Tobias Dames: For most, the word “resilience” conjures up thoughts about ISO 27001, BSI Baseline IT Security, service management and business continuity management. However, all of these are relative concepts. They chiefly define processes for minimising the damage caused. In addition, they are often not fully implemented simply because there isn’t enough time or there aren’t enough resources. It’s when incident and emergency management topics are discussed that wide-ranging vulnerabilities are discovered. The challenge here is to create the best possible resilience with the resources on hand and to do so before any damage is caused.
In a resilient organisation, various mechanisms work together. Combining closely linked IT areas—information security, emergency management, disaster recovery, business continuity, risk management and service management—with strategic leadership, corporate culture and other processes forms the bedrock of proactive resilience.
Resilience does not promise to pre-emptively eliminate all threats. Rather, it means being prepared for an emergency and the associated business-related risks, which is why it’s crucial to focus on core processes. What has to work and what is not absolutely necessary? A parts supplier’s production and logistics are more important than, say, its application management. Critical processes can be made almost completely fail-safe. Of course, cyber resilience does not make you impervious to threats, but it does make systems and organisations less vulnerable to attack. The overriding goal is to make sure a company can stay up and running whatever happens, and to ensure that it is equipped to deal with whatever the future holds.