David Green, Team’s Consulting Services Manager, talks about helping companies develop an incident response plan to survive any type of disruption.
Try to think for a moment about which areas of your business can operate without IT. Chances are, it will be a short list. As organisations become increasingly digitised, we use IT to improve performance and reduce costs in every area. We use it to comply with regulations, gather information, and report results. Our IT dependence has increased drastically in the last few years, but not every organisation has fully prepared for service interruption.
The primary aim of any organisation must be its operational security, meaning here the ability to keep operating and producing. But from dramatic disasters to everyday mishaps, IT can be interrupted. A flood, a malware outbreak or a power failure can each bring production to a halt. So, what do you do next?
The worst time to decide how to handle an issue that halts production is when it has just happened. Does the overnight production team know when to disconnect from the network, and who they can wake up? In an emergency department, do the duty staff know how to work around a failure without putting patients at risk?
However hard IT departments work to ensure availability, this is not a situation where prevention alone is enough. No matter how well your environment is designed, there is never a guarantee. Human errors happen, new cyber-attacks emerge and, sometimes, new projects change the landscape.
Operational security must be a consideration beyond the IT department. It is no longer just an IT issue; it is a business issue that merits attention at senior management and board level. Directors are ultimately held liable, so they should play a part in deciding what level of risk is acceptable.
When I help organisations to assess operational security governance, the IT manager and CIO usually understand the issue only too well. My first task is often helping to translate that into the right language for other business leaders. They, after all, bear liability if operations grind to a halt, and the effects can be considerable.
New reporting requirements add to the urgency of establishing strong governance. Nobody wants to be known as the first organisation to fall foul of new mandatory breach reporting laws or financial industry regulations. No hospital or medical centre wants to make headlines for failing to protect patient data. With such far-reaching effects, this is an issue that anyone in a senior role should be asking about, because the penalties can affect them as individuals as well as the business as a whole.
I know from my own time as a CIO that it can be near-impossible to get on top of the policy development and operational security planning that is needed, at the same time as working on essential digitisation projects.
Much like any emergency plan, an operational security framework sets out detailed instructions, in the form of an incident response plan, that can be followed to restore core functions and ensure personnel are able to complete their tasks. Much of the planning phase entails me talking to people throughout an organisation. I document the complex dependencies that exist between departments: it is no good keeping production running if there is no way to pack or ship those products to customers.
Knowing what to do, and having been trained in how to react, helps everyone to respond appropriately. Technology, after all, is only one component. Staff training and culture are a key aspect of any framework, so making people aware of their responsibilities and the risks they face gives them reason to focus. The time spent with different parts of the business early in the project pays off here: when we have listened and learned about their roles, the people in production, customer service, accounts and the warehouse are more receptive to working together. Participation is key.
While we are in an era that makes us depend heavily on IT, IT can also be something of a saviour. Cloud options abound, which means that with a solid plan there is every opportunity to protect operations from the worst of the impact. A well-defined incident response plan does not have to incur major up-front cost, and the planning process often unearths efficiencies that benefit the business over time.
Ultimately, though, an incident response plan is about protecting the organisation, its management, employees, customers and shareholders. It is about demonstrating that appropriate care has been taken to secure business operations and survive disruption. And even though you hope you never need it, when you do, you’ll be glad to be prepared.
Time to learn more about incident response plans, or preparing for mandatory breach reporting? Call for a chat with Team’s friendly specialists.