CHAPTER 9

Embedding Cybersecurity and Business Continuity

Unfortunately, some of an organization’s greatest risks arise from individual users of information services within the organization itself. This chapter represents the final piece in the cybersecurity and business continuity jigsaw: that of embedding their culture into the whole organization, so that it becomes a part of everybody’s daily responsibility.

Additionally, we shall examine the need for skills training, since the areas covered by cybersecurity and business continuity work require individuals who have received specific training.

General Awareness Training

One of the main benefits of embedding cybersecurity and business continuity into the organization is that it will spread the word such that the whole program of cybersecurity and business continuity work can be managed more efficiently. As staff become more aware of the need for it, they will naturally adopt a more pragmatic approach in the work they do.

It will help increase the resilience of the organization and improve its response capability, as staff will be better prepared.

Begin at the top. If the board-level executives are given even the most rudimentary training in cybersecurity, they will quickly come to appreciate its importance to the organization.

Additionally, it will instill confidence in stakeholders, including staff, suppliers, and key customers, all of whom will feel more confident in the organization’s ability to survive a disruptive incident.

Finally, because it will educate and inform all levels of staff, it will help minimize both the impact and the likelihood of disruptive incidents, again resulting in a more effective response to and recovery from them.

The first step is almost always to consult with senior management to establish what they feel would be an appropriate level of awareness, both for individual departments and for the business as a whole. Their views will drive the scope of the awareness program and also its objectives.

The next step is to assess the current level of cybersecurity and business continuity awareness. In organizations where the whole program is just beginning, this is likely to be very low, but in more mature organizations there may well be some knowledge and awareness of the key issues, which should be built upon.

Once we know the desired level of awareness as seen by senior management, and we know the current level, we can carry out a basic gap analysis which will provide us with an indication of the depth to which the program must go and also the degree to which specialist training may be required.

This in turn allows us to develop and deliver an awareness campaign, which will require ongoing monitoring to ensure that it is effective and to maintain the awareness momentum.

Now that we have a starting point, we can begin to identify the main audiences for this work. There will be staff throughout the organization who, although possibly not in a frontline response role, will be supporting the incident response teams, and who will require a basic knowledge of cybersecurity and business continuity and of the benefits to the organization.

Suppliers may also be part of the audience, as will any third-party organizations, such as those that support the Information and Communication Technology (ICT) infrastructure, for example outsourced organizations such as cloud service suppliers.

As with any program of work, there must be strong objectives and a clearly defined scope, to ensure that we are designing and delivering the most appropriate type of awareness training to all parts of the organization. Once defined, these must be agreed with senior management, along with any targets that must be met.

Too much information at one time can be difficult to digest, and so it may be necessary to deliver the awareness training in a number of packages, each of which deals with a different aspect of cybersecurity and/or business continuity. The packages can then be distributed around the organization at suitable intervals.

Finally, the most appropriate method of delivery must be chosen. In fact, this is unlikely to be just one method, and there will be several different approaches, each designed to deliver a particular message to a particular audience, and there will be overlaps between these.

Moving on to the plan itself, developing the individual packages and the method of delivery might best be approached using a “storyboard” technique, similar to that used to develop screenplays for films and television programs. It doesn’t have to be complicated or detailed, but if each stage is portrayed as a frame or a series of frames, just like in a newspaper cartoon strip, the complete program will be simpler to understand and to modify.

Once the content of each package has been discussed and agreed, another brief meeting with senior management is recommended, not only to ensure that the proposed program meets with their approval, but also to avoid any conflict with other campaigns that they may be planning, such as announcements of new product or service offerings.

Rather than putting the campaign out across the whole organization, it might be appropriate to run a pilot campaign on a small part of the business—for example, an office separate from headquarters, which will allow the response to be tested very quickly, perhaps using a web-based survey tool, and then permitting modification of the message or the method of delivery if necessary.

