
Cyber Resilience: Q&A With Rob Zegarra

October 24, 2024 | DRI Admin

As part of this year’s National Cybersecurity Awareness Month, we spoke with Roberto Zegarra, DRI Director of Education and instructor of the Cyber Resilience course, which has been recently updated to address current cyber concerns.

Q: From your perspective, what is the current relationship between cybersecurity and business continuity?

RZ: That’s a great question – business continuity has been part of DRI’s DNA since it was born in 1988, but from a cybersecurity standpoint, over the past few years, an exponential number of cyber attacks have been occurring and getting worse. And the cybersecurity industry is doing quite a good job in terms of protection, in terms of setting up the stage for protecting, detecting, containing, and responding when it happens. They do an awesome job, providing strategies to help organizations deal with the problem and recover the systems. But they’re limited to systems; they’re limited to IT.

On the other hand, there’s the business continuity end, which was used to very short recovery time objectives. But the business continuity plans as developed weren’t necessarily considering what happens if the problem takes far more time to resolve. These cyber attacks are taking many days for the IT departments to contain, isolate, and eradicate the problem. That means for the business continuity department waiting to recover backups and restore systems, we may be talking about days or sometimes even weeks.

Q: And how does the DRI Cyber Resilience course address this issue?

RZ: When we developed the Cyber Resilience course, we knew we needed to offer strategies to integrate these two areas – BC and cybersecurity – and say, “How can the entire organization be collaborating so that we have a plan and we can recover business in parallel?” So, while IT is responding to an attack from the technological side, the business continuity side has a plan that works in tandem to minimize the impacts, mitigate the overall risk, and to be much better prepared so that they are able to recover mission-critical functions in a much more effective and efficient way.

Q: So, you think that for those reasons, a formalized Cyber Resilience course like DRI’s is important to professionals who aren’t necessarily IT focused – perhaps focused more in the business continuity or risk management areas?

RZ: Our course is not aimed at a specific type of area within an industry. This course actually talks about how different areas collaborate with each other – inside and outside of the organization – so that the business survives. When a disruption occurs, sometimes people will think “Oh, it’s an IT problem,” but it isn’t. You have all these pieces of the organizational puzzle – communications, risk management, operations, finance, marketing, sales – that have to collaborate, so that the overall impact of the attack is minimized, and the organization can recover.

So, to answer your question: this is not a course that’s specific to the business continuity folks, or the risk management folks, or even the IT folks! I’ve seen people in these classes from all different departments, saying, “This is opening our eyes, and it’s allowing us as an organization to be much more effective in responding to a problem.”

Q: How does the course apply to members of the organization that have varying levels of experience, particularly in responding to cyber incidents?

RZ: Even though it’s not the ideal way to work, often departments are siloed, which can lead to thinking like “A cyber attack is just an IT problem,” rather than a problem for the entire organization. So regardless of where you are in the organization, you want to make sure that the organization is able to collaborate with the different areas, talking to each other to resolve the problem so that you can respond and recover effectively and promptly.

The beauty of this course is that it walks you through the different stages and advises you on how the collaboration can take place within the different areas. There is a tool that DRI has used from the start, the business impact analysis. The business impact analysis allows us to take a look at how the operations work and what is it that we deliver as a product, as a service, or as information to our clients, and based on this we’re able to look at how the pieces of the puzzle should be connecting when an incident occurs. That way we are much faster in resolving the problem, and this vision allows people that have very little experience or have a lot of experience to open their minds, even if they have to step outside of their comfort zone and work together with other areas of the organization to understand how all these pieces of the puzzle fit.

So even if you’re not a cybersecurity person, the course will give you a good baseline to understand and talk about these things without necessarily becoming an expert on black hat hacking, malicious code writing, things like that. This course is focused on helping the organization, as a whole, better prepare for and recover from a cyber attack, while the cybersecurity experts are recovering the vital systems.

Q: On the other end of the spectrum, for IT and information systems professionals, what are the benefits of taking the course?

RZ: People who are already steeped in cybersecurity and IT systems have told me how they benefited in this course, because it gives them the overall picture within the organization to bring down silos and work together with the other aspects of the business so that they can collaborate. One of the key things that cybersecurity has to do is map their architecture and mission-critical assets against the other business processes; that’s extremely valuable.

Q: What lessons from some of the most recent types of large-scale cyber attacks have been addressed by the course updates?

RZ: We all know everything’s going into the cloud – so in the course, we look at recent cases and what they show us about the vulnerabilities there, for organizations and their third-party contractors. As I’ve said, it doesn’t matter how secure you think you are, hackers will be able to outsmart us eventually. So it’s a frustrating game that we’re forced to play with them, but we have to remember these guys are doing this 24/7, and all they need is somebody to make a mistake.

Another issue we delve into is social engineering, where someone will steal your credentials under the guise of developing a relationship with you. We also have insider threats – in many cases, an employee or contractor was offered money or compromised in some way to help them infiltrate your security.

The Internet of Things is another big topic. We have so many smart devices in our homes and offices, which are built to be easy to use, but as a result are incredibly vulnerable to hacking. And it isn’t just a vulnerability to your organization, it’s one that can easily expand out through your supply chain. Even organizations with major cybersecurity that they’ve spent hundreds of thousands of dollars on can be breached if somewhere in the chain, another organization’s security is easy to penetrate.

We look at recent attacks that have been in the news. For instance, the CrowdStrike glitch, where a software patch brought malware along with it, and when everybody at Microsoft updated their systems, they updated it with malware that gave attackers the opportunity to steal data and cause a lot of damage.

We go into all these current threats and more in the Cyber Resilience course. The message here is that we must be ready, and work together as an organization and with our supply chain to be prepared for when an attack happens.

DRI International offers Cyber Resilience (CRLE 2000) and Cyber Resilience Review (CRP 501) courses online and in-person throughout the year. Click here for additional information on the course and our Certified Cyber Resilience Professional certification.
