DevoteamInsightsCybersecurity prerequisites: Corporate Resilience & Contingency

Cybersecurity prerequisites: Corporate Resilience & Contingency

Authors

  • Frederik Helweg-Larsen
    Expert Director Devoteam Denmark

  • Kristian Bønnelycke Al-Bedri
    Crisis & Risk Management Consultant at Devoteam Cyber Trust

Share

When discussing “corporate resilience”, it can be confusing to understand what it means. People use different words and definitions, and even official standards aren’t always clear.

Why words matter

Many organisations, rules, and guidelines explain “corporate resilience” in different ways – sometimes, they contradict each other!  Before you start making your company more resilient, it’s essential to ask yourself these three questions:

  • What skills and tools do we need?
  • What do we call them, and what do we mean by that?
  • Does everyone understand these words in the same way?

Once you’ve answered these questions, you can start building a solid foundation. This article will help you understand the key ideas so you can make your company more resilient.

To help clear up the confusion, Devoteam created a model that shows the different parts of corporate resilience. But first, let’s define two important concepts:

  • Corporate resilience is a broad umbrella term encompassing the different activities that seek to bolster the organisation’s ability to withstand disruptions, encompassing most of the strategic activities described below.
  • Contingency plans are Formal procedures that seek to address disruptions to organisations by providing an alternative plan, commonly known as plan B. They are thus understood broadly as the different formal procedures developed to bolster corporate resilience. 

Now that we have defined these concepts let’s look at the different parts of our model: With these central concepts defined, we can begin diving into the different areas of the model presented below:

Cybersecurity prerequisites: corporate resilience model

Review of the prerequisites for resilience model

Phase 1 – Assess and Plan

This first phase is like laying the foundation for a strong house. You need to:

Developing contingency plans: Just like having a spare tyre in your car, you need a “Plan B” to deal with potential problems. These plans outline what to do in different situations, ensuring a coordinated and effective response. (Number 2)

Identifying potential threats and vulnerabilities: Imagine a Business Impact Assessment (BIA) as a detective searching for clues. It helps you find your company’s critical parts and potential dangers. This assessment determines how problems might affect your business so you can decide what to focus on and how to use your resources wisely. (Number 1)

Prioritising critical systems and processes: Based on the BIA, you can decide which systems and methods are most important for your business to keep running. This ensures that the most essential things are fixed first if there’s a problem. (Number 1)

Crisis management components
Corporate resilience: crisis management

Phase 2: Implementation

This phase focuses on putting the plans developed in the Assessment and Planning phase into action. Key activities include:

  • Establishing robust design and architecture: Imagine building a house with strong materials and a solid structure. Implementing things like backup systems, separate networks, and copies of important data is like using solid materials to make your company less vulnerable to problems. Cloud services that work independently of your primary systems can also make your company more resilient. (Number 3)
  • Implementing alternative services: Think of this as having a backup generator for when the power goes out. Developing alternative communication platforms, regular data backups, or other “Plan B” services ensures you can keep working even if your primary systems fail. These services can be on standby until needed, providing a safety net in case of problems. (Number 4)
  • Setting up incident and major incident processes: Having clear steps for handling everyday problems and big emergencies is essential. (Number 5) Think of it like having a first aid kit for minor injuries and knowing who to call in a real emergency. Incident processes deal with routine, local issues, while significant incident processes are activated when many critical systems are affected. (Number 5-6)
Daily operations
Blue boxes – daily operations

Phase 3: Test and Improve

Regular testing and continuous improvement are like regular check-ups for your company to make sure your plans are still working:

  • Regularly test the plans: Testing your plans is like having a fire drill. You practise what to do in a safe environment to prepare for a real emergency. Testing should be done using realistic and challenging scenarios, getting more complex as you improve. This ensures that your plans are practical and can be used effectively in real situations. (Number 7-8-9)
  • Adapting plans based on learnings: Each test is a learning opportunity. You should use what you learn to improve your plans. Regularly reviewing and updating them ensures they stay relevant and address new threats and vulnerabilities. (Number 8)
  • Ensuring continuous improvement: Building corporate resilience is an ongoing process, like staying healthy. You need to evaluate and improve continuously. By embracing a culture of constant improvement, your company can stay ahead of potential threats and maintain a high level of preparedness. (Number 10)
Cybersecurity prerequisites: qurple boxes
The prerequisites for contingency planning

Phase 4: Crisis Management

This phase is like calling the fire department when a fire breaks out. It’s activated when a disruption becomes a crisis and requires a coordinated and decisive response:

  • Activating IT crisis management involves activating a “war room” – a place where key people gather to manage the crisis. It should have a structured agenda and a clear division of roles. (Number 11) The IT crisis management team coordinates long-term efforts, prioritises tasks, and communicates with everyone involved. (Number 12)
  • IT service continuity: Keeping essential IT services running during a crisis is crucial. (Number 12) This might involve using alternative systems or data recovery methods to maintain critical operations. (Number 12-13)
  • Business continuity: Business continuity plans outline how the company will continue operating if normal processes are disrupted. These plans should be developed by people who know the specific work processes well and address each business area’s unique needs and rules. (Number 13)
  • Corporate crisis management covers the entire organisation’s crisis management efforts, led by the CEO or another designated crisis manager. Corporate crisis management deals with a broader range of crises, including those unrelated to IT, such as natural disasters or pandemics. (Number 14)

Phase 5: Recovery and Learning

The focus after a crisis shifts to restoring normal operations, evaluating the response, and identifying areas for improvement:

  • Restoring normal operations: Once the immediate crisis is over, returning to normal operations as quickly and efficiently as possible is the priority. This might involve repairing damaged infrastructure, recovering data, and resuming critical processes. (Number 15)
  • Evaluating the response: Conduct a thorough review of how the crisis was handled to identify what worked well and needs improvement. (Number 15) This evaluation should involve everyone affected and be used to update and improve the crisis management plans. (Number 15)
  • Identifying areas for improvement: The recovery and learning phase provides an opportunity to learn from the experience and make changes to strengthen organisational resilience further. This includes updating plans, addressing vulnerabilities, and improving communication and coordination processes. (Number 15)

By following these five phases, companies can proactively build resilience and be better prepared to withstand disruptions, recover quickly, and learn from their experiences. Remember, building corporate resilience is an ongoing journey that requires a commitment to continuous improvement and adaptation.

What you can do today

You now understand the different elements of building corporate resilience. But remember, knowledge is more powerful when it’s shared. So, our immediate recommendation is to focus on these simple steps:

  • Share your knowledge to create a common understanding,
  • Identify and commit to areas that are relevant to your company,
  • Develop a strategic plan to address your chosen capabilities and ensure effective execution across your company.

Recommendations for inspiring reading material:

  • The Checklist Manifesto, Atul Gawande
  • Battle Mind. At præstere under pres, Merete Wedell-Weddelsborg
  • First aid, redcrossfirstaidtraining.co.uk/
  • Five-paragraph order, United States Army.

Crisis management phases

Our experts can help you.

Contact our experts today to make the best of corporate resilience and contingency planning.

Get in touch