NIS2 and DORA: aiming at strengthening resilience
Digital transformation, threats, instability and uncertainty
We are in a time when many businesses are still undergoing an intense digital transformation. This transformation journey is happening in a competitive business landscape and in a world under geopolitical tension, with uncertainty and threats on the rise. The war in Ukraine, the territorial disputes in the South China Sea, and the fierce competition for economic dominance between the USA and China are all examples that have a direct impact on the world's stability and security through cyberspace. In that context, it is even more relevant to protect this digitalization and secure the resilience of the critical services being provided.
What is resilience
Being resilient is about being able to adapt to internal and external challenges by changing the ways of operating while continuing to operate. It is an adaptive capacity, a continuous adaptability to unforeseen situations. It is our ability as people and teams to adapt to variability that our technologies cannot deal with. Resilience is about the whole socio-technical context, not only something you buy technology for. Teams have their own context, systems, goals, and constraints. This is what we should focus on next to accelerate resilience.
The most difficult part is getting all the parts of the organization, including technology, people and processes, to work together to improve or implement operational resilience.
Warfare and Safety Management lessons
It is interesting to draw some comparisons with warfare in this context, and to analyze how different organizations' cultures and practices affect the effectiveness of resilience. On one side we can observe a centralized, strong chain-of-command culture, with information loss or distortion between each hierarchy level and the reality on the ground. Another approach might be more loosely coupled, with a de-centralized way of operating, decision-making shifted closer to the field, and more timely responses. The latter approach appears significantly more effective and performant in highly intense and volatile warfare involving many different types of troops, tools, logistics and communication infrastructure, all interoperating in a hostile environment.
Similarly, Safety Management and resilience engineering are an interesting source of inspiration for how companies are organized with regard to operational resilience. The organization's approach can be categorized as a centralized-control mode, a de-centralized mode or a hybrid mode.
In a centralized-control mode, practiced as top-down standard requirements, resilience tends to be a practice planned in a "work as imagined" and compliance-driven way that might be disconnected from the variability and realities of the operational risks of the local systems or units. A significant gap between "work as imagined" and "work as done" in the front line can severely impact the adaptability and performance of operational resilience, which might be destructive for the organization. Understanding how front-line teams are currently adapting in their environment, in the gap between "work as imagined" and "work as done", is crucial to adapting plans and approaches so that activities can be connected and coordinated across organizational boundaries.
We are used to working with different cyber operating models for clients. When it comes to an operational resilience framework, and beyond DORA and NIS2, the focus should also be on the organizational part: the ways of working and of interoperating. This is crucial to developing an operational resilience that fits clients' context, needs and landscape in a pragmatic way.
At Accenture, we work, reflect, and co-create with colleagues from different delivery services such as technology, software development, red teaming, innovation, and organizational development. This gives a similarly end-to-end, integrated, and guided adaptive framework approach to contextualize and implement real and effective operational resilience for our clients.
About Accenture Security
Over the past 20 years we've created a portfolio of security offerings that we feel is unmatched in the industry. What makes us truly unique is that we can partner with you end-to-end – from defining the strategy and architecture, to implementing it, to running it through our managed services. And we do all of this through an industry lens.
When it comes to helping our clients with security, Accenture’s approach is to embed security in all aspects of the client work, solving even the most complex of the client’s cyber challenges. Our capabilities can help organizations in four areas: Cyber Industry services, Cyber Strategy services, Cyber Protection services, and Cyber Resilience services.
By Patrick Tahiri