Security & Business Resilience

How to Prepare for ‘Business not as Usual’

How many times a month do we hear on the news about product recalls – on everything from vehicles and produce to toys and pharmaceuticals? How often do we hear about manmade and natural disasters that not only seriously impact the people in a locale – but the businesses that operate in that region?

To survive the “unexpected,” businesses today, both in the private and public sectors, must be prepared for unusual business conditions, whether they are caused by manmade, natural, environmental or accidental circumstances. And it’s essential that businesses develop crisis plans and regularly test them.

Crisis planning can be broken down into three main areas: emergency management, business continuity and resilience plans.

Most businesses look at one or maybe two of these areas, but a good plan needs to encompass all three. The flaw many companies encounter is that they develop crisis plans to show that the plans will work – but they seldom test them to failure. Yet failure is where we learn how things really work – or don’t. What chain of unforeseen events might be set off by an incident once best-laid plans are set aside and improvisation becomes key?

So why are these three areas so important?


Emergency Management

In most “emergencies,” the first thing to consider is how you assess the situation in preparation for an event – for example, a natural disaster like a hurricane or a scheduled occurrence like the Super Bowl. Questions to ask: What is my team, and who does it include? How do I ensure I have qualified resources, as well as the assurance that in an emergency they will be able to act as first responders? Is any single individual critical to the process? How do you get people where they need to be – or do they have remote access? What is the impact if you pull a few key people out of the process or facilities?


Business Continuity

It’s admirable for companies to talk about 99.999 percent as an effective measure of uptime for networks and systems, but rarely does this get discussed at the application level, or even further down the stack, at the customer level. How do you make sure your business is operational and functioning as normal?

This vigilance should be extended to your business partners, suppliers, transporters, maintenance, etc. The aftermath of the tsunami and Fukushima nuclear power incident in Japan has shown us how important this can be, given the disruption we have seen within the technology industry since then.


Resilience

Then there is resilience. How much redundancy do you need in your business, either in the “business as usual” process or as it relates to business as “unusual”?

In reality, the three major areas noted here all merge together in a solid risk management process and an accompanying assessment of the organization’s risk appetite. Although the term risk appetite is more often associated with security, a risk appetite should be applied generally to how and what you view as critical within your business. Where is your lifeline, and what aspects of the organization does it encompass?

Here is what I consider the top ten tips for what you should cover in crafting your organization’s risk management strategy:

1) What are the requirements of the business as they relate to governance and compliance?

2) Who is your end customer, and how do you make money? The answer to this question can then be interpreted as your company’s “lifeline” – you must be able to service your end customer. In the case of public sector organizations, you will be defining your end users and stakeholders and the critical services you are expected to maintain.

3) What key processes, partners and divisions have to be up and running to ensure you can make your end product or deliver your service to users?

4) What systems are critical? Which ones already have resilience built in? This could also be applied to partners and other areas.

5) Know where your “single points of failure” (SPOF) are and minimize these, even in your business “as usual” scenario.

6) Who are the key individuals, teams and groups within the business? It’s essential you bring them into the planning process.

7) Start with a good foundation. Don’t try to swallow the elephant; take bites out of it and measure the program against results.

8) Having a solid governance tool as a way to manage is important. It helps in knowledge-sharing and ensures the intellectual capital is where you can find it, not stuck in someone’s head. It also allows you to measure progress against key business objectives, which is always good when money is being spent against objectives.

9) Integrate your change management processes to include this as part of the standard implementation.

10) Test regularly, and test to get to failure! The only time you have a chance for a “mulligan” is when you are testing. When the real incident happens, you need to know you have the right people, ingenuity and familiarity with what to do when something goes wrong.


So When The “Unexpected” Actually Happens . . .

The hours – and actions you take – immediately following an incident are particularly critical. What you do then can make a big difference – not just to the costs you incur and the business you may lose, but to the possible public relations fallout. So again, it’s essential to have a crisis management plan in place – one that makes it clear what everyone should do and, in particular, how communications with customers, the media and other stakeholders are to be handled.

Experience suggests honesty is the best policy. Attempts to minimize problems and downplay their impact have a habit of making things worse.

Your crisis management plan must follow a few simple but important principles.

First, you need to “Confirm” the nature, scale and impact of the incident if your response is going to be appropriate. Is the incident real? Where is it, and who is affected by it?

Second, prompt and effective early intervention can “Contain” the incident and prevent escalation of severity and resultant impacts. This intervention proves most effective in those organizations where regular and realistic testing of the plan has taken place.

Finally, what and how you “Communicate” is vital. In the early stages of the crisis, the demand for good quality information is at its highest – exactly at the time when the quality of that information is at its lowest. This position is reversed as the timeline of the crisis progresses.

The effectiveness of the communication strategy will very much depend on how successfully you have managed to confirm and contain the impact of the incident and, coming full circle, how effectively you built and tested your crisis plan in the first place.


Recent Articles by Jeff Schmidt
