SecTor Conference Revealed That Most Business Continuity Plans Need To Be Updated.

The most challenging task for information security professionals is often assumed to be ripping out and replacing IT infrastructure. However, the Canadian-based Chief Information Security Officer (CISO) of an international company says that many leaders face a more significant task: rebuilding their business continuity plan so the organization can survive a regional or larger IT disaster.

“We all — whether we want to admit it or not — have business continuity plans that are wildly out of date, wildly incomplete,” James Arlen, CISO and chief information officer (CIO) at Helsinki-based Aiven, a database-as-a-service provider, told the SecTor conference Thursday.

“The business impact assessments were made by people who don’t know the businesses. You couldn’t get any business person to have a conversation about what happens when their tools stop working. They don’t care. They don’t care. ‘Click some buttons! This is what you should do.’”

Arlen stated that applications today depend on each other, especially cloud apps.

Information security leaders must carefully map these dependencies in a new continuity program, he warned; only then will they know what to do if a primary cloud provider falls apart.

Arlen noted that this has already happened. In December 2022, Google apps that required Google OAuth authentication services (including Gmail and Workspace apps) were down for 47 minutes.

Electric utilities must know how to restore power grids after they go down. Likewise, Arlen stated, IT and infosec managers must know how to recover their infrastructure after significant damage. He said any plan would fall apart unless the IT or infosec administrator had a complete inventory of all their hardware and software, including dependencies.

Arlen stated that the plan must be similar to a Black Start plan, the term the utility industry uses for restarting a power grid after it has gone dark. He calls the IT equivalent a Cyber Black Start.

He stressed that you should not simply keep your existing business continuity plan. Start fresh. You can use the existing plan as a reference, he said, “But you have to start again.” Take the time to think it through. Creating a Cyber Black Start is not a matter of a few days, weeks, or months; it takes a whole year of hard work.

He warned that a dependencies map or graph — especially for hybrid infrastructures — could be “almost frighteningly large.” That’s because a significant cloud-based app your firm relies on may rely on a platform-as-a-service provider, for example.

What percentage of Canadian companies have out-of-date plans? In a post-speech interview, Arlen said that most small and medium-sized businesses have outdated plans.

He said that most information security professionals need to consider the interrelatedness of applications. Over the past 10 years, complexity has increased, and it has accelerated significantly in the past two or three years, mainly due to the pandemic. Organizations have been adding new systems to their operations without considering the consequences and how staff become dependent on them. For example, videoconferencing was once a nice feature; it is now a requirement in many organizations. He said that only some organizations had updated their continuity plan to reflect this fact.

In other words, an organization caught in a major internet outage will be “materially dysfunctional” for a time.

He noted that many employees work remotely. Do they know what to do if they cannot log in? Do they know the number to call for IT support? Is there an alternative communication channel, such as SMS text messaging?

Arlen stated in an interview that “We pat ourselves on our backs and say, ‘We did a business impact assessment, and we are fine for 24 hours.’” Meanwhile, a staff member who cannot log in to the system might think they have been fired.

What should you do?

Arlen stated that infosec leaders must compile a complete list of IT assets. Although they may believe they have it, the chances are they don’t. Arlen’s team recently figured that the company, directly or indirectly, has 197 tools and services, including infrastructure- and platform-as-a-service providers — and each has some data attached to it.

European-based companies have an advantage, he said. They must comply with specific provisions of the General Data Protection Regulation and keep data flow diagrams showing how personally identifiable information moves internally. That helps them understand how tools and applications are interconnected.

Not subject to GDPR? Start by creating a list of all known applications. Next, go to each business unit and ask for additions or deletions. Once you are sure that you have every tool and app, you can start to create the dependency graph.

Arlen warns that not all dependencies can be found by looking at the marketing materials for a product. Every tool has dependencies. There may be latent dependencies that cannot be discovered in marketing materials or SOC 2 reports.
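As an added illustration of the dependency-graph step (this is not code from the talk or the article), the Python sketch below takes a constructed inventory of tools and their dependencies, works out which tools a single provider outage takes down transitively, ranks providers by blast radius, lists the indirect (latent) dependencies a tool's own documentation would not show, and derives a Black Start restart order. Every tool name and the inventory itself are hypothetical placeholders.

```python
# Added example (not from the talk): a minimal dependency graph for Cyber Black
# Start planning. The inventory and all tool names are constructed placeholders.
from collections import defaultdict, deque
from graphlib import TopologicalSorter

# Constructed sample inventory: tool -> the tools/providers it directly depends on.
INVENTORY = {
    "email": {"sso-idp"},
    "videoconf": {"sso-idp", "email"},
    "ticketing": {"sso-idp", "paas-host"},
    "crm": {"sso-idp", "paas-host"},
    "paas-host": {"iaas-region"},
    "sso-idp": {"iaas-region"},
    "iaas-region": set(),
    "sms-gateway": set(),  # out-of-band channel sharing no dependency with the rest
}

def impacted_by(inventory, failed):
    """Every tool that stops working when `failed` is down, found transitively."""
    dependents = defaultdict(set)
    for tool, deps in inventory.items():
        for dep in deps:
            dependents[dep].add(tool)
    seen, queue = set(), deque([failed])
    while queue:
        for child in dependents[queue.popleft()]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def blast_radius(inventory):
    """Providers ranked by how many tools an outage of each would take down."""
    counts = {tool: len(impacted_by(inventory, tool)) for tool in inventory}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def restart_order(inventory):
    """Black Start sequence: a tool is restored only after everything it needs."""
    return list(TopologicalSorter(inventory).static_order())

def latent_dependencies(inventory, tool):
    """Indirect dependencies of `tool`: the ones its own documentation won't list."""
    direct, found, queue = inventory[tool], set(), deque(inventory[tool])
    while queue:
        for dep in inventory.get(queue.popleft(), ()):
            if dep not in direct and dep not in found:
                found.add(dep)
                queue.append(dep)
    return found
```

On the sample inventory, an outage of the identity provider takes down four tools while the underlying IaaS region takes down six, which is the kind of ranking a continuity plan needs before deciding what to restore first.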

Arlen said that playbooks are still necessary, but they must be updated regularly. You might also find duplicate playbooks written by different authors.
