“Protection in isolation is a brittle strategy.”
Journal for Homeland Security and Emergency Management, “An Operational Framework for Resilience”
Last week, I attended and presented at the ISACA/ISSA joint conference in Phoenix. During one of the keynote sessions, the quote “Protection, in isolation, is a brittle strategy” was used to highlight the importance of recognizing that no defensive or preventive measure is 100% effective. Organizations must be able to ‘anticipate, absorb and recover from negative events.’ This simple concept is usually ingrained in the minds of most risk and information security professionals, but so often it slips out of the picture when strategies are being put into place.
Today, we see much conversation around the importance of building safety nets for the bad things that can affect an organization. In the past few weeks, Patrick Potter discussed the importance of Business Resiliency, Fran Howarth covered the perils of not being prepared for a data breach, and Demetrio Milea outlined the human and process elements of Incident Response. Across the industry, the discussion of preparing for crisis events – whether a data breach, a natural disaster or a compliance violation – has been gaining momentum. Because a firestorm (both internal and external) immediately accompanies any negative event, the security, risk and compliance teams must be prepared to anticipate that impact and set in motion the right recovery efforts to absorb the event.
In Operational Risk Management programs, the “Lines of Defense” are commonly termed the First Line (the lines of business and their “frontline employees”), the Second Line (risk and control functions) and the Third Line (internal and external audit). Together these lines provide the safety net for anticipating risks, implementing controls and evaluating whether those controls actually work. In Information Security, the same lines map to a First Line of IT admins, application owners and end users, a Second Line of Security Operations, and a Third Line of security analysts and crisis management. From an overarching perspective, Business Continuity and Disaster Recovery also play a role when the situation warrants true continuity and recovery operations.
The point is that as an organization looks at risks and possible negative events, it is important to remember that the front line of defense can crumble quickly. The Second Line must reinforce it and catch the pieces, but a larger safety net has to be in place to absorb the overall impact. The Third Line of defense – whether it is business continuity, disaster recovery, crisis management, audit management or merely your A-team of gurus – has to be prepared, capable and enabled to recover the business.