Online MS in Cybersecurity from Drexel University
Drexel University’s online MS in Cybersecurity utilizes the College of Computing & Informatics and College of Engineering’s network of professionals to give students access to the latest research, tools and insights, and prepares students to meet the workforce needs through rigorous academic and experiential practical training.

Learn More

By Mick Brady

Business continuity (BC) and disaster recovery (DR) requirements have changed with the advent of cloud services, leading many organizations to reassess their programs. This presents an opportunity, suggested Wolfgang Goerlich, an advisory CISO at Cisco’s Duo Security. “It’s great to do the thing,” he said, referring to cloud continuity planning, “but what if we could do the thing and get more out of it?”

In addition to mitigating the impact of disruptions, a well-executed program can improve internal communications, strengthen team alliances, and even contribute to the retention of high-value staff members, Goerlich suggested in an ISC2 Security Briefing webinar. He expanded on his remarks in a recent interview with Cloud Security Insights.

The widespread adoption of cloud services in recent years prompted premature sighs of relief. Organizations expected cloud providers to keep their systems running or at least to minimize downtime in the rare event of an outage. “The cloud provider handles it all. That’s a very common attitude,” Goerlich said. “Up until the cloud provider doesn’t handle it … and suddenly our systems are deleted and we’ve got no way to recover.”

Where Shared Responsibilities Come In
Organizations typically don’t have to concern themselves with environmental recovery strategies. The cloud providers take care of getting everything powered back up and making sure the network is running. It’s the next steps that are the purview of the modern organization. A shared services model is necessary so the team on the ground can make sure applications are functioning and able to run critical processes.

Environmental disasters and cyberattacks have accelerated in recent years—more so amid the geopolitical unrest in recent months—but the shift to the cloud has reduced a variety of physical and cyber threats. Still, the cloud is not immune to risk. The goal of a BC/DR program is to resume normal operations as quickly as possible and minimize losses in the event disruption occurs, regardless of the cause. A good BC/DR plan doesn’t establish separate sets of procedures for responding to a fire, flood, tornado or ransomware attack. It considers threats by the effect they’re likely to have and groups them into recovery tiers.

DR needs to be bottom-up, Goerlich explained. “We need to understand each of the technology components, how we’re recovering, how we’re getting the work—but be very, very careful not to get lost in the weeds, which is easy to do when you’re looking at a lot of data. Try to roll these things into categories with very few proven strategies to recover.”

Those proven strategies include backups and region-to-region models. Manual/paper processes may enable critical operations to continue running as a last resort. If there are unavoidable losses, insurance coverage can reduce their impact.

Given the threat of attacks against providers, a multi-cloud model may be useful. “You’re balancing resources, time, effort and strategies, and always trying to figure out: Do I need to diversify? Do I need to bring things together? Do I need to simplify? Do I need to complicate, and where does it make sense to complicate? And those types of questions can really only be answered by the people who are sitting in the seat and have access to that data,” Goerlich said.

Don’t Give a Senior Team Member Junior-Level Tasks
It’s important to break down responsibilities so senior people aren’t doing junior tasks, Goerlich pointed out. Well-trained junior team members can perform analyses, gather inventory, keep schedules, conduct basic tests, and update procedures in documents, for example.

Senior staff should make strategic decisions, build relationships, champion the program, and communicate its goals and values to the executive team and board. It’s important to establish a reporting structure that will ensure support for the plan’s implementation.

A plan may look good on paper, but if it relies on the wrong technologies, it won’t hold up to scrutiny. The best way to ensure its effectiveness is to do a lot of testing. Recent research indicates that the organizations with the most success at continuing their business operations after an incident are the ones that do five or more BC/DR testing activities a month, Goerlich noted.

That could be a combination of discussions, paper reviews and tabletop exercises, among other options. One major drill a quarter and one tabletop a month might be adequate. “There’s no way I’ve got time to do five activities in a month,” Goerlich admitted.

If it’s challenging to find time to test a plan, it’s even more daunting to fix the problems the tests uncover.

“Changes, updates and reconfigurations may be needed. An organization should not test more than it has capacity to act on those test results,” Goerlich said. Given those limitations, it’s critical to “sequence out those activities so that perhaps in January you’re testing one component—in February testing another; in March, a third.”

Evaluating the technology should be a continuous process through all phases of implementation. It requires “strong partnerships between your security, IT and application development teams,” noted Goerlich. “The more people are on the same page with what’s changing and the more people are communicating and collaborating, the easier it is to update those requirements.”

Better Program, Greater Satisfaction

The bottom line is that to have a strong resilience posture it’s necessary to have a good BC plan that is:

  • owned by someone with authority and experience
  • thoroughly tested
  • regularly updated with relevant departments engaged
  • reported to the board or C-suite

The communications and collaboration skills required to build such a program are transferable throughout an organization. Further, a job well done also appears to be a job that’s more attractive. One of the findings of Cisco’s 2021 Security Outcomes Study is that organizations with very good BC and DR programs also excel at retaining security staff, Goerlich pointed out.

“My sense is that if you’re in an organization and you have a better understanding of the technology that you’re working with and a better understanding of why the technology matters to that organization and how it supports the mission of that organization, you tend to feel more committed,” Goerlich said. “You tend to feel more connected, and you tend to be a happier contributing member to the security team.”

Mick Brady is a technology communicator based in Southern California. Connect with her on LinkedIn.

ISC2 Webinar featuring Wolfgang Goerlich
January 20, 2022
“And the Clouds Break - Establishing Continuity & Recovery with Cloud Services”

Interview with Wolfgang Goerlich
Friday, March 18, 2022
Matthew Mors