I started in IT back in the pre-Internet ‘dark ages’, over 35 years ago. In those days we were literally in the basement and nobody really knew what we did; we were the geeks of the ‘IT Crowd’ cliché. When there was a major system outage it could take us down for hours, but the business sailed on as if nothing had happened. As time moved on, the technology moved forward and IT became more and more important to the company. Now an outage caused real issues and could have a very real detrimental impact if systems were unavailable, even for a short time. However, we were still in the basement, service desks were not something we did, and to the business we were viewed variously as:
- a cost;
- something that supplied something that did something else they needed;
- something that stopped them from doing other things they wanted to do;
- a black art; or simply
- a pain!
Then for me something massive happened: I discovered ITIL® and IT Service Management (ITSM). I was directed to create and implement a service desk and to put in ITIL processes (oh, how the new ITIL Practitioner would have helped me then, but that’s another story!). As anybody who has done this will testify, it’s a long and complicated journey: talking to the business, understanding its needs and delivering on its requirements. Moving forward again, IT is now an integral part of business, driving forward innovation and helping to deliver that competitive edge that in turn grows value and reputation. Typically IT is now a vital component of the enterprise and the first point of contact has gone from ‘complaints desk’ to a true ‘service desk’. One significant change has been in the culture: we now understand our role better, we understand the business strategy and priorities, we empathize with the business and realize our true value in the supply chain. We have also moved away from just being seen as ‘technology’ to a service-based imperative. Services and service providers are the future and they will come to dominate our world in both our personal and professional lives.
However, with regard to cyber security we are, to some extent, still back in the old days. We have teams that are still considered by many as ‘geeks’; they reside in a (metaphorical) basement and are still often seen as displaying some of the same attitudes outlined in the bullets above. After all, who wants a 10-character multi-format password that’s impossible to remember?!
Having now read the RESILIA™ Cyber Resilience Best Practices book and undertaken the foundation exam, what excites me is the journey that cyber security is now making. More accurately, the journey is towards cyber resilience: a term reflecting the necessity of managing an enterprise-wide response to your cyber risks that balances people and processes with technology in an integrated strategy. As with the old IT, cyber resilience in many organizations can still be very technology-biased. Organizations are continuing to invest in and deploy multiple layers of intelligent technical controls, but successful attacks continue to evolve, adapt and grow. There’s something missing.
As an example: it doesn’t matter what or how many locks you have on your office door, or how many security passes, keypads, or even retina or fingerprint scanners you install. If your cleaner props the door open when they go out for a coffee, then you do not have a secure system! Likewise, a long and complicated password becomes less effective if it is written down and stuck to the inside of a laptop.
We have learnt, the hard way, in ITSM that you need to take the business with you, instigating a culture change from top to bottom. We need to instil in the workforce that they, not technology alone, are in the front line in the battle against the hackers. Engaging all our people by providing simple and practical guidance on, for example, what safe passwords are and what to do when you suspect you’ve been targeted with a phishing attack is essential. It goes a long way in better protecting your organization’s most precious information and reputation. The statistics show that the vast majority of successful attacks succeed because they exploit our human vulnerabilities, not by finding flaws in IT systems. If you promote and reward ownership of this responsibility within the workforce and explain why you need them to do the things you ask them to do, it will pay ample dividends.
Treating cyber resilience as a service is to me a very good way forward. To maximize the value of a service you need an effective service management system (SMS). If you have ITIL within your organization then you already have an SMS that can be used. The chances are that the idea of a service culture and its benefits to all business strata are already clear. ITIL has a lifecycle approach and embedding a cyber resilience element to this through RESILIA is a natural fit and works very well.
All of the service lifecycle stages, from the initial strategy through to operations and continual service improvement (CSI), lend themselves to incorporating cyber resilience. It would take considerable time to detail all of the synergies, however I will pick out a few highlights for me:
- Configuration management database (CMDB) and asset management: To fully protect your environment you must know what assets you have and their relationships. Patching of hardware/software: have you done them all? If a change is made, will other configuration items (CIs) be affected because of a relationship?
- Event management: An increase in locked passwords and failed logins. These are two examples of event management outputs that can feed directly into cyber resilience monitoring.
- Change management: An obvious one, but the process is there to be used: incorporate cyber resilience controls into any standard changes.
- Incident management: Again obvious perhaps, but have you fully trained your service desk staff on what is, or could be, classified as a security incident? Do they know what to do when one is detected, and what the correct escalation path is?
- ITSCM linked to business continuity: This, to me, is one of the fundamental issues we face as a business. If we want to be totally secure we should pull up the drawbridge and not interact at all with the outside world. This is not, of course, a viable option as today we all have to interact with digital technologies. What we must understand is that when we do so, we inevitably make ourselves more vulnerable to attack; it is now not a case of if we are attacked but when. So if we have developed business and ITSM continuity plans for what happens if a building burns down or we have a flood, it follows we should also plan for the impact of a successful cyber-attack. Looking back we often find that more financial and reputational damage is done to a business after the attack when it has to admit that it has little idea of what has been compromised, whether it was encrypted, the type of data that was lost etc. RESILIA describes how companies can plan for this and have a coherent, enterprise-wide, strategy to manage and mitigate this risk.
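The event management bullet above names two signals, rising failed logins and account lockouts, that a service desk already collects and that can be turned into security monitoring. The following is an added illustration, not code from the post or from AXELOS/RESILIA: it runs simple windowed threshold rules over a constructed authentication log. The `key=value` log format, the five-minute window and both thresholds are assumptions chosen for the example; a real deployment would tune them to its own baseline.

```python
"""Turn failed-login and lockout events into security alerts.

Added example (not part of the original post). The log format, window and
thresholds are assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (assumed "key=value" format,
# not output from any real product). Timestamps are deliberately unsorted.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:05Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:09Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:12Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:15Z auth user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:16Z auth user=alice src=10.0.0.5 result=LOCKOUT
2024-05-01T09:01:00Z auth user=bob src=10.0.0.7 result=FAIL
2024-05-01T09:20:00Z auth user=bob src=10.0.0.7 result=FAIL
2024-05-01T09:40:00Z auth user=bob src=10.0.0.7 result=OK
2024-05-01T09:02:00Z auth user=carol src=203.0.113.9 result=FAIL
2024-05-01T09:02:01Z auth user=dave src=203.0.113.9 result=FAIL
2024-05-01T09:02:02Z auth user=erin src=203.0.113.9 result=FAIL
2024-05-01T09:02:03Z auth user=frank src=203.0.113.9 result=FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
FAIL_THRESHOLD = 5             # failures by one user within WINDOW
SPRAY_THRESHOLD = 4            # distinct users failing from one source within WINDOW


def parse_line(line):
    """Parse one log line into a dict with ts, user, src and result."""
    ts_str, _kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD):
    """Return a list of alert dicts, in time order, for three event types:
    lockout (reported as-is), brute_force (one user, many failures) and
    password_spray (one source, many distinct users failing)."""
    alerts = []
    user_fails = defaultdict(deque)  # user -> timestamps of recent failures
    src_fails = defaultdict(deque)   # src  -> (timestamp, user) of recent failures
    raised = set()                   # (type, subject) already alerted, to avoid repeats

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, src = ev["ts"], ev["user"], ev["src"]

        if ev["result"] == "LOCKOUT":
            # A lockout is already a ready-made signal: pass it straight through.
            alerts.append({"type": "lockout", "subject": user, "detail": src, "at": ts})
            continue
        if ev["result"] != "FAIL":
            continue

        # Per-user sliding window: drop failures older than the window, then count.
        q = user_fails[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= fail_threshold and ("brute_force", user) not in raised:
            raised.add(("brute_force", user))
            alerts.append({"type": "brute_force", "subject": user, "detail": len(q), "at": ts})

        # Per-source sliding window: count distinct users failing from one address.
        s = src_fails[src]
        s.append((ts, user))
        while ts - s[0][0] > window:
            s.popleft()
        distinct = len({u for _, u in s})
        if distinct >= spray_threshold and ("password_spray", src) not in raised:
            raised.add(("password_spray", src))
            alerts.append({"type": "password_spray", "subject": src, "detail": distinct, "at": ts})

    return alerts


def run_sample():
    """Run the rules over the constructed log; used by the demo below."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at'].isoformat()} {a['type']:15} {a['subject']} ({a['detail']})")
```

On the sample, alice trips the per-user rule and is then locked out, bob's two widely spaced failures stay below threshold and never alert, and the four different users failing from one address in three seconds trip the per-source rule even though no single account looks suspicious. The point for the service desk is the hand-off: each alert should map to a defined security incident category and escalation path rather than being treated as a routine password reset.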
So I think with the critical importance of cyber resilience now and in the future, business leaders need to fully engage with the highly professional technical teams down in ‘the basement’. Get them and their message out into the wider business; get the ‘what’s in it for me’ message out to the customers, both internal and external, and move the whole mindset of organizations into the world of integrated service management.
After all we’ve done it before…
More AXELOS Blog Posts from Phil Hearsum