Businesses should prepare for black swans, says resiliency consultant
While black swan events are random and unexpected, businesses can still prepare for them, according to a resiliency consultant
A black swan event is defined as an incident that occurs randomly and unexpectedly and has widespread ramifications, but businesses can still prepare for them, according to a resiliency consultant.
Black swans may be game-changing, but they are not all that rare and businesses can mitigate against them, said Alternative Resiliency Services managing principal Howard Mannella.
“Businesses need to move past a bad thing happening, and think about some bad thing happening,” he told the 2015 European Identity & Cloud (EIC) conference in Munich.
According to Mannella, businesses should assume that something that might be termed a black swan will happen, and they should plan accordingly.
“Do not rely solely on your ability to predict because improbable events happen all the time. Although the chances of a particular event are low, the chances of some event are high,” he said.
For this reason, Mannella said it is important that every organisation has a business continuity plan, and everyone in the organisation is aware of that plan and is regularly drilled on it.
While most organisations have firewalls, antivirus and intrusion detection systems, fewer have well-known, well-practised continuity plans, and fewer still have integrated that with a business continuity exercise to identify how to respond to impacts on the business.
Shifting from being reactive to pre-emptive
“Organisations need to move from being reactive or even proactive to being pre-emptive,” said Mannella.
Reactive would be calling up a vice-president and figuring out what to do when things go wrong, he said, and proactive would be publishing who to contact and their contact information.
“Pre-emptive would be thinking through potential responses, doing some choreography, and doing some role-based assignments with two backup people so that in a crisis the contact people are not making things up,” Mannella added.
While risk management deals with prediction, and high availability and redundancy deal with prevention, he said business continuity or disaster recovery management is still necessary to take care of response. “Risk management, high availability protection, redundancy and security do not obviate the need for planning for failure.”
According to Mannella, most organisations tend to focus on the cause of incidents such as flood, fire or terror attack.
“A better practice is to focus on the impact of an incident. Regardless of cause, the organisation has to formulate a plan for what to do in response to a compromise or outage of its information technology systems,” he said.
Supply chain management vital
Managing the supply chain is also an extremely important, but often overlooked or under-emphasised, element.
Mannella said organisations should not only ensure that they really manage their supply chain, but should also consider helping critical suppliers develop their security plans and assisting them with incident recovery.
“A pre-emptive approach is to assess all critical suppliers beforehand. Do not take their word for it when it comes to their resiliency,” he said.
Mannella also believes that joint planning and joint exercising are important elements of a pre-emptive approach to supply chain management.
The next important element, he said, is training and exercising, but he warns against focusing too much on the details of incident scenarios.
“The best practice is to focus on the expected outcomes of the training. Aim for outcomes such as enabling employees to think two steps ahead, dealing with ambiguity in security events and managing with purpose under stress. These are more important than dealing with specific kinds of attacks on specific targets,” said Mannella.
Counterbalance blind spots
Finally, he said, it is important for organisations to counterbalance their blind spots. “Admit that you need to compensate for cognitive or experiential bias, solicit a variety of inputs into your enterprise thinking – including lateral thinkers and dissidents.”
Mannella concluded by giving examples of potential black swans that every organisation can and should be planning for.
These included an internet outage lasting two weeks and cyber attacks that can have physical consequences, such as bringing down a plant without detection.
“What really keeps me awake at night are the unknown unknowns – the things that I don’t know that I don’t know,” he said.
Mannella’s parting advice to information security professionals was to engage executives and board members in terms they understand.
“The C-suite is not scared of Isis, but they are scared of attorneys. So if you talk to your executive stakeholders about the ability to provide an affirmative defence, the ability to demonstrate a standard through care to limit their liability – not the company’s – but their liability, then you will have their hearts and minds so that you can get the budgets,” he said.