What Resilia is (and also what it isn't)

Security is a hot topic, has been for a long time, and it’s only getting hotter: the new GDPR is about to come in and make compliance even more challenging than it already is. Stories abound about this firm or that firm that has been hacked. Then there is the discussion of Brexit, how it frames relationships with trading partners, and the need for security compliance. There’s a lot going on.

One of the big problems with security is that it’s so often viewed as a technical problem. Of course the solutions can be technical, but the real challenge is ensuring that our organisations’ security responses are appropriately considered and managed.

And that is where the RESILIA framework comes in.

RESILIA takes a holistic management view of providing CYBER RESILIENCE for IT services. Its position is that it’s not just prevention that matters but also recovery, and that end-to-end planning is needed for what happens when, not if, an attacker succeeds. This is sometimes an unpalatable view, but experience tells me that it’s a pragmatic one and shared by many, if not all.

RESILIA uses the idea of the lifecycle of a service to ensure complete coverage, and it draws significant parallels with various sources of best practice, including ITIL, COBIT, Management of Risk (MoR), ISO27001, ISO31000 and others. That doesn’t mean it has nothing new to say, but it’s also not trying to re-invent the wheel. Where it does draw on these sources, it does so to make sure it makes sense and can be understood, not to claim old ground for itself.


What RESILIA attempts to do is get management to talk about, actively consider and ultimately ‘put their shoulder to the wheel’ of adequately supporting the security requirements of their business, and to ensure that staff are empowered to deliver on those requirements as an integrated element of the delivery of IT services.

If your organisation is already using, in whole or in part, ITIL, COBIT, etc., then RESILIA is a no-brainer. It is designed, from the ground up, to PLUG IN to those frameworks and support them. Ideally, I’d see it as a complementary publication to the ITIL family, but it’s just as applicable in project and programme management and in the formulation of governance.

I have had a few people attend the RESILIA Foundation course, and the two comments below are common themes in the discussion. Both are valid comments in principle, and they highlight what RESILIA isn’t and was never intended to be. Let’s address each one in turn.


I thought this was a security course and that it would be more ‘technical’

RESILIA is a management framework, not a technical standard, for CYBER RESILIENCE, not just CYBER SECURITY. There are plenty of security qualifications on the market (Security+, CISSP, CISM, Ethical Hacking, etc.), and some of these are technical in their approach. RESILIA is NOT one of those courses. Anybody looking to RESILIA for a technical treatise at more than a broad, shallow, non-technical management level will probably feel it’s not for them.


I thought this was a security course but it seems to have an awful lot of ITIL in it.

RESILIA uses the same idea that ITIL adopts: a ‘defined lifecycle’ that needs to be managed. So does COBIT. So do other frameworks. ITIL is explicitly referenced throughout RESILIA because it’s the AXELOS framework for IT service management. RESILIA’s use of ITIL doesn’t make it redundant; it simply uses what is already a very widely used framework as a reference point and structure for discussion.


RESILIA has its place in the pantheon of security best practice, but it is important to ensure that it’s considered and used in the right way for the right reasons. It is already difficult enough in some arenas to get more than lip service paid to the real needs of securing the business. RESILIA can really help, provided it is used as intended.