Managing Operational Resilience

Published in Journal of Cyber Security and Information Systems
Volume: 3 Number: 2 - Early Prevention & Best Practices

Authors: Julia H. Allen, Pamela Curtis and Nader Mehravari
Posted: 02/09/2016

A search at your favorite news aggregator for keywords such as “malware,” “computer virus,” or “data breach” will return results in the tens of thousands. For most organizations it’s not a question of if a cyber attack will occur, but when. And when an attack happens, the tempo of response must be fast, so an organization must already have practices in place covering how to respond. These practices should reflect a strategic approach that balances actions that protect assets such as customer data and intellectual property with actions that sustain services and operations.

A recommended approach to address both protection and sustainment is the application of resilience management practices. Operational resilience is the ability of an entity to prevent disruptions to its mission from occurring, continue to meet its mission if a disruption or incident does occur, and return to normalcy when the disruption is eliminated. The concept of operational resilience applies to entities such as organizations, systems, networks, supply chains, critical infrastructure, cyberspace, Armed Forces, and even nations.

Operational resilience management includes all the practices of planning, integrating, executing, and governing activities to ensure that an entity can

  • identify and mitigate operational risks that could lead to service disruptions before they occur
  • prepare for and respond to disruptive events (realized risks) in a manner that demonstrates command and control of incident response and service continuity
  • recover and restore mission-critical services and operations following an incident within acceptable time frames

Operational resilience management draws from several complex and evolving disciplines, including risk management, business continuity, disaster recovery, information security, incident and emergency management, information technology (IT), service delivery, workforce management, and supply-chain management, each with its own terminology, principles, and solutions. The practices described here reflect the convergence of these distinct, often siloed disciplines. As resilience management becomes an increasingly relevant and critical attribute of their missions, organizations should strive for a deeper coordination and integration of its constituent activities.

Our discussion of operational resilience management has four parts. First, we set the context by providing an answer to the question “Why is operational resilience management challenging?” A set of recommended practices for operational resilience management follows. We then briefly address how an organization can achieve effective results by following these practices. We conclude with a list of selected resources to help you learn more about operational resilience management. Also, we’ve added links to various sources to help amplify some points.

Every organization is different; judgment is required to implement these practices in a way that benefits your organization. In particular, be mindful of your mission, goals, existing processes, and culture. All practices have limitations. Some of these practices will be more relevant to your situation than others, and their applicability will depend on the context in which you apply them. To gain the most benefit, you need to evaluate each practice for its appropriateness and decide how to adapt it, striving for an implementation in which the practices meet your business objectives. Monitor your adoption and use of these practices, and adjust as appropriate.

Why is managing operational resilience challenging?

Over the past 10 years, organizations have invested a tremendous amount of resources in cybersecurity. Nevertheless, regardless of how much has been spent on protection, cyber attackers continue to penetrate systems. We have reached a point in the battle for information and cybersecurity where we should change the focus of security investment from a narrow focus on planning how to avoid cyber attacks to a more balanced focus on avoidance and planning how to recover from cyber attacks.

Operational resilience management has two sides—protect and sustain—and both are equally important. An organization must learn about the threat environment, maintain situational awareness of the context in which it operates, and create a risk-management plan that is as thorough and reliable as possible. But when an attack occurs, can the organization sustain its critical services and operations? Can it adequately recover its systems and get them back online as quickly as possible? Can it restore and recover service within a prescribed recovery time and according to its recovery-point objectives? An organization must ask, where can we not afford to have something bad happen, and where can we afford to have something bad happen and bounce back as quickly as we can? The need for organizations to achieve a balance between protect and sustain is why operational resilience management is so important.

Operational resilience management is challenging for several reasons:

1. Making a long-term commitment: Operational resilience is an emergent property. An emergent property is not something an organization can buy and put in place or assemble by buying its parts. For a property to emerge within an organization, the organization must execute a certain set of activities in a coordinated manner and do so with consistent discipline. Our own health makes a good analogy: we would all like to have good health, but we cannot buy it at any store. To become healthy, we must do certain good things, such as eat well, exercise, sleep enough, and get checkups. And we must do these things in a disciplined manner for a long time. Achieving operational resilience requires an organization to make a similar long-term commitment to perform certain activities with consistency. The activities involved in operational resilience management must become part of the organization’s daily habits across the enterprise.

2. Understanding the big picture: To be operationally resilient, organizations must address operational risk on many dimensions simultaneously, including people, technology, information, facilities, supply-chain, management, cyber, and physical dimensions. This requires careful planning, coordination, and training across many interdependent domains, as well as understanding how the organization’s capabilities along these dimensions contribute to mission success.

3. Overcoming organizational hurdles: An organization may encounter these barriers to operational resilience management:

  • the vague and abstract nature of operational risk management
  • compartmentalization of operational risk-management activities, such as segmenting responsibilities for information security and business continuity/disaster recovery
  • focusing on technology instead of on all the dimensions listed in Challenge 2
  • the proliferation of practices for operational resilience management
  • insufficient funding and staff
  • insufficient success stories and measurements
  • (over)reliance on people
  • regulatory climate
  • existing policies
  • the tendency to ignore current information to avoid a painful reality and the need to act
  • competitive pressures or short-term goals

Authors

Julia H. Allen
Julia Allen is a senior member of the technical staff within the CERT Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen is engaged in developing and transitioning executive outreach programs in enterprise security and governance, as well as conducting research in software security and assurance. Prior to this technical assignment, Ms. Allen served as acting Director of the SEI for an interim period of six months, as well as Deputy Director/Chief Operating Officer for three years. Before joining the SEI, she was a vice president in embedded systems software development for Science Applications International Corporation, and managed large software development programs for TRW (now Northrop Grumman).
Pamela Curtis
Pamela Curtis is a Senior Researcher on the Resilient Enterprise Management Team in the CERT Program at the Software Engineering Institute. Curtis conducts analytical studies and investigations and develops models and assessments related to improving and measuring operational resilience. She has over 25 years of experience in the information technology domain as a systems analyst, programmer, process improvement team leader, technical communicator, and manager. Curtis holds a BA with a concentration in Management from Simmons College and an MS in Management Information Systems from Boston University.
Nader Mehravari
Dr. Nader Mehravari is with the CERT® Division of the Software Engineering Institute (SEI) at Carnegie Mellon University. His current areas of interest and research include operational resilience, cybersecurity and resilience management, protection and sustainment of critical infrastructure, preparedness planning, and associated risk management principles and practices.
