Overcome the Communications Gap of IT, Security, and Business with Business Impact Assessments

At Wavestone, one persistent issue we come across in many organizations is a disconnect between the Business, IT, and Security divisions of a company.

IT and Business both have very technical demands, but each typically misses the importance the other is trying to bring out, which often leads to a problematic communication breakdown. For example, when IT and Security raise red flags, Business doesn’t know why it should care. This results in a lack of full buy-in and support. Conversely, when Business needs something, IT doesn’t understand how to prioritize requests from needs.

At the end of the day, Business, IT, and Security have the same goal: they want business to continue and be profitable. How then can they work together in concert and ensure directions to those implementing tasks are clear and concise?

We recommend activating a heavily underutilized tool that can bridge the gap – Business Impact Assessments (BIA).

• An executive summary
• Methodology for data gathering and analysis (in the form of detailed questions in a survey format or interview conducted with various divisions)
• Detailed findings and data of various business units, including a full inventory of assets and a prioritized list of important business processes
• Charts and/or diagrams to illustrate impact on areas like Operations or Revenue
• Recommendations of steps to take for recovery

Thus, BIAs traditionally come into play as part of recovery efforts.

Many organizations already have Disaster Recovery (DR) and Business Continuity Plans (BCP) in place. However, both DR and BCP efforts tend to be IT-based and narrowly focused with limited Business input(s) unless a BIA was part of the delivery. A resilience plan can take the IT focus and incorporate more Business needs for a broader, more balanced approach to support business needs.

It can use DevSecOps as part of recovery efforts that use those systems/process(es) identified in the BIA in near-real-time to recreate the infrastructure of primary business requirements. This would reduce the overhead of backup solutions, give more agility to Incident Response Teams, and greatly reduce the impact on the Confidentiality, Integrity, and Availability of those systems/process(es) being affected. All of this with a priority set from what the Business has clearly communicated is important. To that effect…

Resilience, the Newer Way of Thinking

In a healthy business, building Resilience means growing beyond the traditional consideration of Availability to include Confidentiality and Integrity. However, for this to work, the process must involve the entire organization, and the clear communication of how everything interlinks and interacts, so all departments can be prepared for that ‘bad’ day but also use the BIA for BAU (business as usual) purposes.

Of course, you cannot neglect DR and BCP – they work hand in hand with Resilience planning to keep the business going and unimpacted. What a BIA does is play a dual role: it’s a proactive step where you have a plan set up early, looking at more than just the technical considerations, and you have a plan for what to expect and what to do beyond just a restore or configuration. It’s also reactive in an agile way, where you’re able to adapt when the worst hits, with an action plan that adjusts on the fly to real-world conditions based on agreed Business needs.

A Simple Equation to Unify Businesses Internally

By taking the same questions asked in the BIA and applying them to the risk framework, the BIA can then influence the overall BAU priority. A risk framework is typically based on risk = impact + likelihood, however, these concepts don’t usually get connected in a meaningful way for the business, or even IT in many cases. Have you ever seen the organization fumble around trying to figure out what patch to put in or just not put it in because ‘it’s difficult?’

Whenever you conduct a BIA, one of the outputs is effective tiering; you’ve taken the information collected and analyzed it so that you can properly identify and categorize priorities within your risk framework. This makes it easier to communicate why certain things are immediate priorities versus non-critical, to both IT and Business leadership.

Organizations are forced to critically think about what is truly important with questions like:

• Where do we need to put resources?
• Do we have the right workforce to manage the issue at hand?
• How long can operations continue without this system or process being active?
• How much data will be lost and how much can the business afford to lose in the event of an outage of this function?

When these questions are asked beyond a recovery-only perspective, even in day-to-day tasks, the status of business-critical functions is easier to discern. Tiering arranges the functions or processes in order of criticality, and the role each function plays in business continuity is clear. Subsequently, IT and Security can partner with Business to understand direction. IT also gains a more informed perspective when it comes to prioritizing security risks from the Business perspective.

As a summary, when used with Resilience in mind, a BIA gives the executive leadership actual input and understanding of IT and Security jargon, simplifies discussions around complicated frameworks, and sets up priorities for clear action plans.

• Executive input is critical for complete buy-in. Get contributions from the C-suite, including CFOs, CISOs, COOs, and, importantly, all the Business leads.
• Be clear on your scope and impact areas to examine before starting. Note that your company’s impact areas may be unique to your business and relying entirely on a template will not be enough. The scope should not be limited. You may need to bring in third-party advisors to gain a fresh perspective if your internal resources are not able to run this exercise.
• Use objective criteria to assess impact and do not rely solely on a limited number of managers’ opinions, who may be biased about how mission-critical their processes are. They will each tell you what is important to them in their area. You will not fail here from what knowledge you included but what you missed. Ensure the inputs are from managers who genuinely understand their area and have not delegated all of their decisions. You must get to the management layer that is ‘really’ running the show.
• Review your BIA regularly and keep it updated as your business changes and grows.
• Make sure to run the BIA through tabletop use cases where a consensus can be achieved from all leadership about the impacts of losing any asset.
• Store the BIA results securely but have them easily accessible to the relevant teams for reference purposes.

By leveraging the BIA this way, the C-suite and upper leadership can easily start prioritizing, communicating, and giving direction to everyone else. And when you turn the BIA into a core centerpiece of the policies that your organization revolves around, you can finally ensure that IT, Security, and Business work together to figure out the most important projects to pursue.