As they relate to IT, the functions of business continuity
and information security share one goal: to minimize losses and
maximize the uptime of the organization's information systems
before, during, and after an emergency. Business continuity
and information security are interdependent, and the two teams must work well
together if this goal is to be met.
However, when it comes to the teams working together, there
tend to be various barriers to effective communication. Based on my experience,
the average information security professional often thinks 90 and sometimes
180 degrees out of sync with the average business continuity professional,
which leads to communication breakdown and hinders overall IT progress.
The following are the best ways I've found to effectively work with us
information security types so that everyone is on the same page, systems
stay up and running, and customers are kept happy.
- Know Where They're Coming From
There's a wide range of information security expertise. Many information
security professionals are extremely technical and very specialized.
Unfortunately, these same people are often poor communicators and understand
very little about the business issues at hand. Others are all about
security policies and procedures and do understand the business side
of IT. They just know very little about technical security issues and
the technologies required for business continuity support. Once every
blue moon you may come across someone who has a good mix of both skill
sets. The point I want to make is to understand each individual's background
so you'll know how to communicate with them and what to communicate
to them to get your job done.
- Make It Known Where You're Coming From
Many information security professionals could not care less about what
you do. This is often an awareness and education issue. Once they are
given reasons to respect your duties and responsibilities and see you
as more of an ally than a threat or nuisance, they may very well warm up
to what you do and come up with positive ways you can both work together.
- Know What Functions Of Theirs Are Related To Your Duties
Part of this is understanding where each other is coming from. Don't
wait for a manager to sit you both down and map it out for you. Investigate
this yourself. Get to know what they do on a daily basis and what they're
responsible for. A few areas that come to mind are network infrastructure
and perimeter security systems, data backups, failover systems, and
security incident response - not to mention all of the policies and
procedures that go along with each of these.
- Know Who To Talk To
This should come naturally once you get to know them and vice versa.
You'll not only need to talk with the business-savvy information security
professionals who may be in charge of policies, but also with the techie
folks, since they're often the only people in the organization
who know anything about your mission-critical computer and network systems.
- Know Your Key Allies In Information Security
This is not necessarily the same as who you should be talking to on
an ongoing basis. I'm referring to other key players in the information
security function - HR, legal, and upper management. They are often
the influencers or the decision makers and can help get things done
and push towards better working relationships between the two teams.
- Know What Questions To Ask
Whether you're talking to the information security doers or the decision
makers, it's critical to know what questions to ask of them in order
to maintain and improve the business continuity function. What single
points of failure exist from their perspective? (Note: this might be
different than what you have in mind.) What role(s) would they have
in the business continuity function if you have to invoke your plan?
Who can back them up if they're not available during a crisis? (Note:
all too often no one can.) Which behind-the-scenes systems are absolutely
critical to keep online during a crisis in order to minimize any security
- Know Where They Get Their Information And
Similar to the business continuity field, information security professionals
are a fairly tight-knit group. They read the same magazines (Information
Security Magazine, SC Magazine, and other weekly IT-related magazines),
they subscribe to similar email lists from SANS, CERT, etc., browse
the same security portals (SecurityFocus, SearchSecurity.com,
etc.), and they attend similar conferences, including CSI, RSA, MISTI,
and SANS. Not only knowing where they get their information, but learning
some of it yourself, can be very beneficial when you need to talk their
talk and figure out how to integrate your business functions with theirs.
Much of this information is free or very low-cost, and I highly recommend
that you put it on your radar for your ongoing education.
You may not be able to gel with your information security
team members immediately. And, of course, as we've all experienced, there
is always at least one person who's seemingly impossible to work with.
However, I do believe that if you focus your efforts on these areas and
make it a priority to communicate where each of you is coming from, discover
what makes them tick, and learn what keeps them up at night, the business
continuity and information security functions can get along just fine.
After all, you really do need each other.
About the Author