Security & Business Resilience / Trends Column

Budgeting for the Impossible: Enterprise Resilience Means Business

During the past decade, enterprise resilience has become a hot topic.

July 1, 2013

“What happens when fire strikes the manufacturing plant of the sole supplier for the brake pressure valve used in every Toyota? When a hurricane shuts down production at a Unilever plant? When Dell and Apple chip manufacturers in Taiwan take weeks to recover from an earthquake? When the U.S. Pacific ports are shut down during the Christmas rush? When terrorists strike?” The Resilient Enterprise

During the past decade, enterprise resilience has become a hot topic. Its meaning has grown from the original “business continuity and disaster recovery” moniker associated with IT data crashes. Today, the enterprise is viewed as an organism facing myriad risks including physical and logical, manmade and natural, external and insider. The scope of planning may be as local as the home office or as far reaching as the global supply chain.

Fusing these disparate and siloed plans into an actionable enterprise resilience program may be an organization’s greatest challenge. Far from security’s role in event response, the new goals of identifying and mitigating risks opens the door to discussions of preparing for and preventing the highly likely to making crystal ball forecasts of the unforeseen.

Enterprise Resilience’s broad definition includes business continuity, emergency management and disaster recovery for both physical and logical infrastructure and workforce protection. Revenue continuity is at the heart of the organism to remain open or get back up and running ASAP. Budget is the brain balancing necessity against luxury. As one CSO shared in the early days of our Security 500 Survey, “We plan for the worst case but get budget for the best.” Justifying enterprise resilience plans and programs is a significant challenge. Guesstimates of the actual costs of a disaster will vary widely, even after an event has occurred.

Since 9/11, the scope of security has expanded beyond its walls. Both the physical and enterprise perimeters are gone as organizations have taken a broad role in their communities. Enterprise resilience has become an all-hands-on-deck exercise where social media has changed communications and altered our definition of first responders. The complexity of resilience planning has increased as have the available resilience tools and resources.

As Duane Ritter, Vice President of Corporate Security at Cox Enterprises shares,

“Anticipating potential business interruptions and working to mitigate those threats from happening supports the business organizations to remain operational and reach their goals. Resilience and strategies and preparedness drills are critical for success. Accurate risk assessment and being prepared are the biggest contributions we can make to the organization and our people.”

 

The race is afoot as leveraging technologies and best practices to continuously identify threats and vulnerabilities, update and test resilience plans and communicate and drill with your stakeholders never ends.

And perhaps the most important learning among leaders is that the planning experience is more important than the actual plan. Because the interaction among your stakeholders through training programs and table top exercises creates relationships, identifies risks and reveals vulnerabilities. Creating the structure that facilitates the critical planning process to achieve successful execution is important for a successful outcome.

An interesting resource is The Resilient Enterprise(MIT Press) by Yossi Sheffi, in which he demonstrates how enterprises facing interruptions fare far better through resilience planning than the actions taken during a crisis. And further, your resilience program creates measurable benefits for your organization every day, disaster or not. 

While most enterprises recognize that the investment in enterprise resilience is necessary, having a metric to show ROI benefits regardless of an interruption is a plus. CSOs are engaging their peers from legal, human resources, marketing communications and IT to create a holistic plan and response program for their enterprise. The use of mass notification technology to inform stakeholders has become a best practice for leading risk management and resilience programs.

David Shepherd, Chief Executive Officer of the Readiness Resource Group, an enterprise resilience consultancy shares, “You really do not know how well any plan will work until it is put to the test in a live situation.” Which can raise the logic of the brain above the desires of the heart in the C-suite: If you don’t know how well the plan will even work why invest so heavily in it?

An example is having a four person team, each with an area of expertise and responsibility. During drills, these four are together, in communication and leading the resilience process. Now tell one of the four, “You are not here, and you are out of communication with the group.” Then ask the three remaining leaders, “now what?”

That enterprise resilience drill works for everyday operations, not just during disasters.

The answer to “why invest in a strong enterprise resilience plan?” may be because the best plans have a measurable return to the bottom line.   

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

THE MAGAZINE

Security Magazine

April 2014

2014 April

In the April issue of Security magazine, read about integration partnerships and their growing success. The Boston Marathon bombing has changed the way integrators look at security for sporting events, see where they are one year after the tragic incident. Read about the 2014 RSA conference and this year's theme of "Threat Intelligence. Also, read about the latest products and news in the security industry.

Table Of Contents Subscribe

Background Checks

Who conducts background checks on new employees and contractors in your enterprise?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13