
Most Organizations Fail to Incorporate Security in Operational Resilience Planning. New Research Seeks to Change That

Security practitioners contribute essential capabilities towards operational resilience. But most security teams are not well integrated into broader resilience planning, according to new analysis published Thursday by the ASIS Foundation.

The report, Operational Resilience: The Critical Contribution of Security to Operational Resilience, was produced in partnership with Res Orgs. The authors, Tracy Hatton, director; Joanne Stevenson, principal and consultant; and Erica Seville, director, all of Res Orgs, conducted a literature review and interviewed 20 practitioners from around the globe about the state of operational resilience and security’s role in it.

“The widespread recognition of the need to integrate security into operational resilience thinking contrasted sharply with the reality experienced by many—that actual cross-organizational integration and prioritization remains limited,” writes Hatton, who is based in New Zealand, on behalf of herself and her coauthors in an email to Security Management.

The authors broke down the concept of resilience into three main buckets:

  1. Operational resilience: An organization’s ability to maintain critical services through disruption

  2. Strategic resilience: An organization’s ability to sustain success in a world of uncertainty

  3. Organizational resilience: An organization’s ability to survive a crisis and thrive in a world of uncertainty
Organizations are increasingly focused on improving their operational resilience due to seven drivers that the researchers identified: customer and stakeholder demands, regulatory pushes, complex and interconnected systems, growing threats, financial impact, competitive edge, and learning from past failures—including the COVID-19 pandemic.

But what can be less apparent is the practical role and integration of security into the organization’s operational resilience. The researchers found that security can be misaligned within existing resilience frameworks, leading to “gaps in incident response coordination, weak threat intelligence sharing, and inconsistent risk mitigation strategies,” the report said.

There is also a lack of guidance in existing frameworks that provides practical steps for integrating security into operational resilience.

“There are many different ways in which organizations organize who does what with particular sector norms and country norms,” Hatton says. “Across any 20 companies, the role of head of security might have 20 different job descriptions and 20 different reporting and collaborating lines. Given that, it is very hard to get beyond high-level principles to actual implementation without understanding the specific context within which the implementation will take place.”

Security practitioners can play a critical role in their organization’s operational resilience. The report explained that security is “woven through many key operational resilience concepts,” including continuous monitoring of emerging threats, incident response, asset protection measures, and proactive risk detection and intelligence gathering.

To demonstrate the value that security practitioners can bring to operational resilience, the report highlighted the Four Rs framework:

  1. Reduction: Detecting, evaluating, and mitigating risks proactively before disruptions occur

  2. Readiness: Preparing systems, people, and processes to absorb stress and respond effectively

  3. Response: Implementing coordinated actions during disruptions to contain impacts

  4. Recovery: Restoring functionality quickly to acceptable performance levels

Organizations can use the Four Rs framework—which the report dubbed “the cardinal directions of a shared resilience map”—to create a common language for internal stakeholders to clarify how security integrates with operational resilience functions.

“Risk is about identifying and managing potential threats, while operational resilience is about ensuring the organization can continue to operate through disruptions caused by those risks,” the report explained. “…an operational risk management framework provides an important foundation for operational resilience because it helps identify, assess, and manage the risks that could disrupt critical operations, enabling more targeted and effective resilience planning.”

Next Steps

The report recommended that organizations integrate security into their formal resilience governance structures and create cross-functional collaboration through committees or working groups.

“Developing shared risk frameworks and conducting regular scenario-based exercises will ensure all functions can coordinate effectively during disruptions and build mutual understanding during normal operations,” the report said.

It also suggested that board members and executives buy in and support security’s role in operational resilience with the creation of clear accountability, resources, and regular reviews for resilience performance.

“Leadership should foster collaboration between departments, ensure clear roles and responsibilities, and maintain visibility of emerging risks that could impact critical services,” the report added.

The report recommended security professionals position themselves as internal strategic resilience advisors. They will need to develop business acumen and create standardized metrics to demonstrate their contributions to leadership effectively, showing value beyond just threat mitigation.

Hatton adds that security practitioners will need several skill sets to successfully contribute in this way, including the ability to map interdependencies between security and other business functions, understanding how security decisions impact overall business continuity, the capability to translate security risks into business impact language, and cross-functional collaboration and communication skills.

When reviewing the report, Hatton says the researchers recommend security practitioners take steps in four different phases.

Start with self-assessment and positioning. Security practitioners should use the Four Rs framework to map their current security activities and identify gaps. Then, they should conduct a maturity assessment that is outlined on pages 19 to 21 of the report to understand their baseline. Next, security managers should reframe their function as an operational resilience enabler—not just a protective function.

Build strategic relationships. Security practitioners should get executive sponsorship using the governance framework on page 30 of the report. Then establish cross-functional collaboration with business continuity, IT, crisis management, and risk teams. Finally, practitioners should position themselves as a boundary spanner who connects different organizational functions.

Develop business-focused communication. Security practitioners should create metrics that demonstrate their department’s impact on operational continuity (see guidance in Appendix C). Then, they should use data-driven storytelling to show how security initiatives support business outcomes; shift the narrative from that of a defensive posture to one of business enablement.

Implement practical steps. Security practitioners should run scenario-based exercises with other functions to test coordination. Then, integrate security into existing business continuity and crisis management planning, followed by developing a shared risk terminology and common understanding across teams.

“The report emphasizes that operational resilience is a team sport—success requires moving beyond silos to create integrated, collaborative approaches,” Hatton explains. “Security managers should use this report to initiate conversations about shared goals and mutual dependencies rather than trying to own operational resilience independently.”

The full report, Operational Resilience: The Critical Contribution of Security to Operational Resilience, is available in the ASIS Store for purchase. ASIS members can download a copy of the report for free.
