Formalizing your information security program is a critical step to drive information security capability maturation in any organization. The intent of formalizing a program is to get clear on focus and ensure everyone is on the same page about who is doing what.
From our experience, building a great information security program starts with asking the right questions. At Avalution, we build information security programs from the top down, starting with the strategy of the business and focusing on the following five key questions:
- Why do we have an information security program?
- What are we going to protect?
- How are we going to achieve it?
- Who is responsible and accountable?
- What are the results going to look like?
Let’s take a closer at each. Continue reading
General Data Protection Regulation (GDPR) is the most comprehensive personal data privacy regulation ever issued, and its implementation deadline in May 2018 is approaching quickly. With the potential fines accompanying noncompliance, GDPR has shifted the business world’s attention to privacy. However, since this regulation was issued by the European Union, there is a lot of uncertainty around how GDPR impacts US-based businesses. Bottom-line – if your business sells to or holds EU residents’ personal information, GDPR affects you. Continue reading
Imagine entering your workplace and being met with a sign instructing you NOT to turn on your desktop computers or dock your laptops until further notice. No network access; no email; no dependent application. Unfortunately, this was the actual scenario that played out for one global law firm, DLA Piper, who fell victim to the Petya cyberattack in late June. For this law firm, the loss of email services is devastating; and their email was unavailable for over one week.
The June 2017 cyberattack, known as Petya, affected major organizations throughout many industries. Global shipping conglomerate, Maersk, has estimated quarterly losses of between $200M-$300M, due to experienced interruptions. Large manufacturing facilities were brought offline for many days while working to re-establish critical systems.
Prior to Petya, in May, WannaCry spread worldwide and infected over 200,000 computers. In both cases, infected computers had their data encrypted and hidden from its owners until a ransom was paid. Continue reading
For twelve years, Avalution has been laser focused on business continuity. We’ve become the leading provider of business continuity software and consulting in the US. We work with 13% of the Fortune 100, including the largest organizations in seven different industries.
We’ve become well known for delivering business continuity services that are connected to the strategy of the business, pragmatic, and reliably delivered.
Today, we are expanding into Information Security Management. Continue reading
When my business partner Brian and I started Avalution in a Starbucks 11 years ago, we didn’t spend much time agonizing over what we wanted this firm to be about. It was a quick conversation – and it didn’t really focus on business continuity! We envisioned a firm of great problem solvers. We were both most comfortable with business continuity, so we considered that a great place to start. Throughout the years, we’ve had many quick conversations to determine the path forward for Avalution. Continue reading
The organizations we work with are increasingly coordinating, and in some cases integrating, the management of their Business Continuity Management (BCM) program with the management of Information Security (InfoSec). This perspective looks at how they are approaching coordination/integration. Let’s explore the various forms of integration possibilities between BCM and InfoSec.. Continue reading
Cloud computing is potentially the most important technology development of this decade, so business continuity professionals should rightly be asking: “What does it really mean and how does it affect me?” This perspective is designed to address common questions about cloud computing.
What is the Cloud?
Bottom-line – it is a marketing term. Like all great marketing terms, it can be used to mean anything, and thus, it actually means very little. For our purposes, I’d like to suggest the following explanations for “the cloud”, which have proven broadly true in practical experience: Continue reading
In the last month alone, I’ve worked with two companies that had IT disruptions but didn’t use their IT disaster recovery (DR) plans because they weren’t sure if they could fail back home (aka return to normal). In both cases, these concerns were a surprise to the executive management team.
It’s a theme I’ve heard many times before – the IT disaster recovery solution was built without considering how the organization would return to the primary data center from the disaster recovery location. This perspective highlights some key issues to consider regarding the use of the IT disaster recovery strategy. Continue reading
Building a business continuity program (or anything worthwhile for that matter) takes time and dedication. It also requires compromises – constantly balancing what is practical and what is possible to protect the business. BUT – it’s important to remember that politics, committees, and making everyone happy isn’t the goal of business continuity.
If you’re lost, playing the same game over and over and ending up at the same result, maybe it’s time to start from a blank page so you can focus on what matters most. Continue reading
As business continuity professionals, it’s easy to be overwhelmed by the myriad roadblocks that exist on the road to building resiliency – lack of funding, lack of people, lack of management support, etc. In some organizations, it seems like everyone just wants the business continuity person to go away!
At Avalution, we’re always studying these challenges and working to find ways to prevent and overcome them. Many of those techniques are documented elsewhere in this blog. However, one foundational consideration is missing – an appropriate mindset in approaching the challenges facing you and your organization. Specifically, there are three areas where business continuity planners are often defeated before they even get started: expectations, excuses, and confidence. Continue reading