Survey results: Are business continuity and information security converging?

In 2017 Continuity Central published the results of a survey looking at whether the increasing focus on information security is having an effect on the traditional demarcation lines between business continuity and information security management (ISM). In 2018 we repeated that survey to monitor how things have developed and the results of the survey are now available.

Is information security a business continuity issue?

62 percent (64.5 percent in the 2017 survey) of respondents believe that information security is definitely a business continuity issue, with a further 29 percent (32 percent*) saying that it was partially a business continuity issue. 9 percent (3.5 percent*) said that information security is not a business continuity issue at all.

It seems clear from both the 2018 and the 2017 versions of the survey that information security is viewed as a business continuity issue; but to what extent do business continuity teams actually get involved in preventing and managing information security incidents? The remainder of the survey examined these areas:

Does the business continuity team manage information security threats?

Information security threats are managed by the business continuity team in only 16 percent (14 percent*) of respondents’ organizations. A further 34 percent (29 percent*) of respondents said that the business continuity team was partially responsible for managing information security threats. The remaining 50 percent (55 percent*) of respondents said that the business continuity team was not responsible for managing information security threats.

The 2018 survey does seem to indicate a minor trend of increased involvement of business continuity teams in information security management, with a five percentage point decrease in the number of responding organizations stating that the business continuity team played no part in this area.

Respondents were also asked which department or business unit should lead information security management. The results were as follows:

  • Information security management should be led by the IT department / business unit: 27 percent (20 percent*)
  • Information security management should be led by the business continuity team: 5 percent (5 percent*)
  • Information security management should be led by the Board: 9 percent (10.5 percent*)
  • Information security management should be led by the risk management team: 16 percent (19 percent*)
  • Information security management should be led by a team consisting of representatives from different areas of the organization: 37 percent (38 percent*)
  • Other responses: 6 percent.

Although there is no consensus, the most popular opinion, which was consistent in both the 2018 and 2017 survey, is that information security management is best led by a team consisting of representatives from different areas of the organization. From answers given when respondents were asked to briefly describe how information security is actually managed in their organization it seems that few actually manage to achieve this structure:

  • 28 percent of respondents said that ISM sits within the IT team or department and the business continuity team is not involved;
  • 17 percent said that a dedicated information security team manages ISM but involves the business continuity team;
  • 14 percent said that business continuity is an integral part of the security team;
  • 14 percent said that the business continuity team became involved at the incident management stage but it is not involved before this stage;
  • 7 percent said that business continuity and information security are fully integrated into one team;
  • 7 percent said that their organization had a dedicated information security team and that the business continuity team was not involved with this team.

Do organizations have a formal incident response plan for information security incidents?

The simple answer to this question is ‘yes’! 86 percent (82 percent*) of respondents confirmed that their organization has a formal incident response plan for information security incidents, with only 10 percent (10.5 percent*) stating that it doesn’t. 4 percent didn’t know.

Does the business continuity team respond to information security incidents?

15 percent (26.5 percent*) of respondents stated that the business continuity team does respond to information security incidents and 27 percent (34 percent*) said that it doesn’t. 54 percent (37 percent*) said that the business continuity team is partially involved in information security response. 4 percent didn’t know.

There seems to be an increasing trend for the business continuity team to be partially involved in information security incident response; but it only takes the lead in a small proportion of organizations.

Respondents were asked who should be responsible for information security incident response. The results were as follows:

  • Information security incident response should be led by the IT department / business unit: 30 percent (19 percent*)
  • Information security incident response should be led by the business continuity team: 9 percent (8 percent*)
  • Information security incident response should be led by the Board: 4 percent (4.5 percent*)
  • Information security incident response should be led by the risk management team: 10 percent (10 percent*)
  • Information security incident response should be led by a team consisting of representatives from different areas of the organization: 43 percent (49 percent*).
  • Other responses: 4 percent (9.5 percent*).

The most popular response was that a team consisting of representatives from different areas of the organization is the best structure for managing information security incident response; however, almost a third of respondents to the 2018 survey believe that it should be led by IT. The proportion of respondents believing that information security incident response should be led by the business continuity team was consistently low in both the 2018 and the 2017 surveys.

Conclusions

The survey set out to look at the question ‘Are business continuity and information security converging?’ Both the 2017 and the 2018 survey give no indication that this is the case. There seems no doubt that information security is seen as a business continuity issue; but organizations in general do not, or only partially, use the business continuity team to manage it.

There is little consensus about how information security management and incident response are best structured, but the most common viewpoint is that a team consisting of representatives from different areas of the organization is the most effective way of managing both these areas.

Notes

The survey was closed after 100 responses were received.

* According to the 2017 survey.
