Author: Oliver Sykes - Partner, Digital Trust
Co-author: Aben Pagar - Senior Manager, Technology Consulting
It is clear that a customer-centric strategy is at the heart of successful organisations; vast amounts of personal data have been captured and processed to that end. However, data aggregation from multiple channels can have catastrophic impacts on the data host, including missed opportunities and brand damage, if that data is left unprotected. Moreover, the changing regulatory landscape in the Middle East and the unprecedented dependence on technology have lowered latency but increased the number of endpoints and connectivity vulnerabilities to which businesses are exposed.
According to our Digital Trust Insights, 81% of cyber executives in the Middle East see social engineering as a very real threat this year. Additionally, with the advent of remote working, complex data touchpoints and a growing use of cloud networks, future-proofing key technology infrastructure and implementing an up-to-date digital resilience strategy are essential to businesses.
Our 2022 Global Digital Trust Insights indicate the growing importance of a holistic view on Resilience, Cyber, and Privacy (RCP). Organisations, unfortunately, have a short-term incentive to take a siloed approach to RCP, which exposes them to significant risks across the business in the long run. Additionally, organisations frequently treat privacy measures as ad hoc operations triggered by changes in laws rather than actively looking to pre-empt them and establish best practices. This reactive approach runs counter to the principles of privacy by design and is ineffective in the long run, hindering the development of a sustainable RCP program.
Narrow focus, unfinished agendas and siloed Digital Trust business functions can relegate an otherwise efficient organisation to an RCP laggard. Such shifts signal a business case for organisations to develop digital resilience capabilities that cover a holistic view of RCP design within organisations. Converging RCP, the three tenets of Digital Trust, will reduce the impact of business shocks related to external threats and legal repercussions.
Use a comprehensive framework that unifies and touches on critical aspects across all three domains. Implementation of the framework would commence with a comprehensive RCP readiness assessment that captures the gaps across all enablers and best practices required for the development of a digital resilience capability.
The framework must take a bottom-up approach to information gathering and reuse process-level information across domains to ensure alignment of security and resilience requirements across the board. Unified process-gathering activities, like Business Impact Analyses (BIAs) and Records of Processing Activities (RoPAs), enable agile RCP framework implementation while standardising digital resilience requirements across the three domains.
Develop an escalation and response framework, aligned with the organisational risk appetite, that integrates plans and procedures across all three domains. All three pillars have requirements to respond immediately to incidents through defined plans and procedures such as cyber incident response, privacy breach response, incident response plans and BC plans. Such a framework enables effective communication across each of the different layers, cross-utilisation of resources and agility when responding to a disruption.
Enhancing the organisation's existing risk management framework with a tailored trust-based framework will ensure a unified risk management practice across all three domains. Ownership of RCP-assessed risks and prioritised corrective actions is held by a single dedicated risk management team. Implementing adequate controls that reduce continuity risks, in line with best-practice IT security and data protection protocols, will mitigate the impacts of business disruptions. Risk reduction also depends on the ability to ensure effective communication across the organisation's engineering, operations, health and safety, physical security and technology teams. This assurance activity is critical to the success of a risk management program.
Have a clear governance structure consisting of strategic, tactical and operational layers to ensure alignment and collaboration on RCP issues and next steps; this includes clearly outlining roles, responsibilities and accountabilities across RCP. Knowledge champions practising Digital Trust principles help to initiate forward-looking conversations across the organisation. Effective governance that engages stakeholders on RCP can set and maintain a data strategy, increase the visibility of areas of cyber softness and develop resilience from the organisation's foundations.
Also, regular forums should be held by the organisation's Executive Committee and Chief Information Officer (CIO) to showcase program support and ensure alignment on RCP action plans, budgets and strategic initiatives. In addition, tactical and operational level teams should regularly catch up to discuss relevance of existing controls and identification of issues and areas for improvement.
Discuss the RCP strategic roadmap with IT teams and work closely with them to fill the gaps across the RCP capability. For example, cloud-based IT strategies that account for data mobility and security are being adopted as a foundation for the future, to support increasingly data-intensive workloads and ensure business agility. In addition, developing an exemplary data protection architecture, providing future-proof critical IT infrastructure and implementing an effective IT disaster recovery capability will help reduce business downtime.
Continuous monitoring is critical to ensuring the relevance of the RCP capability. More than three-quarters of Middle East tech leaders emphasise the need for correctly executed assessments and testing to maximise ROI from cyber investments. This may be done through regularly held training and awareness workshops, embedding RCP roles into performance evaluations, periodically conducting audits, addressing gaps and nonconformities and implementing documented corrective actions.
Validating RCP capabilities must be done using comprehensive test scenarios that integrate all three domains. Backup and penetration testing of critical information/operational technology infrastructure that stores personal data, using the right combination of automated and manual methods, enables organisations to detect and repair flaws before cybercriminals do.
These exercises must be carried out with representation from all the leading business players in cybersecurity and operations, human resources, legal and public relations. This is because the most unlikely scenarios are often the ones that need to be practised the most. The gap between reality and perception is sometimes not understood until after an incident has occurred (as the Facebook outage showed recently).
Over 50% of Middle East executives indicate an increase in their cyber budgets this year, growing their reliance on technology. As cybersecurity threats continue to evolve, a practical approach to digital resilience is paramount. Asking the right questions coupled with the right vision can ring-fence your organisation from the wide range of potential RCP issues. But, unfortunately, many digital resilience programs begin by concentrating on where they are now rather than where they want to be. On the other hand, a successful one is more than a series of instructions; it is a continuous journey.