IT Risk and the Challenge of the Black Swan Event

Kevin Campbell | November 30, 2020

November’s theme is RISK, and this week’s article is “IT Risk and the Challenge of the Black Swan Event.”


In the previous articles this month I discussed several aspects of IT risk and the importance of:

  • Discussing risk in the language of the Board and business – no IT lingo!
  • Using a common yardstick across the enterprise and getting all risk down to a dollar value.
  • Putting a risk mitigation plan together that is oriented towards a series of small, straightforward, and highly actionable efforts designed to change behavior.
  • Having a Risk Governance Board – one that can be a formidable ally in achieving the organization’s final risk mitigation goals.

In this last article on IT risk I would like to discuss one final aspect of a comprehensive IT Risk Management Program, present a challenge, and make a request.

Almost every IT Risk Plan has been amended over the past several years with one or more entries that fall within the cyber-security category. This would include cyber-attacks, denial of service attacks, ransomware, destructive malware, etc. Each of these risks would reference a particular section of the Cybersecurity Incident Response Plan (CIRP) – a plan every IT organization should have and update regularly. The CIRP is so important, in fact, that many organizations have separated it out from under the broader Business Continuity Plan (BCP). This separation reflects both the importance of the CIRP and, in many cases, the very different methods and procedures needed to respond to a cyber-threat.

Several years ago the complete loss of all data on employee office computers and servers was unthinkable. It was something that never had and never could happen. It was not on ANY risk register that I knew of in any organization. It was considered a Black Swan[1] event. Today, ransomware is extremely common and has done exactly that – it encrypts data on computers to the point where the victimized organization is unable to access any of it. What was once considered a Black Swan event and made headlines across the globe hardly even makes the local newspapers today.

But we are living in a Black Swan event as I write this – the COVID-19 pandemic. Twelve months ago, how many organizations had even an entry, let alone a response plan, for a contagious, airborne, multi-national and multi-cultural global illness that can easily prove fatal for its victims? Very few had such insight. Even fewer had practiced their response to such a situation.

Which leads me to my challenge. Ransomware and pandemics are Black Swans, or at least they were in the not-too-distant past. Today they have become a normal part of corporate life. But there are other Black Swan events that many companies have yet to address in their business continuity planning efforts. My challenge is for you to consider the total loss of the Internet as your next Black Swan event. As impossible as you may think it is that the “Internet would go down,” remember that the same was once thought about “total loss of all data” and “a global sickness that could kill multiple hundreds of thousands, cause millions to lose their jobs, shutter businesses worldwide, and even shut down entire economies.” All too often the unthinkable becomes real.

Plan for this incident. Plan for NOT having the Internet available to your business, your employees, your suppliers, and your customers. What would you do if that were to happen? Better still, what activities, plans, mitigation tasks, etc. can you put into place TODAY to ensure your company can stay in business and continue operations should such an event happen in the future?

That is my challenge to you, and now here is my request: PRACTICE. For whatever risk response plans you have identified, there will be some level of “response” should that risk become a reality. Practice your response plans today. That practice can be with small groups, larger departments, or even an enterprise-level “simulation day.” Whatever form it takes, the learnings from such practice sessions are invaluable. Remember: a plan that is never practiced is no plan at all.

That wraps up my thoughts on IT Risk for this month. With fingers crossed, I hope no one ever has to open up their organization’s business continuity plan and begin executing it. This is especially true for any Black Swan event! It is, however, always better to have a plan and never use it than to have no plan at all.

Here’s wishing everyone has a safe, enjoyable, and healthy holiday season.


[1] A Black Swan is an event that is extremely difficult to predict, lies beyond what is normally expected of a situation, and is characterized by its extreme rarity and severe negative consequences.