One: Get a clue
So you have made the decision to face reality. Trouble is, while most organizations are willing to face reality, they are clueless when it comes to their reality.
To be resilient is to know your strengths, weaknesses, gaps, and vulnerabilities, as well as the threats that are imminent, likely, or possible. Know these things, and you are positioned to prepare for, respond to, work through, and recover from inevitable disruptions. You also must be aware of your organisation’s human dynamics as well as its systems and infrastructures. These days, the most pervasive infrastructure is digital. Yet surprisingly few organizations have a basic working knowledge of their networks, and fewer still understand how these connect to the digital universe beyond. Invest in the capabilities and expertise to create this knowledge. The truth will set you free—and help you to help yourself.
Two: Sharpen your situational awareness
While a healthy appetite for network knowledge is a necessary habit of resilient companies, it is not sufficient on its own to achieve resilience. Often, the difference between a pilot who lives to retirement and one who comes to an untimely end is a matter of situational awareness. It is not enough to have textbook knowledge of every aircraft system. Surviving in flight requires applying that knowledge in real time. Keen situational awareness is a multi-dimensional process that continuously acquires, evaluates, and applies information as new input, new opportunities, new threats, new strengths, and new vulnerabilities appear, impinge, and attack.
When your IT team set up your network five years ago, they probably documented their work with a map, which has slumbered undisturbed in your drawer for, well, five years. In that time, devices have been added and taken away, people have been connected and removed, security privileges have been assigned and reassigned, and cloud connections made, subtracted, added, and multiplied.
That paper map? It’s archaeology. And without a “picture” that updates in real time, you can have no situational awareness. Instead of being resilient, your business is as brittle as a papyrus scroll.
William Saito was chief technology officer of the Fukushima Nuclear Accident Independent Commission created by the Japanese legislature. “The Fukushima accident is profoundly disturbing,” he posted on his blog for March 6, 2013, “not simply because 250,000 residents will not be able to return for decades to an area the size of Luxembourg. It’s disturbing because it forces us to ask [why, in a region that has experienced tsunamis] as far back as Europe’s Dark Ages, [none] of the world’s brightest engineers [questioned the wisdom of putting critical] back-up generators in a floodable basement.” Had backup power during the tsunami been available, the cascading failures that triggered the nuclear catastrophe could have been contained. Saito concludes that, “Japanese culture was the culprit … our reflexive obedience; our reluctance to question authority; our devotion to ‘sticking with the program’; our … ‘groupthink.’”
Resilient organisations are totally hooked on diversity. They invite every point of view and welcome contradicting opinions. When they come up with an idea they love, they form a “red team” assigned to tear it to shreds. (The more they love it, the harder they tear.) They build what winning sports teams call a “deep bench,” filled with people of varied backgrounds with a range of expertise and ideas. And then they listen to them—and hear them.
Resilience thrives on diversity, but it also requires a matrix of connectivity to ensure that disparate sources of data, opinion, and insight are productively integrated across the company. Bureaucratic silos and administrative fiefdoms can both sacrifice the opportunities created by collaboration, and derail – or worse, destroy – resilience by undermining the inherent strength of coordinated planning and response. Groupthink can blow up an organisation. Lone-wolf thinking and siloed action can blow it up even faster.
Five: Always consider the network
Key to creating resilience in any dynamic structure—a building, an ecosystem, a business, a complex digital network—is to consider the whole system before taking action or making changes. You are remodeling your house. You want one big living space. You knock down a wall. It turns out to be load-bearing, and … well, now you’ve learned a hard lesson in why you need to consider the network before you change the network.
Businesses run on networks, many of which are exclusively digital, and virtually all of which are at least enhanced or facilitated by digital connectivity. Adding a single connection or changing a single user’s privileges can have implications throughout the entire structure, potentially exposing valuable assets to attack. Invest in the tools and expertise that show you how one change will affect the entire network. And make sure you explore the impact of those changes before you make them.
Businesses thrive on connection to the outside. Resilient organisations understand that every connection is both an opportunity and a risk. For this reason, they build into themselves ways to arrest cascading failures by segmenting—in effect, selectively de-networking—to contain local failures and attacks before they cascade into a catastrophe for all stakeholders. The designers of RMS Titanic had the right idea when they built the ocean liner with sixteen watertight compartments. Tragically, they failed to build any of them tall enough to prevent an overflow that sank the whole shebang.
Seven: Be agile
The safest cars are sophisticated, agile systems. In a collision, they crumple strategically, absorbing energy that would otherwise be transferred to driver and passengers. Rigid metal, it turns out, can be designed to adapt with remarkable agility to a radical new situation: sudden impact.
A business may build rigid digital walls around the periphery of its networks. Say this fends off ninety-nine of every one hundred attackers. The 100th, however, might put you out of business—at least for a time. To prepare for the new reality you need the agility to adjust to the attack, contain it, and operate despite it. Agility enables resilient organisations to adapt to sudden impact.
Cyber security is now everyone’s business. Resilience is not a product. It is not a department. It is not the responsibility of one person. Resilience is a way of thinking, and – once committed to – it quickly becomes an essential part of how effective companies operate, delivering confidence to CEOs and board members. Resilience begins with knowing your networks in real time, all the time.