BLUF – Constant crisis has raised the noise threshold to deafening, making it difficult to find your organisation’s signal and to take stock after managing one crisis whilst preparing for the next one to hit. It needn’t be so.
Last week examined crisis at scale and the complexities we are forced to weather. It’s not a storm we wait to pass, but rather a tide. Trouble is, tides don’t pass – they wear us down over time. It doesn’t have to be so, and here are some considerations to help you meet the next crisis.
Breathe. Survival is paramount. Doing so requires focus and calm. Breathing helps.
Get your house in order. In part, knowing what hardware, software, vendors and personnel you use and how they connect is crucial. Map it out internally so you know what you are getting and where it goes. Establishing VCAT helps.
Find what you can do and focus there. There is a lot of intel, news and rumour that could lead the organisation astray. Instead of looking at all the potential avenues, simplify your focus – what can you do? Walk it back from where your controls are to find which pieces of intelligence are of value. It might be great that someone attributed activity to a threat actor group, but unless you are shifting business priorities away from nation-state threats, it’s unlikely to make any difference. However, if you can drop payment thresholds to $0, what would trigger the decision? What intelligence would be required to make the right decision?
Determine priorities in orders of effect. If the responses to Colonial Pipeline weren’t cringeworthy, you weren’t paying attention. The loss of petroleum and personal effects was only a small part of the issue. The larger issue was the increasingly apparent upstream and downstream effects. With supply chains much shorter in the global economy, having a sense of what impacts a crisis would have – in both directions, upstream and downstream – gives a sense of where you might feel the hit.
Extend reach. No man is an island, though organisations certainly try. Extending information sharing is a start, with many opportunities available. Better still, reexamine your contracts with vendors and clients to consider regular conversation (with a good faith NDA) and include their interests as stakeholders in your business continuity plans.
Understand resource allocation. We often put together task forces to meet perceived requirements in a short amount of time. Challenges notwithstanding, adequate resources must be provisioned to extend beyond the crisis-du-jour. Crisis tides pull organisations into the midst – if looking to escape, you’d best have more than cupped hands to paddle.
Anticipate failure. Operate with the knowledge that you won’t see every risk, secure every port, or patch every vulnerability in time. Failure is imminent, though you still have a chance to influence the impact. By taking the time and resources required to understand what’s important to us and what can be done, we can set up the failure to be a stumble rather than a fall.
Sun Tzu was close in his discussion of knowing yourself and your enemies as crucial to victory, though he didn’t know or anticipate the landscape redefinition cyber offered. Perhaps he saw knowing yourself as larger than simply your organisation, taking in the entire allied landscape opposing the enemy. As it currently stands, the best we have are glimpses.
Dust off, stand up, square off, brace yourself. Your crisis is coming.