Most business continuity plans are “completely outdated,” SecTor conference told


Arguably the most dreaded task an information security professional faces is tearing down and replacing the IT infrastructure. But the Canada-based chief information security officer (CISO) of a global company says many executives face an even bigger task: dismantling and replacing their business continuity plan so the organization can survive a major regional, or larger, IT failure.

“We all, whether we want to admit it or not, have business continuity plans that are absolutely outdated and absolutely incomplete,” James Arlen, CISO and chief information officer (CIO) at Aiven, a Helsinki-based database-as-a-service provider, told the SecTor conference Thursday.

“The business impact assessments were done by people who didn’t understand the companies because they couldn’t get any of the business people to talk to them about what happens when their tools die. They do not care. They say, ‘Just make it work.’ The business side says to IT: ‘Computers are magic. Just click some things! That’s what you do over there.’”

The fact of the matter, Arlen says, is that applications today are dependent on other applications – particularly cloud apps.

James Arlen, CISO of database-as-a-service provider Aiven. ITWC photo

What infosec leaders need to do is carefully map these dependencies into a new continuity plan. Otherwise, he warned, they won’t know what to do when a major cloud provider goes down.

It happened, Arlen pointed out: In December 2020, Google applications that required Google OAuth authentication services – including Gmail and Workspace apps – were unavailable for 47 minutes.

When a power grid fails, utilities need to know how to bring the infrastructure back online. Similarly, Arlen says IT and infosec administrators need to know how to recover their infrastructure after a major disaster. But, he added, if they don’t have a full inventory of their hardware and software — including dependencies — every plan will be crippled.

What needs to be created is similar to what the utility industry is calling a black start plan – starting when the grid is black – said Arlen. He calls it a cyber black start.

Don’t think about changing your existing business continuity plan, he stressed. Start over. The existing plan can be used as reference material. “But you have to start over,” he said. “You have to think about it carefully when you walk. Putting together a Cyber Black Start doesn’t take a few days or a few weeks or even months. It’s a year’s work.”

A dependency diagram or map — especially in a hybrid infrastructure — will be “almost frighteningly huge,” he warned. That’s because a large cloud-based application that your business relies on, for example, may itself rely on a platform-as-a-service provider.

How many Canadian organizations have outdated plans? Most medium and small companies, Arlen said in an interview after the speech.

“Most information security professionals don’t consider the interrelationships” of applications, he said. “In the last 10 years, a creeping complexity has emerged. It’s accelerated a lot in the last two or three years, especially because of the pandemic where they’ve been adding new systems without considering the impact of that and how employees will become dependent on them.” For example, video conferencing used to be “nice to have”. Today it is a must in many organizations. But few organizations have updated their continuity plans to reflect this, he said.

The result is that most organizations become “materially dysfunctional for a period of time” in a major internet crisis.

Many employees are now working from home, he noted. Do you know what to do if one morning you can’t log in as usual? Do you know the phone number for IT support? Does the organization have an alternative communication messaging system such as SMS text?

“We pat ourselves on the back and say, ‘We’ve done a business impact assessment and we’re fine for 24 hours,’” Arlen said in the interview. But an employee might think they’ve been fired because they can’t log in.

What to do?

First, Arlen says, infosec executives need to compile a complete list of IT resources — which, he said, they may think they already have, but chances are it’s not complete. Arlen’s team recently found that the company has 197 tools and services, directly or indirectly, including infrastructure and platform-as-a-service providers — and each has some data associated with it.

Businesses based in Europe have an advantage, he added: They must comply with certain provisions of the General Data Protection Regulation and maintain data flow diagrams of how personal data is moved internally. This helps to understand where and how applications and tools are linked.

Not GDPR compliant? Then start by making a list of known applications, then go to each business unit and ask if there is anything to add or delete. When you are sure you have all the apps and tools, start creating the dependency diagram.

Arlen cautions that every tool has dependencies, and some latent ones may only be discovered by reading a product’s marketing collateral or its SOC 2 report.
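The inventory-then-dependency-diagram procedure above, and the Google OAuth outage mentioned earlier, can be turned into something a continuity team can actually query. The following is an added example and is not code from Arlen’s talk or from Aiven: it holds a small, constructed inventory of hypothetical services (the names such as `google-oauth`, `ticketing-saas` and `sms-gateway` are placeholders, not real dependency data), computes which services go dark when one provider fails, lists what still works (the “alternative communication” question), flags dependencies the inventory never listed, and derives a black-start order in which each service is brought up only after the things it depends on.

```python
"""Dependency map for a cyber black start.

Added example, not from the original talk. INVENTORY is constructed:
every service name and edge below is hypothetical illustration data.
"""
from collections import defaultdict, deque

# service -> set of services it depends on (constructed sample data)
INVENTORY = {
    "google-oauth": set(),                      # identity provider
    "cdn-paas": set(),                          # PaaS the SaaS tools sit on
    "gmail": {"google-oauth"},
    "workspace-docs": {"google-oauth"},
    "video-conf": {"google-oauth", "cdn-paas"},
    "ticketing-saas": {"google-oauth", "cdn-paas"},
    "crm-saas": {"ticketing-saas", "google-oauth"},
    "sms-gateway": set(),                       # out-of-band comms, no SSO
    "it-helpdesk-phone": set(),
}


def dependents(inventory):
    """Invert the map: service -> set of services that depend on it."""
    rev = defaultdict(set)
    for svc, deps in inventory.items():
        rev.setdefault(svc, set())
        for dep in deps:
            rev[dep].add(svc)
    return rev


def unknown_dependencies(inventory):
    """Dependencies that are not themselves in the inventory: the latent
    dependencies the 'known applications' list missed."""
    known = set(inventory)
    return {svc: sorted(deps - known)
            for svc, deps in inventory.items() if deps - known}


def blast_radius(inventory, failed):
    """Every service transitively unavailable when `failed` go down."""
    rev = dependents(inventory)
    down = set(failed)
    queue = deque(failed)
    while queue:
        for dep in rev[queue.popleft()]:
            if dep not in down:
                down.add(dep)
                queue.append(dep)
    return down


def still_available(inventory, failed):
    """Sorted list of services that keep working during the outage."""
    down = blast_radius(inventory, failed)
    return sorted(svc for svc in inventory if svc not in down)


def black_start_order(inventory):
    """Topological order: start each service only after its dependencies.

    Refuses to produce an order if a dependency is missing from the
    inventory or if the dependencies form a cycle, since either means
    the map is not yet trustworthy enough to drive a restart.
    """
    missing = unknown_dependencies(inventory)
    if missing:
        raise ValueError(f"inventory incomplete, unmapped dependencies: {missing}")
    indeg = {svc: len(deps) for svc, deps in inventory.items()}
    rev = dependents(inventory)
    ready = deque(sorted(svc for svc, n in indeg.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(rev[svc]):
            indeg[dep] -= 1
            if indeg[dep] == 0:
                ready.append(dep)
    if len(order) != len(inventory):
        stuck = sorted(svc for svc, n in indeg.items() if n > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


if __name__ == "__main__":
    print("down if google-oauth fails:", sorted(blast_radius(INVENTORY, ["google-oauth"])))
    print("still available:", still_available(INVENTORY, ["google-oauth"]))
    print("black-start order:", black_start_order(INVENTORY))
```

The point of the two validation paths is the one Arlen makes: a restart plan built from an inventory that is missing entries, or that nobody checked for loops (an identity provider whose own console needs that identity provider), fails at exactly the moment it is needed, so the code refuses to emit an order rather than guess.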

Playbooks are still needed, Arlen added. But they need to be updated regularly. And you might find that there are duplicates of the same playbook written by different people.
