As we are seeing right now, resilience is a valuable concept in business and life as a whole. It involves ‘bending not breaking’, in other words making or arranging things such that issues or incidents (such as pandemics) aren’t disastrous or terminal, although damage may be sustained. Resilient things aren’t necessarily invulnerable but they are definitely not fragile. In the lingo, their performance degrades gradually or gracefully. Like the Duracell bunny, they just keep going.
In relation to information security, resilience is a form of control, a security approach supporting business continuity and information risk management. It is a very broadly applicable control. There are situations where resilience isn’t helpful but they are far outnumbered by those where resilience makes business sense. Examples:
- Resilient databases and other software applications are designed to trap and deal appropriately with data or system errors and attacks that might otherwise cause failures, security breaches and other problems;
- Resilient IT devices are physically robust enough to keep running despite various electrical problems, knocks and mechanical stresses, extreme temperatures, old age ...;
- Resilient communications mechanisms can be relied upon to ‘get the message through’ when other less-resilient methods slow to a crawl or stop working completely;
- Resilient facilities are barely affected by threats such as fires, floods and power glitches: vital characteristics of, say, communications hubs and crisis management centers;
- Resilient business processes exploit every opportunity to cope with challenges ranging from shortages of raw materials and workers through tough competition to global recession and war;
- Resilient people are less affected than most by crisis situations: somehow they have the physical and mental capacity to think more clearly and get on with important stuff when others are rendered incapable, perhaps literally falling in a heap;
- Resilient workforces extend the approach to the level of teams, departments, business units, organizations, perhaps even entire industries and nations. They have the resolve, determination and resourcefulness to make it through whatever challenges they face, often by pooling resources and helping each other out. Collaboration, teamwork and motivation are part of resilience.
Cost is probably the main issue with resilience: while basic approaches are essentially free or cheap, more sophisticated arrangements tend to require more substantial planning, effort and investment. Awareness secures the benefits of resilience with relatively little cost, for example by convincing workers that their own preparation, readiness and response to various crises have implications for their wellbeing and survival plus that of colleagues and the organization. We’re putting people into a more positive frame of mind. At least, that’s the plan!
Although security-aware workers are an important defensive control, in a truly resilient organization awareness and training are merely parts of a comprehensive suite of layered, overlapping and complementary information security controls – including incident, risk and business continuity management. The awareness materials directly address management and professionals as well as the general workforce since they have distinct roles in making the organization resilient.
This awareness module:
- Introduces the concept of resilience, providing general context and background information;
- Expands on the associated information risk and security aspects (e.g. resilient information systems are less likely to succumb to power cuts, hacks, viruses and bugs);
- Puts workers generally in a positive frame of mind, more resilient and willing to get through situations that might otherwise overwhelm them;
- Impresses on managers and professionals the value of proactively engineering things to maximize their resilience, especially business- and safety-critical things.
Consider your organization’s objectives in relation to both resilience and awareness. Are there particular messages you’d like to put across, specific concerns or points to emphasize? Feel free to customize and elaborate on the materials: that's why we provide customer-editable files.
A timely awareness and training module about making the organization and its supply chains/networks resilient, robust, more able to survive severe challenges (such as COVID-19, ransomware incidents, privacy breaches ...) and emerge on the far side stronger than less resilient competitors.