate skills and knowledge required to perform business activities and maintain the confidence of the supply chain. External factors such as supply chain vulnerabilities are especially easy to overlook or understate in the planning phase. A key skill for the successful business continuity manager is inspiring internal stakeholders to respond to any incident with passion and skill, by being empathetic, relating to them and building those relationships. The business continuity manager is a responsive, proactive and innovative individual, both approachable and highly tech-savvy. This last asset is particularly important, as cybersecurity and information assurance are becoming increasingly core to 99 per cent of business operations, which in turn is why culture-driven business continuity is changing. For example, a company historically would have had no social media policy integrated with business continuity planning, but in 2016 that is a grave error. The management of social media in the event of an incident is a central part of mitigating and managing reputational risk to the organisation.
Understanding, planning and people are three of the most essential tools in the business continuity toolbox, but the fourth has to be harnessing technology effectively. From planning and strategy tools through to essential data recovery and backup, there’s a plethora of brilliant technology aids out there, and just as important as using them is knowing which ones aren’t relevant to a given scenario. Managing data is a big challenge, and sometimes outsourcing is a must, especially for SMEs or indeed larger enterprises that don’t have endless budgets.
Keeping your business systems online and operational is usually extremely important. Considering a disaster recovery as a service (DRaaS) solution is an increasingly popular trend, and taking advantage of hybrid cloud infrastructure can be essential to some risk profiles. A key benefit of hybrid technology is that critical business data is backed up not only in the cloud (thus mitigating local incidents, both technical and physical) but also on local dedicated hardware, so data being restored doesn’t need to be downloaded from the cloud. Used wisely, hybrid clouds can provide the certainty that your data and IT environment are protected without draining your IT resources. Of course, this is just the tip of the business continuity iceberg, but in ensuring that there is a solid base of business continuity awareness running through an organisation, it’s certain that better risk management and organisational resilience will follow.
About the writer
Since 2011, Yusuf Ukaye, DBCI, has been speaking to businesses about business continuity issues, including BS 25999, ISO 22301, business continuity software, work area recovery and disaster recovery as a service (DRaaS). He is the business continuity product specialist for IT Specialists (ITS). Yusuf is part of a panel talking about the “Professional development new skills for a changing landscape” at the annual business continuity sector event, BCI World, in London on November 9, from 11am.