Part One: About the CERT Resilience Management Model

Organizations in every sector—industry, government, and academia—face increasingly complex business and operational environments. They are constantly bombarded with conditions and events that can introduce stress and uncertainty that may disrupt the effective operation of the organization.

Stress related to managing operational resilience—the ability of the organization to achieve its mission even under degraded circumstances—can come from many sources. For example:

• Technological advances are helping organizations to automate business processes and make them more effective at achieving their missions. But the cost to organizations is that the technology often introduces complexities, takes specialized support and resources, and creates an environment that is rife with vulnerabilities and risks.

• Organizations increasingly depend on partnerships to achieve their mission. External partners provide essential skills and functions, with the aim of increasing productivity and reducing costs. As a result, the organization must expose itself to new risk environments. By employing a chain of partners to execute a business process, the organization cedes control of mission assurance in exchange for cost savings.

• The increasing globalization of organizations and their supply chains poses a problem for management in that governance and oversight must cross organizational and geographical lines like never before. And it must be acknowledged that the emerging worldwide sociopolitical environment is forcing organizations to consider threats and risks that have previously not been on their radar screens. Recent well-publicized events have changed the view of what is feasible and have expanded the range of outcomes that an organization must attempt to prevent and from which it must be prepared to recover.

All of these new demands conspire to force organizations to rethink how they perform operational risk management and how they address the resilience of high-value business services and processes. The traditional, and typically compartmentalized, disciplines of security, business continuity, and information technology (IT) operations must be expanded to provide protection and continuity strategies for high-value services and supporting assets that are commensurate with these new operating complexities.

In addition, organizations lack a reliable means to answer the question, “How resilient am I?” They also lack the ability to assess and measure their capability for managing operational resilience (“Am I resilient enough?”) as they have no credible yardstick against which to measure. Typically, capability is measured by the way that an organization has performed during an event or is described in vague terms that cannot be measured. For example, when organizations are asked to describe how well they are managing resilience, they typically characterize success in terms of what hasn’t happened: “We haven’t been attacked, so we must be doing everything right.” Because there will always be new and emerging threats, knowing how well the organization performs today is necessary but not sufficient; it is more important to be able to predict how it will perform in the future when the risk environment changes.

CERT recognizes that organizations face challenges in managing operational resilience in complex environments. The solution to addressing these challenges must have several dimensions. First and foremost, it must consider that the management activities for security, business continuity, and IT operations—typical operational risk management activities—are converging toward a continuum of practices that are focused on managing operational resilience. Second, the solution must address the issues of measurement and metrics, providing a reliable and objective means for assessing capability and a basis for improving processes. And finally, the solution must help organizations improve deficient processes—to reliably close gaps that ultimately translate into weaknesses that diminish operational resilience and impact an organization’s ability to achieve its strategic objectives.

As a process improvement model, the CERT Resilience Management Model seeks to allow organizations to use a process definition as a benchmark for identifying the current level of organizational capability, setting an appropriate and attainable desired target for performance, measuring the gap between current performance and targeted performance, and developing action plans to close the gap. By using the model’s process definition as a foundation, the organization can obtain an objective characterization of performance not only against a base set of functional practices but also against practices that indicate successively increasing levels of capability.

Do You Need CERT-RMM?

The use of models for process improvement is common throughout the world. Models for improving manufacturing processes are typically the most recognizable, but models such as CMMI are widely adopted across a range of industries.

All organizations have some type of operational element—they may produce software or cars or deliver consulting services, but they all share the need to carry out functions that directly and indirectly support their mission on a daily basis. Regardless of what is being produced or what service is being delivered, managing operations that are critical for day-to-day and long-term success is what many people in organizations are charged to do. What makes this so challenging?

Do You Have These Common Problems?

Many organizations accept that with operations comes operational risk. They see it as an unpleasant by-product of doing business, and perhaps as something they can’t do anything about. But according to Towers Perrin, operational risk has been identified as the most important category of risk facing executives today [van Opstal 2007].

For security and continuity professionals, operational risk is our playing field. Much of what we do on a daily basis is directly focused on avoiding or mitigating operational risk even though the tasks we perform might not appear at first glance to be risk management activities.

The way that security and continuity management has evolved in organizations has resulted in inefficiencies that have become commonly accepted limitations on success. For example, do any of the following conditions exist in your organization?

• Security and continuity activities are compartmentalized and lack coordination toward common goals.

• Budgets for security and continuity activities are typically held by IT.

