History of the Resiliency Engineering Framework

The establishment of the CERT® Resiliency Engineering Framework actually began during our development and deployment of the OCTAVE® methodology, which was focused on improving an organization’s involvement in managing information security risks. Through this work, we realized that organizations often view security as a technical specialty and don’t usually associate it with other activities such as business continuity and IT operations management—all of which are focused on managing operational risk and sustaining operational resiliency. Absent this important business driver, it is difficult to position security (or business continuity planning) as an enabler of an organization's strategy, much less an activity that is worthy of the investment of limited resources such as capital and people.

By examining the impact of OCTAVE and relying on CERT’s vast expertise in the field of security, we began to envision ways that security and business continuity could become important contributors to an organization's success and growth. Combined with the Software Engineering Institute's successful history of developing and deploying process improvement models for software and systems engineering, we realized that a process improvement approach to managing operational resiliency could help organizations to raise the effectiveness of their current efforts by shifting their perspective to the process, not the practice.

Along the way, we have supplemented our research by seeking out real-world problems to solve. In 2004, we began a partnership with the Financial Services Technology Consortium (www.fstc.org) to examine the application of these concepts to the complex problem of managing operational resiliency in the U.S. financial sector. This has given us unparalleled access to some of the best practitioners in the security and business continuity space.

Last updated June 30, 2008






