In a recent #CSO (Chief Security Officer) Focus Group discussion hosted by effortlo, a consortium of Chief Security Officers and seasoned professionals delved into the intricacies of business continuity and #resilience. Facilitated by the effortlo Executive Resource Council, the session unfolded as a rich tapestry of experiences, strategies, and insights, with a particular focus on navigating cyber threats, natural disasters, and other emergencies. This article encapsulates the essence of the discussion, emphasizing technology tools, their impact, and the unique challenges posed by the absence of robust solutions.
The CSO Focus Group comprised of Chief Security Officers and distinguished professionals, is designed to host about 20-25 CSOs, Global Security Leaders, and SMEs alongside the effortlo Executive Resource Council. This is a working session where security leaders speak openly and candidly - sharing their experiences, successes, and struggles around the topic with the intent to #benchmark and collaborate with like-minded peers
The discussion centered around 3 key subjects:
Organizationally: where does Business Continuity sit within your organization? Who does it report to and how does it align with Crisis Management and Emergency Management
Functionally: how does Business Continuity work? How effectively does BC work together with the other departments (EM, CM, etc), the business operations team and stakeholders.
Capabilities: Do your business process owners regularly exercise their recovery strategies and procedures? If so, how often?
Do you have confidence in your organization's capability to deal with a loss of People, Sites, Supply and/or Information?
Do you have the resources and procedures needed for recovery?
What is your experience with technology to support preparedness/recovery and how is it managed?
Below we explore the main takeaways from the discussion, highlighting specific tools, suggestions, and comments that emerged from the group.
Aligning Business Continuity with Key Business Objectives
The discussion opened with a profound insight emphasizing the integration of business continuity plans and activities with Key Business Objectives. The participants stressed the critical importance of aligning business continuity efforts directly with the overarching goals of the organization. This strategic alignment serves as the linchpin to ensure that business continuity is not seen as a standalone function but rather an integral part of the broader organizational strategy.
The recommendation resonated with the concept of objective-centric #riskmanagement, where the focus is not only on mitigating risks but also on contributing to the achievement of key business goals. By tying business continuity initiatives to these objectives, organizations can enhance their resilience in the face of crises, making it a shared responsibility across various departments and levels of the organization.
“If you don't have that senior leadership support, you’re going to struggle. They're the ones who are going to ensure people will be in the room and push a reasonable budget to you.” Sulev Suvari
This approach aims to engage Objective Owners, such as department heads or leaders responsible for specific business goals, by highlighting the direct impact of business continuity on the certainty of achieving those objectives. The concept involves instilling a sense of ownership and accountability among key stakeholders, ensuring that they actively promote and integrate business continuity practices throughout their departments. This not only enhances the visibility and importance of business continuity but also aligns it with the strategic interests of the organization.
In essence, the participants emphasized that effective business continuity goes beyond mere planning; it involves fostering a #cultureofpreparedness and resilience that is deeply embedded in the organization's overall mission and objectives. This holistic integration ensures that business continuity becomes an integral part of the organizational DNA, rather than a siloed function with limited impact.
The plan is important, but it is not as important as the planning
The discourse delved into the organizational placement of business continuity, bringing to the forefront a fundamental principle: "The plan is important, but it is not as important as the planning." This statement encapsulates a shift in perspective from viewing business continuity as a static document to recognizing it as an ongoing, dynamic planning process.
The resonant quote underscores the importance of agility and adaptability in the face of ever-evolving risks and uncertainties. It signals a departure from the traditional approach of creating a business continuity plan as a one-time, exhaustive document. Instead, the emphasis is on fostering a continuous planning mindset, where organizations actively engage in the iterative process of assessing, updating, and refining their strategies based on emerging threats, changing business landscapes, and lessons learned from exercises and real incidents.
This agile approach to business continuity planning aligns with the principles of resilience, acknowledging that the business environment is dynamic, and risks are dynamic as well. Organizations need to be prepared not only for known threats but also for unforeseen challenges that may arise. The planning process, therefore, becomes a proactive and ongoing effort, ensuring that the business continuity framework remains relevant, effective, and responsive to the evolving nature of risks.
“consider starting your BC review cycle with an exercise. This will bring the team together, by highlighting gaps or issues, instill a common understanding of the need and sense of purpose through the rest of the process.” Bruce McIndoe
Furthermore, this perspective emphasizes the importance of leadership mandating employee involvement in the planning process. “If you don't have that senior leadership support, you’re going to struggle. They're the ones who are going to ensure people will be in the room and push a reasonable budget to you.”
It's not just about having a comprehensive plan in place; rather, it's about fostering a culture where employees at all levels actively participate in the planning discussions, contribute insights, and stay informed about their roles and responsibilities in times of crisis.
Impactful Exercises for Business Continuity Plans
The discussion emphasized the importance of conducting practical exercises to build and enhance capabilities and identify gaps in the procedures, checklists, and recovery resources needed. Efficiency is crucial and “keeping exercises within a 60-90 minute timeframe ensures focused and purposeful simulations”. This approach maximizes participant engagement, facilitates meaningful insights, and allows for efficient post-exercise debriefings.
Plausibility in exercises means simulating realistic scenarios that organizations may
face. For example, a plausible exercise could involve a simulated cyberattack or a supply chain disruption, providing participants with a context they can relate to and enabling a more immersive learning experience. “FEMA has an outstanding set of free trainings and evaluations. That's one of those key pieces that you can roll back up to the senior leadership and say, here's the after-action review, here's how we did and the questions that came out of it”
Keeping exercises moving aligns with the dynamic nature of crises. Organizations can structure exercises to maintain momentum, encouraging participants to make timely decisions and implement business continuity strategies swiftly. For instance, a tabletop exercise involving a time-sensitive decision-making scenario could effectively capture this dynamic element.
Tech Tool Challenges
The technology discourse centered around leveraging existing resources, with the absence of robust tools being a notable challenge. Participants discussed the use of traditional technology tools, with PowerBI and SharePoint emerging as valuable platforms for business continuity.
However, the lack of comprehensive #technology tools was a recurring theme. Many participants expressed the challenge of finding robust solutions tailored to their unique needs. The industry's reluctance to fully embrace tech tools was apparent, with only 50% of the group indicating limited usage and 30% having nothing in place. This brought attention to the industry's current struggle to find suitable and value-driven technological solutions for business continuity.
Key Takeaways
Based on the collaborative discussion, the following key takeaways emerged:
Strategic Business Alignment: The overarching theme of strategic alignment underscored the importance of integrating business continuity with key business objectives, fostering organizational commitment and engagement.
Executive Leadership: The significance of leadership buy-in and placing business continuity strategically within the organization, focusing on an adaptable approach to continual planning.
Relevant Exercises: Practical, time-conscious exercises that focus on learning and improvement were highlighted, ensuring efficiency and actionable insights.
Technology Innovation Needs: An impactful moment was the realization that, despite the recognized importance of technology, the industry is grappling with a lack of robust tools for business continuity. This insight shed light on the challenges faced by organizations in adopting comprehensive technological solutions tailored to their specific needs. Despite challenges, the discussion showcased the potential of leveraging existing resources for assessments and the use of specific technology tools, such as #PowerBI and #SharePoint.
This collaborative Focus Group/Roundtable discussion amongst CSOs and global security leaders not only unveiled strategic insights for effective crisis management but also brought attention to the industry-wide challenge of finding robust technology tools for business continuity.
As organizations grapple with an evolving threat landscape, the need for innovative, tailored solutions becomes paramount. The impact of these discussions extends beyond immediate insights, driving a collective effort to bridge the gap between the industry's current challenges and the technological advancements needed for resilient #businesscontinuity programs.
About Effortlo
Effortlo is a technology-enabled solution that helps companies operate a lean and efficient security program by providing effortless access to a wide range of global security experts with one agreement and one payment. With transparent pricing and a hassle-free (Airbnb-like), model, effortlo allows customers to work directly with security experts to expand their capabilities, meet deadlines, and stay within budget. We're also the only platform enabling any validated security expert to discreetly promote their skills and expertise to the greater security community.
Contributors/Attendees include:
Roy Lemons – Chief Security Officer at International Paper
Scott McBride – Chief Global Asset Protection Officer & CSO at American Eagle
Anya Fleischer – Business Resilience Leader at Airbnb
Niall Brennan – VP, Global Head of Strategic Partnerships at SAP
Joe Ordona – Head of Global Workplace Security at Pinterest
Jason Maddix – Corporate Security Director at Republic Services
Bridget Guerrero – Director of Global Security at Viasat
Arian Avila – VP, Safety and Security at Capital One
Chris Espinosa – Director of Security at Altos Labs
Jason Veiock – Sr. Director, Safety, Security & Resilience at GoDaddy
Reigna Zeigler – Director, Global Integrated Services at Cummins
Ty Sellers – Chief Security Officer at ALCOA
Steve Slyter – Sr Director, Corporate Security and Asset Protection at UNFI
Carlos Galvez, Jr. – VP, Global Security, Facilities and Financial Intelligence at Oportun
Joshua Carver, MBA, CPP – Chief Security Officer at Schneider Electric
Scott Fischer - Sr. Manager, Global Security at James Hardie
Matt Blowers - Vice President, Global Real Estate & Facilities at BorgWarner
Plus other Chief Security Officers / Global Security Leaders.
And aided by the effortlo "Executive Resource Council."
Bruce McIndoe – President McIndoe Risk Advisory and founder of iJet/WorldAware
Richard Widup – President of The Widup Group & former President of ASIS
Sulev Suvari – Principal of Levvari, fmr Global Head of Safety, Security & Resiliency at HP
Jon Harris, MBA, CPP, PSP – Sr. Product Manager, HiveWatch
Robert Chamberlin – President & Founder of Security 101
Brittany Galli – Founder of MoboHub & Chair of ASIS Women in Security Group
Steve Lisle – Ambassador for Reducing Effort – Founder of effortlo.
Dr. Steve Albrecht – WPV and Threat Assessment Expert
Mike Osborne – former Chief Security Officer at Kinross
Karan Uthaiah – Founder of TASC and former Head of Global Resilience at HP
Commenti