Why IT service management teams must play a key role in cyber resilience

When it comes to information security it's been well documented that everybody has a key role to play in protecting sensitive and valuable information, says Nick Wilding.

Nick Wilding, head of cyber resilience at AXELOS
Nick Wilding, head of cyber resilience at AXELOS

In order for any organisation to be more resilient to cyber-attacks it needs to ensure that all of its people are placed at the heart of any effective cyber resilience strategy.

AXELOS believes that the most effective preparation is to educate everyone in the organisation on the typical threats and risks they face, ensure that they understand the importance of cyber resilience and that they understand how they can help protect their organisation's most valuable information.  It has been estimated that 95 percent of successful cyber breaches are caused by the unwitting actions of a member of staff – and so minimising that risk through effective education and ongoing learning must be an essential part of any effective cyber resilience.

However, in most organisations there are teams who are closer to the cyber security ‘front-line'. Typically these are the information security and the IT service management (ITSM) teams.

There are a number of areas of significant overlap between the information security and ITSM teams. Yet in all too many organizations these teams are managed in independent silos with differing objectives, responsibilities and priorities. This can produce unhelpful and unnecessary conflicts – but good management can make this overlap advantageous. It provides an opportunity to create synergies and promote business efficiency and effectiveness.

If this overlap exists and isn't recognised and adjusted for, the two groups can see the other as a roadblock – an issue to be worked around if people are to do their job effectively. The ITSM team can believe that information security measures prevent them from effectively developing new and innovative services – and generally cause their work to slow down for no real benefit. The information security team, conversely, can believe that ITSM staff do not understand the critical importance of protecting valuable information.

In reality, there is a huge amount to be gained through collaboration and co-ordination between the two teams. Each team can provide their own perspective, leading to more effective working practices.

There are a number of areas where we see real potential for collaboration to improve practices. Governance is a good example.  Without proper governance, both information security and ITSM tend to focus on technology solutions rather than on meeting the needs of their stakeholders. By working collaboratively in building joint governance structures that combine both approaches, organisations can ensure that goals, objectives, roles and responsibilities are aligned and teams are working together in their mutual interests.

Another good example is incident management. For information security teams, security incident management is a crucial corrective control that mitigates those cyber incidents that cannot be avoided. For the ITSM team, incident recovery and management is about providing support to users and restoring services as quickly as possible when IT issues occur. If these two sets of incident management processes aren't aligned and working together, there will inevitably be duplication, inefficiencies and the risk of wider damage to the organisation. Conversely, if the two teams have worked on their incident management strategy and processes together, the associated risks will be reduced and organisations are more likely to react effectively when things go wrong.

To enable the organisation to ‘pull together' on multiple fronts the adoption of best practice management processes is essential. There are a number of approaches, from formal management standards like ISO 9001, to portfolios of best practice such as our RESILIA. Each business needs to decide which strategy and approach fits their model best, and then work with their information security teams and ITSM staff to adopt new ways of working.

We believe in taking a lifecycle approach to effective cyber resilience involving five stages for managing cyber resilience: service strategy, service design, service transition, service operation and continual service improvement. These stages help organizations to find and exploit the synergies between information security and IT service management.

Greater collaboration between the Information Security and IT service management teams will develop shared goals and help design and deliver tools and processes that cut across silos in an organization. In turn this will deliver real value, helping a business ensure that it receives the greatest possible benefit from the critical information it owns.

Contributed by Nick Wilding, head of cyber resilience at AXELOS.