January’s security awareness topic is resilience

Outline and scope

Resilience is a valuable concept in business and life as a whole.  It involves ‘bending not breaking’, in other words making or arranging things such that issues or incidents aren’t disastrous or terminal, although damage may be sustained.  Resilient things aren’t necessarily invulnerable but they are definitely not fragile.  In the lingo, their performance degrades gradually or gracefully.  Mostly, they just keep going.

In relation to information security, resilience is a form of control, a security approach supporting business continuity and information risk management.  As with ‘oversight’ (last month’s awareness topic), it is a very broadly applicable control.  There are situations where resilience isn’t helpful but they are far outnumbered by those where resilience makes business sense.  Examples:

  • Resilient databases and other software applications are designed to trap and deal appropriately with data or system errors and attacks that might otherwise cause failures, security breaches and other problems;
  • Resilient IT devices are physically robust enough to keep running despite various electrical problems, knocks and mechanical stresses, extreme temperatures, old age etc.;
  • Resilient communications mechanisms can be relied upon to ‘get the message through’ when other less-resilient methods slow to a crawl or stop working completely;
  • Resilient facilities are barely affected by threats such as fires, floods and power glitches: vital characteristics of, say, communications hubs and crisis management centers;
  • Resilient business processes exploit every opportunity to cope with challenges ranging from shortages of raw materials and workers through tough competition to global recession and war;
  • Resilient people are less affected than most by crisis situations: somehow they have the physical and mental capacity to think more clearly and get on with important stuff when others are rendered incapable, perhaps literally falling in a heap;
  • Resilient workforces extend the approach to the level of teams, departments, business units, organizations, perhaps even entire industries and nations.  They have the resolve, determination and resourcefulness to make it through whatever challenges they face, often by pooling resources and helping each other out.  Collaboration, teamwork and motivation are part of resilience.

Cost is probably the main issue with resilience: while basic approaches are essentially free or cheap, more sophisticated arrangements tend to require more substantial planning, effort and investment.  Awareness secures the benefits of resilience with relatively little cost, for example by convincing workers that their own preparation, readiness and response to various crises have implications for their wellbeing and survival plus that of colleagues and the organization.  We’re putting people into a more positive frame of mind.  At least, that’s the plan!

Learning objectives

Although security-aware workers are an important defensive control, in a truly resilient organization awareness and training are merely parts of a comprehensive suite of layered, overlapping and complementary information security controls – including incident, risk and business continuity management.  The NoticeBored materials directly address management and professionals as well as the general workforce since they have distinct roles in making the organization resilient.

January’s security awareness and training materials:

  • Introduce the concept of resilience, providing general context and background information;
  • Expand on the associated information risk and security aspects (e.g. resilient information systems are less likely to succumb to power cuts, hacks, viruses and bugs);
  • Put workers generally in a positive frame of mind, more resilient and willing to get through situations that might otherwise overwhelm them;
  • Impress on managers and professionals the value of proactively engineering things to maximize their resilience, especially business- and safety-critical things.

Consider your objectives for this awareness and training topic.  Is the organization’s resilience important enough to justify making sure everyone is up to speed in this area?  Do you agree that resilience is a company-wide cultural issue, an integral and vital part of business continuity management?  Are there particular messages you’d like to put across, specific concerns or points to emphasize?

Sure, you could research and prepare a suite of awareness materials on resilience if only you had the competent professionals to do it, or the time and inclination to do it yourself.  Alternatively, kick off 2019 with NoticeBored.  We’ll get your awareness and training program off to a flying start, sustaining and systematically improving it over the months and years ahead.

 

Module 189

Get this module

Subscribe to the NoticeBored service to receive this module, plus similar batches of security awareness and training materials delivered fresh to your organization every month.  We offer a wealth of top-quality creative content on a market-leading range of information risk and security topics making it easy and economic for you to run a world-class security awareness and training program.

Email us to set the ball rolling.  Find out what it takes to get your security awareness and training program quickly up to speed, for a lot less than you might think.  We’re a small company with a big reputation for quality and innovation.

If you only want this module, then yes we can do that too.

What’s next?

Tag along with us on NBlog as we work on the next awareness topic.  In addition to clues about what’s coming up, we share hints and tips on making security awareness more effective.


Copyright © 2018 IsecT Ltd.