Beyond Disaster Recovery: Using BIA to Prioritize Cybersecurity Budget

image source:
Anyone who works as a cybersecurity professional has been in an organization that spends too much money, time, and resources on data or systems that don’t really matter. There is regulatory compliance requirements, which I will talk about later, but there are risk decisions that can be made on all other cyber assets. The following are common questions asked by successful information security professionals:

“What do we actually care about protecting?”

“Which assets, data, and processes should we be focusing our time, money, and resources into?”

Luckily, there is already a cybersecurity tool that can be used to measure the importance of assets, data, and processes for the organization. It is often overlooked, since it is used in another area of focus: the Disaster Recovery Plan (DRP). In case you haven’t already figured out where I am going with this, the tool I am proposing for the identification and prioritization of focus areas is the Business Impact Analysis (BIA).

If your organization is up-to-date with their DRP, you should already have access to the BIA. Most of your work is already completed. If you don’t already have a DRP or a current BIA, I would suggest that you conduct the analysis as soon and thoroughly as possible, so you can knock out two pigeons with one pebble.

Now that you already have your BIA, you can filter out all the human, supply chain, and backup site information, as they are not applicable for this measurement. Continue filtering until you are left with data, assets, and essential business processes.

Next, as promised above, you should filter out the regulatory compliance requirements for your organization. You should already know what these are, but the most common types of data that should be protected, according to governmental regulation, are personally identifiable information (PII) and protected health information (PHI). Protection measures under regulatory compliance requirements are not negotiable, so these items should be placed at the very top of your prioritization list.

Now add the data, assets, and processes from the BIA to your prioritization list, in order from most severe to minimal impact.

Congratulations! You know have a prioritized list that you can use to help determine where your time, money, and resources should be focused.

For further reading, please check out this detailed explanation on business impact analysis from TechTarget and this guide for determining applicable regulatory requirements for your organization by JURINNOV. As always, please let me know your thoughts in the “comments” section below. I always take pride in addressing comments and answering questions. After all, the best information protection efforts and advancement of the cybersecurity field are achieved through collaboration between like-minded people. Thank you for visiting!

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at and on Twitter at @SteveHigdon.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s