The definition of business resiliency has expanded to a digital frontier. In this episode of Culture of Compliance, Sabrina Serafin speaks with Eric Aslaksen of iVision, Inc. about this new era of business resiliency and the steps you can take.
Culture of Compliance: A New Era of Business Resiliency
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, partner and national leader of Frazier & Deeter’s Process, Risk, and Governance Practice.
Today, we’re happy to welcome Eric Aslaksen, chief technology officer at iVision. iVision is an Atlanta-based IT consulting and managed services firm that provides strategy, design, implementation, and global support for companies that require a secure and resilient infrastructure. Eric, welcome.
Eric Aslaksen: Thanks for having me.
Sabrina: Let’s dive into today’s topic. We’re excited to have you here today to talk specifically about business resiliency. Eric, it seems like over time, the view of risk management for organizations has greatly shifted. For example, years ago people talked about business continuity and disaster recovery in terms of power outages and backup generators, but we all know the risk landscape has greatly evolved. Could you talk a bit about what the term business resiliency means?
Eric: Sure. I cheated a little bit and I went to the internet, so I’m going to read this to you. Business resilience is an organization’s ability to quickly adapt to disruption while maintaining continuous business operations and safeguarding people, assets, systems, intellectual property and overall brand equity. So it’s much bigger than just IT.
When we work with clients, we work with them in a very holistic way. When you talk about brand damage or safeguarding people, we think about having an active shooter tabletop exercise, those types of things. So, yes, IT is a big part of it. But from an overall business standpoint, there are a lot of other things you need to worry about.
Sabrina: So how does a business address resiliency within their IT environment?
Eric: It really starts with an adoption of a framework, and there are several out there. iVision uses ISO 22301 as a standard for that base framework. I feel it’s really checklist driven, covers all the pieces and parts that a company needs. We’ve got several folks that are certified as lead implementers and so it’s really something that we grasp on to, but it’s more of a strategic risk management approach. Business continuity is more of a focus on process, and so we marry those two together.
Human error is probably the number one form of downtime. When you think about some of these breaches that we’ve seen in the news lately, a lot of it was due to some sort of human error where there’s somebody that picked up a USB drive out of a parking lot that said “finance” and put it in their laptop. Or they pushed out changes that went sideways. We actually had two clients over the past three months that did just that. You think about that: they pushed out a driver, took half their server farm down. They came in the next morning and had to manually remove that driver. Now, if they had a different DR (disaster recovery) solution in place, they could have failed over and kept business running, right? But that’s what happens most often.
There is the security piece of it, the ransomware. The city of Atlanta, Baltimore, places in Louisiana, the list goes on with the damage that ransomware is causing.
You’ve got to think about that a little bit differently than how you plan for a natural disaster or an earthquake. We’ve developed a solution focused on rolling back. If you think about how ransomware takes effect: somebody hit something on Friday and it naturally starts to encrypt everything over the weekend. How do you get that data back from Friday? Hopefully, the first thing is to go to backups. But if it’s completely underwater, how do you take the entire environment back to last Friday?
There are software solutions out there that allow you to do that. The technology we have today is way different than what we had 10 years ago, so smaller businesses can have that same high availability business continuity that only the largest enterprises could afford to enjoy 10 years ago.
Sabrina: Could you possibly give us some examples of actions businesses are taking now to be more resilient?
Eric: Sure. I think the first one is just getting educated. Understanding what business continuity is, what business resilience is, better understanding the risk of other businesses, and seeking expertise. So, when we talk about taking action, I shared that adoption of a framework. Pick one, work with your experts in the field, don’t do it alone. This stuff has all been out there; there are great recipes to do it. But when you take on a particular framework, something like ISO 22301, it’s step by step.