• There is no governance over the security and continuity activities.

• Risk appetite of higher-level management is not considered in security and continuity activities.

• Processes for security and continuity management are not defined and managed.

• Technology drives security and continuity management solutions rather than a layered approach of people, procedures, tools, and technologies.

• Work related to security and continuity management is not planned or tracked.

• Performance of staff during times of disruption depends on conditions and the heroic efforts of smart people, and the ability to repeat effective behaviors is questionable.

• The impact of a disruption on the organization is difficult to predict based on past performance.

• Many codes of practice are used, but the effectiveness of these practices is not measured, nor is redundancy in these practices identified and eliminated.

• Compliance activities take an inordinate amount of staff time and resources but do not advance the state of the organization’s security and continuity practice.

The list can go on and on. However, all of these conditions indicate the lack of a systematic approach to managing operational risk that is typically characterized by silos, lack of coordination and collaboration, ad hoc processes, unknown and unpredictable outcomes, and heroics: working longer and harder, lowering expectations, throwing more resources at problems, cutting corners, and depending on the right people to be available at the right time. Unfortunately, disruption doesn’t really adapt to our management shortcomings; instead, it exploits them.

How Does CERT-RMM Help You Solve These Problems and Benefit Your Organization?

While the intention of developing CERT-RMM was initially to produce a model in the likeness of CMMI that could be used for model-based process improvement, there is a broad range of uses for the model that address many of the challenges listed above.

CERT-RMM helps you manage your way through changing risk conditions by focusing on stabilizing operational resilience processes and meeting resilience objectives. It uses a process orientation as a way to “glue together” people, procedures and methods, and tools, equipment, and technology—all important elements in managing operational resilience. And CERT-RMM’s focus on continuous process improvement supports an organizational reality: operational resilience is never achieved—it must be continually managed.

Whether you use CERT-RMM as a process improvement model or just as a starting point for renovating and rejuvenating your resilience program, you may find many side benefits:

• You can realize the benefits of a convergent view. When operational risk is managed in organizational silos, the benefits to the organization are suboptimal. Silos allow for different (and sometimes divergent) risk processes, risk definitions, and risk measurement criteria, all of which can dramatically reduce the organization’s overall ability to identify and address operational risks. Convergence ensures that all operational risk management activities are coordinated, aligned with organizational drivers, and free from the artificial constraints that impact effectiveness (in other words, optimal).

• You can make your security and continuity practices work better. CERT-RMM doesn’t replace your administrative, technical, or physical security and sustainment practices. Instead, it provides a framework that the organization can use to ensure that these practices are producing results, are efficient, and support operational resilience objectives.

• You can measure progress. Because CERT-RMM is a process improvement model, a new world of measurement capabilities is provided to security and continuity practitioners. Processes such as incident management can be measured directly to know when they are working, when they are failing, and what gaps should be closed. In addition, the process orientation of the model provides opportunities to measure performance so that an organization can determine that it is getting benefits from its investment in security and continuity activities.

• You can more confidently characterize your operational resilience management posture. In our complex world, it is no longer acceptable to characterize operational resilience in terms of events and outcomes that haven’t happened. An organization needs to be able to understand its capability for managing operational resilience so that it has some degree of predictability about how it will perform during times of stress. The capability levels in CERT-RMM give an organization a way to characterize its competency and its ability to sustain good behaviors in bad times.

• You can determine where to allocate your limited resources. Legacy budgeting processes simply aren’t effective for addressing the allocation of resources to operational resilience activities. These processes tend to be tied to organizational structures (such as IT controlling the “security” budget) that artificially limit the ability to fund and account for all of the organization’s activities that are involved in managing operational resilience. CERT-RMM provides not only a process for formalizing resilience budgeting and accounting but also a broad view of all of the operational resilience capabilities that need resources.

• You can convert from a compliance mind-set to an improvement mind-set. Compliance activities divert the organization’s attention away from its goals and toward the act of complying. However, the ability to comply with various laws, regulations, and obligations should be an outcome of effective operational resilience management processes. In addition, the act of compliance can often give the organization a false sense of capability—many organizations are “in compliance” with a code of practice or an industry regulation yet have a significantly diminished ability to manage during stressful times. An improvement mind-set focuses on ensuring the work products of operational resilience management processes are being created through planned and executed work. These work products can typically be used to satisfy the range of compliance requests and concurrently improve the organization’s ability to be operationally resilient.
