Business continuity and cybersecurity have very much in common. There is preparation; we have to prepare for it. You need to have management commitment in place and common goals on how to protect the enterprise and reduce the impact on it.
How can we get the top management commitment?
That’s a tricky question. A million-dollar question! There are two ways: first of all, we can say that the regulations need to be observed; maybe we can also motivate management to show proactive governance, to be a proactive company management, and not just react when something happens. I keep saying it’s not just about following policies, but we also need captains who can weather the storm.
Where do you find the link between Cybersecurity and Business Continuity?
I think it’s with the impacts! If cyber threats can bring down a company for an unlimited length of time and create an impact of thousands or hundreds of thousands of dollars or euros, then we think of business continuity. It’s a similar impact to when you think about a fire or an explosion. Today, the same impact is achieved with cyber-attacks as well, but nobody hears anything, nobody notices anything… but the damage happens! So, it’s a completely new dimension of threats. Normally, we have three dimensions that we operate in, but now we also have the information domain, and there is also a war out in the frequency domains, so we have a total of five, and we have invented two new dimensions of threats.
How can threats be prevented by implementing ISO 27032?
Standards are a good way to attack complex situations. As we’ve heard during the ISO 27032 training, it’s the complexity that should be taken into account. You need human resources, you need commitment, and you need technical equipment. You have to set it up correctly, and the standard gives guidelines on how to handle these complex situations. Otherwise you get lost and don’t know where to start. Once you have the standard, have attended a training course, and have raised awareness and knowledge, you are much better prepared to know where to start and who the players are. That’s important in maintaining such an approach, as this is really a complex undertaking. It’s a project, it has a start, but in business continuity we say it’s not a project because it never ends… It has to follow the evolution and the development of the organization. Maybe this also applies in cybersecurity, because things are much more dynamic there.
In business continuity with conventional threats, we can make a list of the problems we may encounter, which might be subjective as well, but with cybersecurity threats, there are people out there who think about new threats 24 hours a day. So, we need to be prepared for the things we may not be able to think of.
Speaker
Wolfgang H. Mahr
CEO and owner of governance & continuuuity; he offers both world-class consultancy services and training courses based on standards such as ISO 22301, 22313, 27001 and 28000. Wolfgang has more than 20 years of Swiss and international experience in ICT consulting and project management mandates, and during the last 15+ years he has specialized in Business Continuity Management (BCM).