Cody Burrows

At Wavestone, one persistent issue we come across in many organizations is a disconnect between the Business, IT, and Security divisions of a company.

IT and Business both have very technical demands, but each typically misses the point the other is trying to make, which often leads to a problematic communication breakdown. For example, when IT and Security raise red flags, Business doesn’t know why it should care, and the result is a lack of full buy-in and support. Conversely, when Business needs something, IT doesn’t know how to tell genuine needs from ordinary requests when prioritizing.

At the end of the day, Business, IT, and Security have the same goal: they want the business to continue and be profitable. How, then, can they work in concert and ensure that directions to those implementing tasks are clear and concise?

We recommend activating a heavily underutilized tool that can bridge the gap – Business Impact Assessments (BIA).


Conducting a BIA helps the business determine which key activities and resources matter most, by measuring the impact of failure or loss of those resources. A BIA report usually includes the following:
  • An executive summary
  • Methodology for data gathering and analysis (in the form of detailed questions in a survey format or interview conducted with various divisions)
  • Detailed findings and data of various business units, including a full inventory of assets and a prioritized list of important business processes
  • Charts and/or diagrams to illustrate impact on areas like Operations or Revenue
  • Recommendations of steps to take for recovery

Thus, BIAs traditionally come into play as part of recovery efforts.

Many organizations already have Disaster Recovery (DR) and Business Continuity Plans (BCP) in place. However, both DR and BCP efforts tend to be IT-based and narrowly focused, with limited Business input unless a BIA was part of the delivery. A resilience plan can take that IT focus and incorporate more Business needs for a broader, more balanced approach to supporting the business.

Such a plan can use DevSecOps as part of recovery efforts: the systems and processes identified in the BIA can be recreated in near real time as the infrastructure behind the primary business requirements. This would reduce the overhead of backup solutions, give more agility to Incident Response Teams, and greatly reduce the impact on the Confidentiality, Integrity, and Availability of the affected systems and processes. All of this happens with priorities set from what the Business has clearly communicated is important. To that effect…

Resilience, the Newer Way of Thinking

In a healthy business, building Resilience means growing beyond the traditional consideration of Availability to include Confidentiality and Integrity. However, for this to work, the process must involve the entire organization, and the clear communication of how everything interlinks and interacts, so all departments can be prepared for that ‘bad’ day but also use the BIA for BAU (business as usual) purposes.

Of course, you cannot neglect DR and BCP – they work hand in hand with Resilience planning to keep the business going and unimpacted. What a BIA does is play a dual role: it’s a proactive step where you have a plan set up early, looking at more than just the technical considerations, and you have a plan for what to expect and what to do beyond just a restore or configuration. It’s also reactive in an agile way, where you’re able to adapt when the worst hits, with an action plan that adjusts on the fly to real-world conditions based on agreed Business needs.

A Simple Equation to Unify Businesses Internally

By taking the same questions asked in the BIA and applying them to the risk framework, the BIA can then influence the overall BAU priority. A risk framework is typically based on risk = impact + likelihood; however, these concepts don’t usually get connected in a meaningful way for the business, or even for IT in many cases. Have you ever seen an organization fumble around trying to figure out which patch to apply, or simply not apply it because ‘it’s difficult’?

Whenever you conduct a BIA, one of the outputs is effective tiering: you’ve taken the information collected and analyzed it so that you can properly identify and categorize priorities within your risk framework. This makes it easier to communicate to both IT and Business leadership why certain things are immediate priorities and others are non-critical.


Organizations are forced to critically think about what is truly important with questions like:

When these questions are asked beyond a recovery-only perspective, even in day-to-day tasks, the status of business-critical functions is easier to discern. Tiering arranges the functions or processes in order of criticality, and the role each function plays in business continuity is clear. Subsequently, IT and Security can partner with Business to understand direction. IT also gains a more informed perspective when it comes to prioritizing security risks from the Business perspective.

In summary, when used with Resilience in mind, a BIA gives executive leadership real input into, and understanding of, IT and Security jargon, simplifies discussions around complicated frameworks, and sets up priorities for clear action plans.


BIA Best Practices

Here are some considerations to have in mind when running your own BIA:

By leveraging the BIA this way, the C-suite and upper leadership can easily start prioritizing, communicating, and giving direction to everyone else. And when you turn the BIA into a core centerpiece of the policies that your organization revolves around, you can finally ensure that IT, Security, and Business work together to figure out the most important projects to pursue.


To learn more about integrating a BIA into your business functions and solving the age-old communication problem, speak with Wavestone’s experts.


Cody Burrows

Cody Burrows is a veteran of the US Navy with over 15 years of experience in cybersecurity, leadership, threat/vulnerability identification, architecture, assessment, and implementation. Throughout his career, he has served as a main director, advisor, and/or team manager, reporting directly to the CSO and CISO and developing penetration testing processes and scripts for product solutions in cyber defense and other areas. As an expert in product road mapping and enhancement, change management, and innovation, Cody regularly designs and implements cybersecurity solutions in the financial, pharma, academic, leisure, defense, military, and government contracting sectors.
