Friday, April 4, 2014

CRO - Not just for City Planning?


Just a few short years ago “convergence”, in the Cybersecurity world, was bantered about as a single word descriptor for the union of physical and logical security. It was inevitable that we would want to correlate who is logged onto our network and when they arrived or left our buildings. From this revelation came the birth of the Chief Security Officer (CSO).

Another convergence is now the buzz in our journey toward Cybersecurity. It may very well be time for another revelation in that IR and BCP are naturally tied to one another in more ways than simply the occurrence of an event. From a Cybersecurity management perspective the big question is, does this beckon for the creation of a Cybersecurity Chief Resilience Officer (CRO)?

Back in the 1960’s and 1970’s, we went through great pains to ensure we backed up our systems on tape drives, disk packs, whatever we could to save our work, critical digital assets and livelihood from disasters. As we were called to employ our backup tapes we realized that the backups were only part of the complex puzzle. We matured Disaster Recovery (DR) into Business Continuity Planning (BCP) and eventually, Business Resiliency Planning (BRP). This allows us to prepare a comprehensive set of decision-making tools and plans for what might happen.

In the current threat landscape, data breaches and intrusions are more prevalent than ever. This has highlighted the need for a well-planned, orchestrated and in some cases pre-scripted incident response plan. We need to define the steps to take, what talent pools are necessary to respond, whom to notify and how to minimize the impact on our business. This necessitates that we prepare a comprehensive plan for what will happen.

Both BCP and IR planning are closely tied to business and technology, but they have very different resource needs. Successfully crafting these plans will take expertise from very different parts of an organization. The BCP is, by definition, a business plan; therefore deep business prowess is required. The IR plan, on the other hand, has deep technical aspects and legal ramifications that require very specialized IT and legal resources. The breadth of specialties necessary to develop and maintain these plans only compounds the challenge of keeping them truly alive in an organization. These plans need to feed and grow off one another.

An incident that requires attention may also have a direct impact on an organization’s ability to continue to do business securely. The failover techniques or out-of-band data processing capabilities defined in a BCP may be appropriately invoked, or some notification trees developed in the BCP may very well be used in the IR plans.

Once the correlation between the planning processes is articulated, it becomes apparent that the convergence of the two disciplines augments the effectiveness of both.

I would venture to say that, with the current pace of IR that has become necessary, and as the severity of impact to a given organization is realized, we will start to see these two activities being headed up by a common lead within very large organizations (not just business, not just IT). So... maybe the CRO is not just for city planning anymore.
