Posted on Jun 8, 2015

How to Leverage Business Continuity for Security

CISOs: Use Business Impact Reports To Prioritize Risk

There are a few themes we see emerging for security professionals, especially those leading the charge, (we're talking to you, CISO). One theme is that operating a more risk-aware security organization requires an understanding of what to prioritize. A related theme is: How do you actually prioritize security risks based on how it will impact the organization as a whole (rather than only in IT)?

To arrive at this place, a security leader needs to have an understanding of all the business functions of all the departments. Beyond the functions, CISOs need to have a handle on the impact of security events on the systems of those business units.

In a large, global company, this is no small task.

The Solution? Find Reporting Tools Already In Use

Reach across disciplines and find those groups that are already capturing this kind of impact information, and leverage the hell out of it.

With more and more emphasis on business metrics in security contexts, it can be very challenging for security pros to get their heads around how to begin the prioritization process. An excellent article by Tony Martin-Vegue, Sr. Manager, Cyber-Crime & Business Continuity, at mega-clothing retailer, Gap Inc.,  offers some insightful advice. Martin-Vegue writes:

Most medium-to-large companies have a separate department dedicated to Business Continuity... [O]ne of the core functions of these departments is to perform a business impact analysis on critical business functions. For example, the core business functions of the Accounting department are analyzed. Continuity requirements are identified along with impact to the company. Many factors are considered, including financial, revenue stream, employee and legal/regulatory impact.

A compounding issue, however, is actually identifying all the risk in an organization given the rise of shadow IT where business units begin using third party systems, such as SaaS or cloud applications, to enable some business need they have identified. Security teams are likely not going to be shutting these operations down in 2015,  but will have to find ways to make them less risky to the organization.

CISOs will need to work closely with business continuity professionals to discover and audit those kind of rogue systems, and to understand their impact in a security context. This will certainly help CISOs who now have more attention with executive boards than they ever have had before.


Learn How SecurityScorecard Works

Security Research in your Inbox

Thanks for siging up for the newsletter!

Our Platform

Learn How It Works

Find out how we use open source intelligence, proprietary and open data feeds, and deep machine learning systems to correlate, attribute, and prioritize risks.

Learn About the Platform

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 categories of risk. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!

Request a Demo

Thank you for requesting a demo!