The program should also include a plan to introduce cybersecurity and business continuity awareness into staff induction training, and for those organizations that make use of centralized computer-based training, cybersecurity and business continuity could well be included in the mandatory packages that staff must undertake at regular intervals.

Finally, the plan should also consider the needs of key suppliers, who may play a significant role in the organization’s response to and recovery from disruptive incidents.

Now let’s turn to some of the methods we can use to deliver the content. The list isn’t necessarily comprehensive, but should provide some useful ideas.

Firstly, there are posters for office walls and desktop giveaways, such as coasters, key rings, memory sticks, and stress balls. Printing messages on these is not especially expensive, particularly if bought in bulk. Items that can be carried around are especially useful, as they tend to become “objects of desire,” even if relatively low in cost.

If the organization operates them, the Intranet or company newsletter is an ideal method for reaching all staff very quickly, and additionally desktop and laptop computers can be configured to display a cybersecurity or business continuity themed background or screensaver.

The agenda for team meetings is always a good place to introduce the topic, even if it is just to say “Keep your eyes open for the cybersecurity or business continuity campaign,” and departments that have more expertise can run workshops on the theme. Examples of incidents that have caused grief to other similar organizations will help drive home the message.

Staff could be encouraged to look at books, periodicals, and journals on the subject, but it is probably fair to say this might work better for those staff actually involved in the process rather than for all staff, and the same applies to cybersecurity and business continuity-related websites.

A great way to make people feel engaged with the process is to encourage them either to observe a test or exercise, or for those with a deeper interest to deputize for someone in an exercise.

Finally, and most importantly, there is the need to provide structured information to all staff on what to do in the event of a disruptive incident. In some instances, this will be by a proactive message delivered beforehand; in others, it will be a part of the incident response plan, especially in situations that are new to the organization or are rapidly changing.

The outcome of the awareness campaign should be as follows:

  • There is a heightened awareness of the need for cybersecurity and business continuity within and across the whole organization. This may take several months and should not be hurried.
  • Staff across the whole organization and beyond have an awareness of the importance of cybersecurity and business continuity to the business, and view it as an important aspect of their job.
  • There is improved effectiveness in all cybersecurity and business continuity practices, which become second nature to staff, such that other business practices improve as a result.
  • There is an improved response to actual incidents. We hope they never happen, but if and when they do, all staff should be prepared and follow the guidance and advice given to them, while those involved in the actual response and recovery perform better through the support of the remainder of the organization.
  • There may even be a side-effect from the program: requests for input into business development by cybersecurity and business continuity practitioners, who are able to advise on how objectives might be achieved without placing the business at risk.
  • However, the security awareness training must not remain static; it must grow and develop as the threats and vulnerabilities change.

Skills Training

The awareness aspect is just one part of embedding a culture of cybersecurity and business continuity across the organization. The other is to ensure that those staff who will be required to be in the frontline in the event of a disruptive incident are fully trained in their role.

To begin with, we need to have a clear understanding of the training requirement, so first of all we must consider the following:

  • What specific skills training is required
  • Who requires training
  • What the training aims and objectives are
  • Whether there are any particular areas of concern
  • How the training should be delivered
  • What (if any) organization standards must be followed
  • How the training will be funded

Typically, skills areas will include training on general cyber issues as well as on individual suppliers’ technologies such as intrusion detection systems and firewalls. Also, aspects of disaster recovery, especially in high-availability solutions, will require very specific training courses. Business impact analysis and risk assessment are skills from which a number of people in the organization will benefit, as these skills are readily transferable into other areas of the business.

Developing and implementing plans requires both a certain amount of skill and a degree of experience, as does the participation in tests and exercises, which can only really be gained by taking part, initially as an observer, and later as an active participant.

One of the most vital skills, and one that is often overlooked, is communicating with the media, which should be undertaken by senior management or by those likely to be confronted by the media in their response role.