The first step being identify, and that’s really your risk assessment. Identify the causes of possible disruption and their likelihood. Analyze, that’s really that business impact analysis to determine where the areas of business are at most risk. How do you protect your crown jewels? Because it may not be hundreds of applications, maybe it’s 10. The architecture is going to look a lot different for how you protect 10 applications versus 100 applications. This also allows you to determine what your RPOs and RTOs are.
Design, so you’re developing a strategy after that. It’s based really on three things from the BIA: the recovery and restoration procedures, the protection, and mitigation; that’s what you develop your strategy on. The next one is execute: execute the strategy. Don’t have the expertise in-house? Go to a third party, develop that strategy and execute. The last one is measure, so a train-test-maintain: you’re constantly training your people, you’re constantly testing the system on a regular basis, and you’re maintaining that every time you add a new server or new VLAN, whatever it may be; you’re constantly maintaining that.
There are a lot of low-cost options out there; that’s what I love about what we have done today with technology, software-based solutions, that you can have DR protection in a matter of 45 to 60 days on your crown jewels. Again, that didn’t really exist 10 years ago, so the software providers made it a lot easier. These big providers have a playbook in order to help our clients implement that, and we do as well. When you think about it, more than 40% of US enterprises have already adopted a DR as a service offering. I was surprised to look that up and read it.
There are small versions, large versions, or maybe it’s just on a cloud environment, but when we look at US enterprises, there’s some contract in place for DR as a service. And overall, the global DR as a service market is worth about $2.4 billion and it’s expected to grow 50% over the next year, by the end of 2021.
The reason I bring these statistics up is that people are adopting this; people are realizing DR has been hard, trying to get everybody in a room once a year and mapping all the applications and doing the testing. It’s a challenge, especially when you don’t touch it for a full year, finding the application owners. When you outsource that to somebody else, you’re paying for them to care and feed that solution, constantly test it, make sure that the run books are up to date, and it just gets it off your back. When we implemented our own offering, I certainly slept better at night knowing that I push a button, at any point, my entire environment will flip over, turn to environment, and I’m up and running with about an hour of downtime wasted.
Sabrina: It sounds like thinking differently about tapping into expert resources on demand is a part of the new era of resiliency. Would you agree?
Eric: I would certainly recommend it; there’s a lot of expertise out there. Like I said, software has made our lives so much easier. The days of using hardware-based replication, all the complexities there. It’s easy enough for the smallest of businesses to have some level of business continuity and disaster recovery. These frameworks have matured as well. So, we talked about ISO 22301; anybody who’s tackled ISO 27001, which is really focused on security, knows it’s delivered in a way that is manageable.
It doesn’t mean you have to go about getting certified on it, but you can use the best pieces and parts, and that’s where I feel like a third-party expert can help you. It really boils down to business impact analysis and risk assessment, knowing where your risks are with the business and how much money you should spend on them to keep them up in life.
Sabrina: So as we wrap up, do you have any key takeaways specifically for our listeners?
Eric: I think the key takeaway is just the acknowledgement. Acknowledge that you have risk in the business. Identify what those risks are. It doesn’t have to be formalized as we’ve talked about with these different frameworks, but know that there’s more than just a natural disaster that can take out the business. Know that there’s human error every single day, and you probably see it. How many times your e-mail goes down, the ransomware and the crypto mining, those things add a completely different layer of complexity and risk to the business.
The fact that I can go out to the dark web for $500 to buy ransomware and send it to all my friends and family and completely take down an environment, that’s a scary thought. We didn’t have that 10 years ago. You don’t even have to be a hacker anymore; you just need to know where to buy it and purchase it with whatever your cryptocurrency is. It’s a real risk. So, acknowledge that there is a risk, take action. I had a panel with a CIO group a couple of months ago, and one of the key takeaways from one of these CIOs was just move, just do something, right? Start the process, acknowledge you have risk in the business, and then leverage that third party, leverage the expertise.
Sabrina: Thank you, Eric, for being with us today and for helping our listeners better understand the concept of business resiliency; it’s been great talking to you. To our listeners, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into a new business.