History has taught security teams that crisis situations can happen at any time and more frequently than anyone can anticipate. However, when a crisis does occur, organizations find themselves in a situation where survival is the main focus — the unprecedented disruption caused by the COVID-19 pandemic being a perfect example.
Given that the only constant in today’s world is rapid change, business goals should revolve not around survival alone, but around thriving during increasingly turbulent times. This is why business leaders must look beyond the immediacy of areas like business continuity and disaster response to building a resilient organization that can withstand both constant change and unexpected disruption.
Digital technologies, such as integrated business management systems, can help security teams achieve resilience at scale, but success requires alignment between business culture and digital transformation. With an integrated approach to business management, that goal becomes much more attainable.
What is a resilient organization?
Disruption, whether caused by economic uncertainty, cybersecurity incidents or a top employee suddenly leaving the organization, is inevitable in any business. Resilience is not just a personality characteristic — companies too can develop a resilient corporate culture and operational environment. A resilient organization is one that is well-prepared for change, whether that change presents itself as a challenge or an opportunity. To that end, a resilient organization can:
- Act in advance by planning new business models, diversifying supply chains and investing in distributed work capabilities to keep operations running smoothly.
- Adapt to sudden and unexpected shifts in the market, such as growing talent gaps and changing user demands and expectations.
- Keep the trust of stakeholders and users with robust incident response measures and efficient mitigation strategies in the face of a disaster.
Many conversations around organizational resilience revolve around areas like backup and disaster recovery, which is perhaps unsurprising given the enormous reliance on IT systems and data. However, achieving true organizational resilience goes further by incorporating strong leadership and governance, an adaptable business culture, and the ability to maintain consistently high-performing operations through practically any eventuality.
Here is an overview of the key areas you need to focus on to achieve organizational resilience:
#1. Business continuity
Business continuity refers to the continuation of mission-critical operations in crisis situations. Business continuity management starts with identifying the potential threats facing an organization, the likely impacts they could have on operations, and documenting the most suitable ways to minimize those impacts. Business continuity plans must be regularly tested and updated and accompanied by regular training — otherwise, the plan is nothing more than a document.
#2. Crisis communications
The ability to communicate crisis management plans on a strategic level is every bit as vital as the plans themselves. Depending on the specific threats and impacts and the operations they concern, crisis management communications may be handled at a senior management level or at a departmental level. This area ultimately focuses on which security leaders are responsible for what in the event of a crisis.
#3. Operational environments
As businesses enter into an increasingly knowledge-based economy, it stands to reason that organizational resilience comes down to how a company protects, governs and manages its informational resources. Thus, stakeholders must have a clear picture of their operational infrastructure and which measures are in place to protect it. This stage concerns the design, implementation and maintenance of mission-critical operational environments, such as data centers and other essential facilities.
#4. Human resources
Organizational resilience tends to place a huge emphasis on the role of technology, but it is ultimately people who dictate how resilient a business really is. Thus, human resources teams must also be prepared for unexpected disruptions, especially in a time of widening skills gaps. Resilience is as much about culture as it is about technology and innovation. Fostering a culture of continuous learning and personal accountability is, therefore, essential.
#5. Incident response
Incident response incorporates elements of crisis management and communication, backup and disaster recovery, and the optimal assignment and scheduling of people, finances and assets. In other words, it is about knowing exactly what to do during an incident. However, incident response should not be confused with business continuity. Rather, it is a part of business continuity, in that it addresses the immediacy of sudden and unexpected disasters.
#6. Information security
Many incidents take the form of information security threats, such as cyberattacks, information leaks and data loss. Since every business can be defined by the collaboration of people, assets, finance and time to generate information, it is clear that information is the most crucial asset of all. To ensure resilience and continuity, security teams need to know where organizational information lives, which controls are in place to protect it, and how much they can afford to lose, should the worst happen.
#7. Governance and compliance
One of the key purposes of organizational resilience is to empower businesses to consistently achieve their goals. This demands the ability to address ambiguity and act with integrity. For this to happen, businesses must take a cohesive approach to governance and compliance to grant themselves full visibility and control over their operations, information and infrastructure. This will allow them to better align areas like risk management and business continuity with their unique operational characteristics, priorities and goals.
Why every business needs an integrated approach to resilience
Organizational resilience ultimately comes down to a company’s ability to maintain its control over its resources — people, assets, finances and time. However, to achieve such a degree of control, businesses need total visibility into their information and operational environments.
In the era of highly distributed computing, increasingly complex technology environments, and constantly evolving market dynamics, maintaining that visibility is harder than ever. As a result, many organizations suffer from a silo mentality, where a lack of a unified corporate culture and an integrated technology environment makes it difficult — or even impossible — to share critical information.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine.