Operational resilience is much more than cyber security

Adrian Overall, CEO of CloudStratex, discusses the facets of operational resilience that organisations need to take into account

Very few organisations need persuading that operational resilience is increasingly necessary – but achieving true resilience involves more than cyber security.

Of course, there’s never been a more compelling motive for large enterprises to bolster their understanding of operational resilience.

Even if we leave aside the obvious advantages of preventing and mitigating for operational disruptions, we’re prepared to speculate that the substantial fines caused by non-compliance have a very persuasive ring to them.

These fines aren’t empty threats, either – as Raphaels Bank discovered to their detriment in 2019, when the FCA and PRA jointly exercised the full force of their regulatory power to the tune of a £1.89 million fine due to a lack of resilience in the bank’s outsourcing process.

This is a prime example of the dangers inherent in failing to take operational resilience seriously, for three key reasons.

Firstly, it’s a striking story of customers unable to withdraw much-needed funds on Christmas Eve, demonstrating the profound scope of operational disruption.

Secondly, the substantial fine cements the Raphaels Bank incident as a thoroughly cautionary tale.

Thirdly, although the FCA did describe the disruption as a “technology incident,” this was not caused by a lack of cyber security – instead, the vulnerability was rooted in the bank’s inadequate processes, which tells us that operational disruption can wear a number of different masks.

More than just security

Clearly, as the Raphaels Bank disruption indicates, operational disruption can often take the form of IT- or technology-related issues.

The same can equally be said for the Bank of Ireland which, in December of 2021, was fined €24.5 million for its lack of service continuity processes in the event of IT disruption.

The danger here, however, lies in the temptation to conflate IT-related disruptions with cyber vulnerability, and – by extension – to assume that operational resilience is simply a matter of investing in cyber security.

And, of course, security does have a part to play in the broader puzzle of operational resilience. A 2021 Government survey found that 39% of businesses reported cyber attacks over the previous 12 months, and this kind of security is vital – but cyber security alone is no substitute for a robust set of operational processes.

We’ve had first-hand experience with this more nuanced aspect of operational disruption.

On more than one occasion, we’ve been asked to help organisations who have recently suffered disruptions following unsuccessful cyber attacks.

This may sound counter-intuitive, but it’s a perfect illustration of the multi-faceted demands of true resilience.

In one instance, a cyber attack against our client failed – the attack didn’t work; their cyber security did its job.

However, when the client ran anti-malware software after the fact – a seemingly sensible precautionary measure – they set in motion a chain of events that took down a remarkable 60% of their operations.

In this case – and in countless others – the best cyber security money can buy simply can’t help organisations which lack robust operational and IT processes.

The many faces of resilience

All of the above begs the question: what does resilience look like once we put cyber security to one side?

We find it can be helpful to think about the breadth of challenges that today’s firms face.

These can certainly include cyber breaches, but other disruptive possibilities include system outages; service provider outages; key-person dependencies; and – lest we forget – the occasional pandemic.

This more expansive view of risk is a good reminder of how many facets of an organisation have a different perspective on resilience, from security, IT, and finance to HR, facilities, and compliance.

To a Chief Information Officer, for example, an IT department can’t be considered operationally resilient without the accurate, actionable data necessary to keep essential business services running.

To a Chief Financial Officer, meanwhile, resilience involves maintaining strong financial reporting systems in order to maintain vigilance over spend and savings.

This list could run on and on, but while resilience manifests itself differently to different departments, no aspect of an enterprise organisation exists in a vacuum. True resilience involves understanding connections between different aspects of a business – and the dependencies between the various facets of its infrastructure.

To understand the connections and dependencies between business services, customer journeys, business applications, and cloud / legacy infrastructure, and so on, large organisations need to invest in tools like configuration management databases (CMDBs).

With the visibility and knowledge that a CMDB provides, organisations can strengthen their resilience by understanding and anticipating how disruptions to one part of their infrastructure will impact the rest – allowing them to avoid the kind of domino effect that causes massive operational failures.

CMDB’s are not a new concept, but the good news is that the technology has now caught up with the aspiration so that fully auto-discovered CMDB is possible, that does not rely on manual updates or continuous human intervention.

It’s tempting to conclude on that reassuring note.

It’s not about a quick fix

However, advocating for a tool like a CMDB – especially when throwing in advances in automation and so on – needs to come with a caveat.

CMDBs are useful – but, crucially, this means they need to be used. Tooling like this is only as useful as the way its insights are implemented – and, in terms of resilience, this will involve new and comprehensive changes to processes and systems.

For large organisations, there are no quick fixes amidst a world of complex cloud technologies and labyrinthine organisational models. It needs a structured plan backed by a solid business case, and clear cross-business buy-in to the outcome

This piece began by using cyber security as a cautionary tale – it’s not a quick, all-encompassing solution to operational resilience.

Overestimating the value of a CMDB can cause organisations to repeat this habit, and it’s vital to understand that any tool is only as useful as the people who implement them and the processes that constellate around them.

While this holistic approach takes more time and effort to implement, the rewards of resilience are well worth the effort – not only to avoid the eye-watering fines mentioned above, and not only to mitigate service disruptions, but for a whole host of advantages that come hand-in-hand with better processes, clear visibility of applications and vulnerabilities, and stronger reporting.

Written by Adrian Overall, CEO of CloudStratex

Related:

2022 is set to wash operational resilience onto US shores — Guy Warren, CEO of ITRS Group, discusses how operational resilience is set to be a prominent trend among financial service providers in the US

Three guiding principles to establishing data resilience for a hybrid cloud strategy — Stephen Gilderdale, senior director at Dell Technologies, identifies three principles to consider when looking to establish data resilience for the hybrid cloud

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com