A Guide to Digital Operational Resilience for Security Managers
Security staffers have their hands full maintaining cyber resilience amid a deteriorating cyber environment. But the job’s not done yet. There’s also digital operational resilience (OpRes) to keep an eye on.
How do Security Managers go about achieving it? Read on to find out.
Digital operational resilience & why it’s needed
Well, digital operational resilience is the ability of a business to build, assure, and review its operational integrity and reliability. It is only secured when the business has the full range of ICT-related capabilities needed to address the security of the network and information systems that support the continued provision of its services, and their quality, even through disruption.
Complicating matters, this acute focus on ICT-related capabilities itself stems from the fact that those capabilities are under threat like never before. Why’s that?
The big story is that pandemic-era policies, such as remote work, led to a rapid increase in ICT risk vectors, with untrained employees left to their own devices.
Not only did risk vectors multiply, but individually they became far more serious as well.
Achieving digital operational resilience with ICT risk management
How, then, to ensure that individual risk vectors don’t turn into major ICT incidents? That’s the role of digital OpRes programs, to be spearheaded by Security Managers in coordination with various other lines of the business.
What do these programs entail?
Well, digital operational resilience is highly site-specific. But in any organization, ICT risk management will be a key component of ensuring digital OpRes.
To address ICT risk, like risk more broadly, businesses should consider putting in place an internal governance and control framework to ensure its effective and prudent management.
The management body of the business would be tasked with developing, maintaining, and updating such a framework. Specific duties delegated to that body might include:
- Put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity, and confidentiality of data
- Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation, and coordination among those functions
- Bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the entity
- Approve, oversee, and periodically review the implementation of the entity’s ICT business continuity policy and ICT response and recovery plans, which may be adopted as a dedicated specific policy forming an integral part of the entity’s overall business continuity policy and response and recovery plan
- Approve and periodically review the entity’s ICT internal audit plans, ICT audits, and material modifications to them
- Allocate and periodically review the appropriate budget to fulfil the entity’s digital operational resilience needs with respect to all types of resources, including relevant ICT security awareness programs and digital operational resilience training and ICT skills for all staff
- Approve and periodically review the entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers
A further requirement might be keeping knowledge and skills sufficiently up to date to understand and assess ICT risk and its impact on operations, including by following specific training on a regular basis – with that training being commensurate to the ICT risk being managed.
Of course, there’s more to digital OpRes that Security Managers should know than ICT risk management. What else is there? Download our Guide to Digital Operational Resilience and the Software Capabilities Needed to Achieve It to find out.