Some training will be focused purely on the IT and security functions within the organization, while other training will cover all staff who are taking an active role, including those carrying out the business impact analyses and risk assessments, those involved in developing the business continuity strategy, and those developing the solutions and responding to incidents. In some organizations, a department (usually human resources) maintains a skills matrix. If such a matrix is available, it may make the job of identifying who has and who has not had formal training in these areas easier.

We need to understand what the training aims and objectives are. We must know whether the organization intends to develop experts in the field, or whether it is simply seeking to bring essential staff up to a baseline level, and what the critical success factors are.

We also need to understand whether there are any particular areas of concern, such as areas where the skill requirements are high and the skills available are low. One solution to this might be to outsource the particular function, another might be to recruit additional staff who have the appropriate skills, while a third would be to identify existing suitable staff for further training.

Some people fare better in a classroom environment, while others find studying alone, online, or in small groups away from a formal environment easier to manage, especially if time constraints apply to their roles and being away from the office for a course must compete with day-to-day work. The choice of method of training delivery might incorporate both formal and informal techniques, tailored to either the individuals concerned or to the subject matter.

Next, we need to consider whether there are any company standards to be followed, such as the use of particular training organizations, remembering of course that cybersecurity and business continuity skills may not lie within an existing training supplier’s portfolio.

Finally, we need to discuss how the training will be funded: by department, or centrally, perhaps from the overall cybersecurity or business continuity budget agreed at the beginning of the program.

Importantly though, there should be some way of evaluating how successful each aspect of training has been, so that a high standard can be maintained. Feedback from students is vital, and will contribute to the concept of continuous improvement.

Sources of training material will include information gleaned from both cybersecurity and business continuity websites, which are an ever-useful source of good practice and novel ideas. They will often describe events as they happen, and provide background information on what went well and what could have been done better.

Conferences and seminars are also a great way to learn about new developments in this field, including new or updated standards, meeting other practitioners, both experienced and novice, and sharing thoughts and experiences.

There may be organization-approved training courses in some of the areas we have discussed, especially in the business impact analysis and risk assessment area, as this is a very common requirement for larger organizations where risk management techniques are already in common use, and those that are in a highly regulated environment. Options exist both for classroom and computer-based training according to individual needs and preferences.

Books, periodicals, and journals are also a very helpful source of information. Some books take a very specific line, such as business continuity in the ICT environment, while others are more general in nature.

As we mentioned earlier, industry sector cybersecurity and business continuity working groups are a great way to meet other professionals, and especially those in your own area or sector.

Once the organization has an approach that appears to be successful, it may again be appropriate to run a pilot program in a key area of the business, asking the staff involved to be honest and to critique the training, and then to take the learning from that into the main program. Once the organization has developed the overall training program, it will need to assess the costs and timescales for this.

It is at this point that you may need to obtain senior management support, so you must be prepared to show that the training is relevant, cost-effective, and timely. This will lead you into agreeing the source of funding, which as we mentioned earlier might lie with individual departments or cost centers, or may come from the central cybersecurity or business continuity budget, provided that funds were set aside for this when the original program was approved.

We have spoken before about continuous improvement, and the training area is no exception to this. After any pilot schemes have run, and at regular intervals, staff should be encouraged to provide feedback on the training they have received. This will allow the organization to ensure that less adequate training is replaced with more relevant and higher-quality learning, and that new developments are taken into account.

When discussing the aims and objectives with the users, it was suggested that some critical success factors might be set. Now is the time to review these and decide what is working well and what areas may need to be improved.

Summary

This final chapter has not only discussed the benefits of embedding a culture of cybersecurity and business continuity into the organization, but has also examined the need for both general cybersecurity and business continuity training and specific training, especially in technology areas.

The remaining parts of the book are Annexes, which provide:

  • more detailed information on controls
  • information on Standards (both national and international) and Good Practice Guidelines
  • a brief bibliography
  • a glossary and definitions of terms used in cybersecurity, business continuity, and disaster recovery