Project Management for BCM for Cyber Security Incidents Response
This chapter discusses how a typical cyber security incident response or CIR is implemented from a BCM perspective.
Usually the CIR initiative is often regarded as part of the cybersecurity jurisdiction. This should be corrected, as CIR belongs to the business. It should be implemented as a BCM-supported project.
The maintenance process of the CIR and the continuity of the critical business function by an organisation will assume continuous improvement. In the BCM planning methodology, the project management ends as with the program management phase.
The Project Management Institute describes projects as temporary endeavours to create unique products or services.
In this case, the end product of CIR for the organization is a comprehensive CIR plan. The CIR plan can be broken down into smaller components (projects) by utilising project management practices.
Dividing the implementation plan (Olsen, 2014) allows for increased efficiency in allocating resources, standardization among projects, and an increased likelihood of the final product, the CIR, being completed successfully on time and within budget.
1. Strategic Guidelines for CyberSecurity
An organization has to establish strategic guidelines to provide direction and guidance for their employees to be conscious and aware of cyber security threats. It should be aligned with the organization’s mission and vision so that support from all employees is obtained. Hence, goals must be set so the organization knows what to aim for regarding protecting itself against this impending threat. With cyber security becoming a concern among organizations,
it is crucial not to get ahead of ourselves. Cooperation from every employee within the organization must be achieved to ensure the smooth implementation of the cyber security program. The key is considering the integration and coordination with the existing BCM arrangements. This may result in the re-alignment or prioritization of activities when a CIR is activated.
These are some of the strategies to be adopted:
- Establish a front-line defence
- Be prepared to defend a spectrum of cyber security threats
- Develop a collaborative model within a similar industry
1.1 Establish Frontline Defence
The main objective of implementing a cyber security program within the organization is to protect oneself from potential cyber security attacks that can disrupt critical operations.
- Enhance and improve mitigation measures within the organization; and
- Ensure that every employee has to be responsible for preventing and responding to a cyber security attack, and response measures have to be developed.
Employees need to understand that through this process, they are aware of the organisation's vulnerabilities and threats and think of innovative ways to reduce them. At the same time, relevant information can be exchanged among the different business units to find interdependencies or ways to collectively incorporate functions to defend against cyber security attacks.
From a BCM perspective, there is a need to understand what the CBFs need to be continued should there be a cyber security attack on their organization.
1.2 Be Prepared to Defend the Full Spectrum of Threats
Once measures have been developed to mitigate and respond appropriately to cyber security attacks on the critical infrastructures or networks within an organization, it needs to be audited by qualified cyber security professionals and, if possible, be based on international standards to prove their effectiveness and relevance to emerging threats. The constant need from a BCM perspective to focus on the CBFs that an organization requires to consistently provide products or services for their customer cannot be disrupted for a prolonged period. Based on some pre-defined simulations of various threats, organizations can identify which of the CBFs are affected and develop appropriate procedures to respond to them effectively to minimize damage caused. The organization can strive to be more resilient to cyber security attacks.
1.3 Develop a Collaborative Model Within an Industry
Organizations in the same industry should collaborate in tackling the issue of cyber security. Every cyber security attack should be taken seriously and a learning opportunity to rectify certain aspects of the cyber security plan within an organization. Information regarding best practices can also be exchanged among the organizations so that collectively as an industry, they can strengthen themselves against cyber criminals.
2. Project Charter
A project charter is a document that delineates the roles and responsibilities, outlines project objectives, identifies key stakeholders, and authorizes a project manager.
It lays out the boundaries and anchors the organization to focus on executing processes to achieve the pre-defined objectives. In a cyber security context, with the goal of effective cyber security incident response (CIR), the organization aims to include every process, employee, facility, and infrastructure with CIR practices from the beginning.
In the context of BCM (SANS Institute, 2013), the scope should include the IT team responsible for cyber security to have their roles and responsibilities identified to complement the BCM and the team developing the CIR plan.
The purpose of incorporating cyber security into every organisation component is because of the increased dependency on technology. Organizations are utilizing more technological infrastructures or facilities as technology advances.
A data breach's cost is significantly higher than implementing security controls. Therefore, as organizations (Richter, 2014) want to minimize the impacts of a cybersecurity incident, the need to practice cybersecurity activities as part of their daily operations is increased.
3. Identify Stakeholders
Different organisational stakeholders can influence a project's progress and outcome. Additionally, specific stakeholders are not as interested as others in the project. Whether a BCM or CIR plan is being developed, identifying stakeholders is crucial (SANS Institute, 2013) in determining if a project will succeed or fail.
The different stakeholders have different concerns voiced to the organization, which will be prioritized according to the importance to address. For example, addressing the sponsor's concerns is more important than customer concerns. If it is achievable, the organization will aim to satisfy all of the identified stakeholders.
For cyber security, the organisation's leadership is expected to play an active role compared to the other traditional project. Senior management should be cautioned that the management of this cyber security program is not the responsibility of the designated team responsible for cyber security.
Related Topics for CIR Project Management
Do You Want to Continue BCM Training onsite or online?
![[BL-3-Catalog] What Specialist Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/4b22a53c-6e3e-4b9e-8c2a-888423f1d26c.png)
![[BL-5-Catalog] What Expert Level Blended Learning Courses that are Available?](https://no-cache.hubspot.com/cta/default/3893111/fe175db3-7f57-4636-bf09-e9a836aa5478.png)
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 5 Project Management 5.1 Introduction to 5.4 Identify Stakeholders
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.
