Managing cyber resilience with RESILIA
RESILIA™ Cyber Resilience Best Practice was launched in June 2015. It is the latest publication from AXELOS, joining their existing portfolio of management practices that includes ITIL® for IT service management, PRINCE2® for project management and many more. As the lead author and chief examiner I have been extremely busy over the past few months helping to ensure that everything is in place. I am amazed that we managed to get the syllabus and exams ready at the same time as the publication, and that training organizations had their course materials ready to go as well. This was a great piece of release management by AXELOS, who recognized the importance of making sure that all the bits would be available at launch.
I have been very encouraged by how RESILIA has been received since the launch. Just this week I have read two blogs recommending that people study and adopt the RESILIA approach.
So what is RESILIA, and how is it different from all the other publications out there that tell you how to manage information security?
A management system approach
Many publications (and security experts) suggest that you need to have an information security management system. RESILIA takes a rather different approach, saying that you need to have a management system to run your business, and that this single management system should meet all your needs – for security management, quality management, IT service management, compliance management, and managing every other aspect of the business. Cyber resilience is not something that you manage separately, but something that you integrate into your management system to ensure you meet your security needs at the same time as you meet all your other needs.
To help with this, RESILIA has adopted a lifecycle structure similar to the one that will be familiar to users of ITIL, defining practices and controls in the areas of strategy, design, transition, operation and continual improvement. RESILIA also describes how cyber resilience can be integrated with IT service management to ensure that information and information systems meet the needs of the organization.
Because of this management system focus, the target audience for RESILIA is very wide, including people who work in every aspect of IT and information security, but also including any manager who has accountability for the security of assets. Recent well-publicised incidents have shown that this accountability extends all the way through the organization, including the CEO and CIO, as well as security managers and IT managers.
The need for balance in cyber resilience
RESILIA is focussed on the need for balance across a number of different dimensions. This need for balance can be found throughout the publication. Some of the important areas that need to be balanced include:
- Prevent, detect and correct. However much you try to prevent security incidents, you won’t always succeed, so you need to invest in detecting incidents as quickly as possible and correcting them with minimal impact on the business, as well as in protecting your assets. The controls described in RESILIA show how you can achieve this balance within your organization.
- People, process and technology. Many security publications, and many security experts, focus almost entirely on technology solutions, but cyber resilience is as much about processes and people as it is about technology. RESILIA offers guidance to help you create and manage controls in all of these areas.
- Risks and opportunities. The more security controls you put in place, the harder it can be to run your business. Really great security could make it absolutely impossible for the business to capitalize on new opportunities. This can lead to people working around your carefully crafted security controls, resulting in increased risk. RESILIA recognises the importance of balancing risks and opportunities. Achieving the right balance between risk and opportunity is a business decision that starts with the board of management and involves driving decisions about cyber resilience all the way through the organization.
- Getting things right and continual improvement. RESILIA has a strong focus on continual improvement. Even if you have the most perfect set of security controls you still need continual improvement because the threat environment, business environment and technology environment are constantly changing.
Do you want to learn more?
If you’d like to learn more about RESILIA then here are some resources you can use:
- Cyber resilience and ITSM - working together to secure the information your business relies on (requires free registration)
- RESILIA FAQ
- RESILIA Qualifications
- RESILIA Cyber Resilience Best Practices (publication, available for purchase)
If you’ve had a chance to look at the RESILIA publication, or to attend a RESILIA training course then please let me know what you think.
And finally, I’d like to thank my co-authors Moyn Uddin and Mike St John-Green. Collaborating with them has been a delight.