Directors now hold responsibility for setting business and risk strategies as well as for the overall oversight of operational resilience standards and governance. In today’s uncertain and complex operating environment, it is not surprising that a disruption to any key operational resource can quickly affect the delivery of business goods and services.
The goal, then, for both business leadership and the security team, is to improve cyber resilience and protect the IT systems, assets and data that support the organisation's ongoing operations and its ability to deliver its goods and services. Increasingly, legislators are demanding it.
For some Critical Infrastructure sectors, cyber resilience is the cornerstone of the wider regulatory requirement for Operational Resilience (sometimes called Operational Risk Management) that is being mandated in various jurisdictions like:
Organisational resilience more broadly is becoming a fundamental tenet of corporate governance and continuous disclosure. In essence, the ability of an organisation to continue operating even when key components of its product or service value chain are disrupted is a 'team' responsibility. Cyber security leaders are now expected to contribute to the ongoing resilience of the organisation, and the resilience of the systems, processes, people and third-party inputs that go into delivering a product or service is all part of that responsibility.
While delegation of some of these specialist tasks is acceptable, the Board remains responsible for oversight, for evidence that controls are effective, for lessons learned, and for an objective assessment of how well operational resilience efforts are working. That evidence must be available and demonstrable.