Cyber confessions from a Resilience, BCM and crisis leader
18 May 2017
I am worried.
I don’t know enough about “cyber”.
Is this going to hurt my career?
These are three thoughts that I confess I’ve had, and I know that I am not alone on this issue.
In my case, these thoughts are not recent. In 2009 I was involved in managing the response to a significant cyber incident. It was the first time I’d had a leadership role in an incident where I didn’t understand the exact detail of how we were going to resolve it. I was used to pulling together a group of Silver-level SMEs from facilities, IT, HR, communications, services etc., so in that sense responding to a cyber incident wasn’t much different, since the SMEs are actually delivering the response and you’re co-ordinating from the centre. But where I could apply my day-to-day knowledge and understanding to incidents such as fires, outages and terrorism, the notion of a “cyber attack” felt very uncomfortably foreign. For that incident it was OK: we had SMEs for a reason and I could do my job without understanding the details that I wished I did. At that time, that was enough. I didn’t really like the feeling, though, of not understanding it all.
Roll on eight years and I suppose I know a lot more than I did about cyber. Unfortunately, I’m also acutely aware of what I don’t know. I’m lucky enough to work alongside some of the best cyber SMEs on the planet, so I can still involve the right mix of SMEs in whatever we need to do. So why does it still bother me?
At the beginning of this year, after joint research with the BCI, we delivered our report on what BCM professionals believe the future holds for them. One finding was that 62% of our 650+ respondents said that BCM leaders need to move beyond traditional BCM activity, and 53% said that includes working much more closely with Information Security (compared with just 2% who believed they’d need to work with them less in the future). But I’ve been working alongside Information Security leaders for years, so what is it specifically about the word ‘cyber’ that had me concerned?
As a business continuity and crisis leader, I’m used to making it my business to understand how the organisation works, what the risks are, what resilience measures are in place, and our approaches to responding to the key ones. That’s my job. It means that I have a better than average understanding of the way a lot of things work – facilities, HR, technology, press offices, operations, services - and how their responses are likely to happen. But when I started in BCM and crisis leadership – me being older than many of you, obviously! - cyber wasn’t really on the agenda.
So while I’m coaching those coming up behind me that they need to be as cyber savvy as I am about other business functions, I am also being proactive myself. In this BCI Business Continuity Awareness Week focussed on cyber, here’s what I’ve personally found useful:
- Talk to colleagues. It’s rare that a colleague won’t make time for me if I offer to buy them a coffee in exchange for them telling me about something they know. I can learn a surprising amount in exchange for coffee, particularly if it happens every month or two and not as a one off. It also gives me a chance to nudge the reminder that responding to cyber issues is part of a much bigger response capability, and encourage the breaking down of any barriers to being joined up. When was the last time you took a cyber colleague for coffee?
- Exercise. I partner with SMEs from across the business to build realistic exercises and cyber is no exception. Building and delivering exercises based around any scenario – including cyber – is a fast way for me to learn specifics and potential nuances about issues and responses. Additionally, I often find that those with deep cyber knowledge don’t have my expertise in designing and delivering crisis exercises, so working together to deliver this brings our specialist skills together. When was the last time you exercised your Gold team using a cyber scenario?
- Case studies. