BLUF – Every major crisis faced today is like an oncoming avalanche – but started as a pebble-sized risk overlooked. How pebble risks grow exponentially over time and how to effectively assess/preempt/mitigate are keys for effective operational resilience.

Background

Log4j — say that to anyone in the cyber security spaces this past week and watch them shudder! Although it looks like we are closing on resolution, the sheer panic coming from this simplistic zero-day vulnerability in a program implemented since the 90’s was almost enough for senior leadership and boards to pay attention to the potential for catastrophe.

Almost.

What started as a crisis headlong became another crisis as BAU, raising questions in risk. Cyber risk’s daily uncertainty creates familiar resonance to those operating in digital space, as we don’t know how far things will go. Try calculating the probability of being affected by a zero-day; unless we simply don’t have the systems or software, it’s difficult to know what number to assign. My go-to has been (and will continue to be) infinity. When they tell me I can’t, it becomes infinity+1, as even if we aren’t hit directly, we still may have supply chain issues affecting operations (Think it’s only suppliers? Imagine if your client/ customer has an incidental pause in operations, unable to accept the order they placed. Especially if your order is time-constrained or perishable).

We clearly see the vulnerabilities/ risks and the ensuing avalanche of chaos when they are present. How can we look further out before they are coming?

Skiers and those familiar with treacherous snow-covered summits know a few things about pebble risks. Potential disaster is ever-present based on snow pack and distribution in treeless slopes. The use of sonic and explosive intervention measures (creating controlled avalanches, similar to using controlled burns in wildfire) offers reason to give the Howitzer for Christmas. Attempts to curb uncertain risk here are similar to what we find in cyber: it only requires the wrong pebble.

What’s in a pebble risk? Very little on the surface, I’m afraid. Pebbles are small, with low current impact. Not seen as significant at the start, attention being paid to the larger crisis du jour aspects misses the pebble risk starting its motion. As an incident progresses, we see the problem grow exponentially and create avalanches previously unaccounted for.

By the time we realise what happened, it is a full-blown crisis.

So how do we identify pebbles over time? Moreover, how do we identify the right pebbles, as there are many and not all will create avalanches?

Much of it is risk evaluation with adequate time components. What the ARC is doing in the Risk Steering Committee is a good start. If we identify the current risk issues and start adding the time component, we see what emerges. Creating risk frameworks encompassing larger sectors or regions to test and repeat – seeing what variables change over time – is part of that. Examining individual risk components independently and in context to understand what and when alerting is in order (and knowing who is watching/ should be asked) counts for another another.

The last part is simple and ties back into the controlled avalanche concept – instituting solutions such as Zero Trust in and organisation and its counterparts throughout our sectors and supply chains.

Identifying this could change the dynamic from a major risk requiring mitigation to one eliminated whilst still a pebble. It takes extra effort. May uncover other problems along the way, but these are necessary findings. Best to preempt crisis where possible, as the effort is still manageable.

Small steps to leave pebbles undisturbed.

-scl