
July 29, 2025 9 min read

Build a business continuity plan: Why cross-training matters

Jeniece Vega

When someone says ‘data is the most valuable asset’, I kinda get the ick.

Why?

Because it seemingly devalues and disempowers another critical asset – people. Sure, data is more regulated. But people created written language, and data is, at its most basic definition, nothing more than a written language of 1s and 0s.

Sure, there’s big talk about AI replacing humans - some conspiracy theorists even cite AI as the next form of evolution. But while I was attending AI professional courses at the Massachusetts Institute of Technology (MIT), AI research scientists seemed quick to rebuff any kind of blanket assertion that humans are truly “replaceable.”

Aside from replaceability, humans are widely considered to be the greatest source of risk to the organization – just ask the thousands of organizations that experience a reportable breach each year. Year over year, people have played a major role in the successful attack path of over 90% of all major breaches.

So why do we continue to seemingly gloss over the critical role people play in our disaster recovery and business continuity planning and readiness? Why do we continue to take a somewhat laid-back and limited approach to business continuity, simply documenting the people needed to keep a critical process going, the backup resource for those people, and a worst-case scenario workaround?

Disaster recovery best practices

Disaster recovery best practices include the use of hot, warm, and cold backup sites. Sites can be anything from data centers to offices to production centers – they’re inherently a resource where a set of discrete business-critical processes occur. The temperature of the backup site describes how quickly and with what level of effort the site can be brought fully online. Hot sites require little to no time or effort to be fully online. Cold sites may need anything from patching and updates to data syncs to be ready to go. If we apply that same temperature concept to people, the backup resource is the ‘hot’ resource, the workaround is the ‘cold’ resource, and a ‘warm’ resource might only need to have the appropriate access provisioned, or some other minimal work or time, to be ready to step into another role or fulfill another critical function.

But why do we continue to bet against workarounds? Yes, cold resources can still help mitigate risk. But we all know it’s only a matter of time, if it hasn’t happened already, before the stars align and the critical resource and their backups are out of commission at the exact time that a critical process is at its most time-sensitive point. In a world where AI continues to enable threat actors and unknown risks to outpace the organization, it’s our duty to think beyond traditional business continuity and empower a more robust and ‘warm’ critical workforce.

So, how do we empower the security organization and the enterprise as a whole to improve their robustness?

Cross-training and secondments are a solution, and here’s a roadmap to leveraging these functions for business continuity robustness.

Define a strategy and framework

Start with Business Impact Assessments to determine critical processes and the skill sets needed for those processes. Have team leaders pseudo-cross-train to gain an understanding of each other’s critical processes. This facilitates collaboration in defining individual and collective roadmaps. Be sure there is top-down communication with clear goals and objectives.

Start small and don’t rush outcomes

Plans should start with implementing cross-training and build into secondments over time. If cross-training is not already occurring within a team, have the team start with internal cross-training before resources start any external cross-training. Team leaders should consider existing skill sets and capabilities within their own teams and be thoughtful about who cross-trains where.

Champion for customer and stakeholder buy-in

Make internal customers and other stakeholders aware of the initiative and the goal of enhancing business continuity. Promoting the program's benefits can help facilitate the rollout to other departments. Awareness minimizes the risk of confusion if a resource they prefer to work with is in secondment and helps showcase security best practice benefits. Bonus points: Communication and awareness will also help build rapport and trustworthiness for the security organization.

Leverage the experts

Have the program manager or team leads work with the department responsible for learning and development to create training materials tailored to the organization's BCP and culture. Consider various delivery methods and what’s most suitable and effective for the skill sets and roles being cross-trained. Consider how mentorship can support training methods. Again, the goal isn’t to replace people; it’s to empower them.

Foster a culture of continuous improvement

Leverage surveys to provide employees with opportunities to volunteer for cross-training in security domains where they may have an interest. Develop and share training matrices to allow employees to track their progress. Bonus points if your culture is receptive to a bit of friendly competition and gamification around completion of cross-training within security functions and domains.

Target diverse micro-training

Have team leads plan cross-training with the goal of team members only learning a small subset of critical processes at a time. Cross-training should focus on higher criticality processes first, and more complex processes may warrant multiple training sessions.

Ensure team members being cross-trained have the opportunity to learn from both the critical resource and any backup resources so they get diverse viewpoints, insights, and knowledge that can also aid in overall resource development.

Pilot the program and make adjustments

Roll out the program to a small group of resources or a single team to gain visibility on the risk of employees feeling overwhelmed or the creation of resource constraints. If needed, adjust the strategy and overall plan to ensure continuous balance with regular duties and workloads. Efforts to improve robustness should never create the risk of workforce brittleness.

Continuously monitor via regular temperature checks

Gather feedback and track program progress and effectiveness. Continuously check on performance and scale up when and as appropriate. Ensure there is a plan to scale up or down in response to changing business objectives.

Integrate into business continuity plan maintenance

Incorporate cross-trained resources into the BCP. Update maintenance frameworks to reference the cross-training and secondment framework.

In today’s world, where AI continues to enable threat actors and unknown risks to sometimes outpace the org, cross-training and secondment offer a path to continuing critical business operations in a more seamless and robust fashion.

About the authors

Jeniece Vega, MSPM, PMP, CRISC, CISM, CISSP, is a Senior Director of Information Security & Privacy and oversees all facets of enterprise information security services and strategy. She's been in the Information Security space for the last 10 years and has served in both technical and non-technical roles. She is passionate about the human component of information security, and she continues to advocate for innovation around security awareness and the development of a strong security culture within the organization.
