Where Does Business Continuity Fit in?
Business continuity is a process that is designed to reduce organizations’ business risk arising from unexpected disruption of critical functions/operations. Business continuity must enable a business to continue operations in case of a disruption and also ensure that any interruption to information systems that occurs does not cause an unacceptable level of damage. Business continuity is not the same as disaster recovery, the latter of which deals with catastrophes such as a heavily damaging fire in a building that houses an organization’s computing resources. Still, business continuity and disaster recovery have much in common to the point that they are widely (albeit somewhat incorrectly) viewed as the same function.
Business continuity is one of those “funny” areas, however. In some ways it belongs in information security, as the issues business continuity staff face are often closely related to the set of issues security incident response staff face. This is especially true when certain kinds of attacks occur, such as denial of service, violation of integrity, or similar types of attacks. Both functions focus on unexpected events that can cripple the business process. Both necessitate the use of human and material resources to support critical functions and operations, and they also utilize a similar type of planning, testing, and management oversight. Finally, many common tasks are performed in connection with both.
In other ways business continuity is more closely aligned with IT operations. Business continuity requires invoking special operational procedures that must remain in effect until things are returned to normal mission status. Many, if not most, of these procedures really have little or nothing to do with security.
Where does business continuity belong? In the majority of information practices with which I am familiar, it is not part of the information security function, nor is the information security function part of business continuity. But when integration between these functions is achieved, there are many significant benefits, the chief of which is eliminating gaps between the information security and business continuity functions that lead to unidentified risk. If this risk were to materialize, it could result in an extremely significant negative impact on an organization. Additionally, the fact that there is likely to be overlap between business continuity and security incident response with respect to objectives and procedures for handling denial of service and integrity problems suggests that integrating these two functions is wise from the standpoint of efficiency. Furthermore, integration allows both functions to draw on the types of experience that staff from both functions have, thereby greatly improving the robustness of the response capability. Similarly, integrating both functions is likely to provide a broader range of experience to members of these functions. The overall expected outcome, therefore, should be, and often is, potential cost savings and considerably greater efficiency.
Where does business continuity fit in? It needs to fit in where it most efficiently belongs, but before senior management makes up its proverbial mind, hopefully it will consider the case for partially or even wholly integrating it and information security.