28 March 2020

24: Lessons in Resilience...

Flashback to 2007.  It's going to be a busy day for Jack Bauer this season. Last night's episode of 24 ends like this:
9:58 A.M.
Numair completes work on the suitcase nuke. One of the guards sees the TAC teams and gunfire erupts. Ray ducks to the ground. Amid the shooting, Numair detonates the nuclear device.

From where he is, Jack can see the mushroom cloud in the sky.

The White House team is in shock. Wayne orders Karen to put the entire military at the disposal of the Los Angeles response teams.

9:59 A.M.
As CTU watches the video in horror, Milo alerts them to a warning from the FBI. An Arabic phrase was overheard at one of the detention centers. Nadia translates it: “five visitors.” There are four more nuclear weapons out there.
The WMD scenario is now being played out around the infamous "suitcase nuke" that has been talked about for years. The question remains how the rest of Jack's day will go now that he is searching for four more devices amid what is certain to be mass panic. Whether the incident is of the sudden magnitude of this 24 thriller or the sudden onset of a contagious virus, our hospitals and healthcare system will be challenged immediately.

Continuity of Operations and Contingency Planning is starting to get the funding it requires in healthcare systems across the globe. We can only hope that it arrives long before the first wave of a pandemic or a radiological WMD event.

What would happen if you woke up at 2 a.m. with chest pains but the area hospitals were overwhelmed because of a COVID-19 outbreak? What would happen if you couldn’t get lifesaving blood work because the labs couldn’t process the results or your health insurance provider couldn’t process the authorization? What would happen if you were scheduled for surgery but the computer network containing your patient records was down due to a computer virus?

These are just a few of the scenarios that keep business continuity planners at hospitals and healthcare organizations across the country up at night and focused on the task at hand. Healthcare is the one thing you hope you will never need, but when the time comes, the availability of healthcare in this country is often taken for granted. Business continuity planning (BCP) professionals in the healthcare industry want to keep it that way.

This is a clear example of where the Critical Infrastructure sector we call Healthcare, and its sister the First Responders / Emergency Services Sector, is still behind in funding and in increasing its resilience to sudden disaster. Public-private partnerships are working diligently with an "All Hazards" mindset to address the lack of preparedness in many of our metro regions.

It's vital to understand the mission, not just for the healthcare sector but for government, law enforcement and first responders combined:

MISSION: To provide a forum that fosters communication and cooperation between industry and government security, law enforcement and emergency responders at the federal, state, local and tribal level to protect America's citizens and critical assets.

It's been said that we can never be totally prepared, as there will always be some degree of residual risk in any prudent planning or testing exercise. The real truth is that working toward a worldview of increased Business Resilience creates a different perspective.
Business Resilience
Even resolving these shortfalls and misunderstandings really is only part of the picture when seeking to create true resilience – we really must focus more broadly than on the technology and the facilities. Business resilience should be our goal. IBM has articulated its concept of business resilience as:

“The ability of an organisation’s business operations to rapidly adapt and respond to internal or external dynamic changes – opportunities, demands, disruptions or threats – and continue operations with limited impact to the business.”
The paradigm shift from a defensive posture to an offensive one is the first leap of faith: seeing the opportunities and upside, not just the cost of protection and overhead. Mitigating operational risks, thinking through all possible contingencies and creating new strategies for the future success scenario is what this mindset is all about.

I wonder what's going through Jack Bauer's head right now? Defense... I don't think so.

21 March 2020

Human Factors: Pandemic Fear & Y2K...

"Most people have the will to win, few have the will to prepare to win."  --Bobby Knight
Organizations are running around looking for quick answers to COVID-19 "Pandemic Planning."

Is this the next SARS? Many agree that it is not the same threat, and more are convinced that specific losses of personnel will have significant long-term cascading effects on other operational risk factors.

And yet there is a standard, and lessons learned, waiting for any organization that wants to increase its overall "Business Resilience", regardless of the origin of the "Virus."

Organizations that are now waving the panic flag for increased resources and funding to address the future of our current "Pandemic" should look closely at the behavior that drove them to the brink of another bug problem two decades ago, known as Y2K.

A worldwide panic, millions of dollars invested in redesigning software applications, and then, at the apex of the millennium, a huge sigh of relief.

And in the after-action reporting, and for the next two years, an Internet revolution was born. Our applications were re-engineered and the next generation of innovation was born, allowing companies to serve customers in ways they had never dreamed. We can do it all over again.

A strategic investment today in "Pandemic Planning" and Continuity of Operations will have the long-term benefit of creating a stronger, more resilient and more survivable organization. In fact, this time the emphasis will not be so "Tech-Centric" but "People-Centric".

Who is "Core" to our business? What processes are necessary to run the business and who are the people we really need to support those processes?  Now is the time to truly understand your "Team of Teams".

Every time you run a new preparedness exercise or test your contingencies, you learn how and where fundamental items have been overlooked.

The real "Human Factors" are in play this time. That makes the outcome more unpredictable and less reliable.

More importantly, perhaps it becomes necessary to put your employees through some of the most stressful training they have ever had to endure. What if?

Imagine telling your "Core," they can't leave work for the next month, instead of ordering them to work remotely.

Which people on your team will give up that much time and accept that much isolation from their close family members? The fact is, you won't know until you see them under fire.

You won't know if all of the training and preparedness has made any difference until you see your people perform under the most demanding and emotionally challenging circumstances.

You had better start now. And you should be prepared to see some of the most shocking human behaviors you have ever witnessed.

The people you never expected to be heroes will be. The bravest and most macho people on the outside are often the first to run and hide.

Fear is a phenomenon that enables some and paralyzes others. Your job is to find out how it affects those you choose to lead your organization, during the multiple waves of "Pandemic Attacks" just over the horizon...

14 March 2020

Operationalizing Defend Forward: A Paradigm Shift...

In light of the recent and overwhelming global state-of-affairs, it is now timely to enter into a dialogue on operationalizing "Defend Forward".

Is it possible to increase your organizational, personal or nation-state resiliency to the active threats you can't yet see, hear or feel? You understand that it depends on what the adversary actually is and what medium or environment it operates in. So here are just two examples that are difficult to see and detect with the naked eye alone:
  1. Ransomware
  2. Coronavirus
Number One is a threat operating in a virtual environment, a vast Information Technology infrastructure, propagated across the Internet by adversaries who seek to infest a host and produce an outcome as the threat infects vulnerable computing assets.

Number Two is a threat operating in a physical environment, vast geographical and human-based populations, propagated across our planet Earth by biological adversaries that seek to infest a host and produce an outcome as the threat infects vulnerable human assets.

Fortunately, Number One does not have a "Zoonotic" origin.

"Defend Forward entails the proactive observing, pursuing, and countering of adversary operations and imposing costs in day-to-day competition to disrupt and defeat ongoing malicious adversary infectious campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all the instruments of national power." --Dr. Erica Borghard

Think about your particular 1) organizational, 2) technological and 3) human-based ecosystems.

How much have you invested in operationalizing a "Defend Forward" strategy for all three?

You see, in the year 2020 and beyond you will need to think differently. You will need to invest in a cohesive and strategically balanced Operational Risk Management (ORM) paradigm.

Yes, paradigm. For those of you reading this who do not understand the true definition, look it up.

What is currently going on in "Cyberspace" is not that different from what is going on in our current "Healthcarespace".

Yet one is commanded by human behavior and the other one is commanded by human behavior.

Godspeed Mother Earth!

07 March 2020

Scenario Vs. Resource Planning: All Hazards...

"Strive not to be a success, but rather to be of value" --Albert Einstein
This article by Saul Midler on Scenario Planning vs. Resource Planning recently caught our eye, and for good reason. The link between Corporate Risk Management and Operational Risk Management is Business Continuity Management. Brilliant!

More importantly as he indicates:

"The danger of undertaking an operational risk assessment before the BIA / RDA activity is that a business case may be built to remediate the biggest operational risk without realising that impact or the consequence is low. This is essentially defining a solution before identifying a problem.

Think about 9/11 where 320 companies FAILED to return to business, 2800 workers DIED and 135,000 workers lost their jobs. By contrast a number of organizations did recover and continued operations. These include:

• Cantor Fitzgerald who lost 658 staff and resumed operations two days later;
• Marsh & McLennan with 3,200 staff over 8 floors;
• Morgan Stanley with 3,500 staff over 17 floors;
• NY Port Authority with 2,000 staff over 23 floors.

New school thinking saved these organizations. No one could possibly have thought of the scenario that two airplanes could cause structural integrity failure of both World Trade Centre skyscrapers resulting in the collapse and complete destruction of the precinct. The businesses that did survive did so because they adopted a resource loss philosophy that included office facilities, technology systems and, of course, staff.

While the scenario of airplanes being used as weapons of mass destruction is not a new concept for planning purposes (in fact it was hypothesized long before 9/11), the fact is that organizations today have adopted an "All-Hazards" mindset. As a result of the new worldview, "Business Continuity Management", as previously mentioned, has provided a much needed conduit between Corporate Risk and Ops Risk."


What does this "All-Hazards" mentality mean for the cure to unplanned disruptions or untested scenarios? It means that you move to the proactive side of the line and away from the reactive mode that so many organizations are still coping with, the old "It will never happen to us" syndrome.

Global 500 public organizations, small private businesses and non-governmental organizations all have true stories and cases of what amounts to a security risk crisis. Confronting a crisis at one organization will be completely different from confronting one at another, based upon the type of organization, number of employees, geographic locations and the senior executive process for dealing with a significant disruptive event.

The following question was asked at “Company A” and the top answers were:

What are the top five incidents/events that could cause a significant crisis within your organization?
  • Fire or Flood
  • Violent weather/damage to facility
  • Workplace violence
  • Industrial accident
  • Terrorism 
When the question was asked a different way, to a different group at the same company, the results were even more telling:
What are five incidents/events that have caused your organization significant crisis in the last three years?
  • Counterfeit products or major disruption in the supply chain
  • Alleged ethics violation of the Foreign Corrupt Practices Act (FCPA)
  • Geopolitical unrest in key overseas markets
  • Extended loss of electricity at a manufacturing plant
  • Data Breach/intellectual property theft by a nation state
The company is a multinational manufacturer of communications components. Senior executives charged with a "Duty of Care" in today's global enterprise require new thinking, enhanced skills and relevant solutions to improve crisis leadership.

What is your current readiness factor for the potential of environmental or natural disaster, supply chain disruption, economic espionage, ethics scandal, data breach, employee kidnapping, sabotage, terrorism, workplace violence and other legal risks?

Throughout the enterprise, the functions of physical security, information security, legal and financial liability have all become specialized, and the same security risk professionals have thereby become exposed to the potential for a blindside incident.

For example, the HR recruiter is focused on the security risk of hiring a person with a criminal record of violence and substance abuse problems.

The Chief Security Officer (CSO) is focused on the physical and information security of facilities, while the Chief Operating Officer (COO) may be more focused on daily operations and securing the resilience of the supply chain.

How will you provide your senior executives with the knowledge, skills and strategic solutions that enable global enterprise business resilience for years to come? Leadership of Security Risk Professionals...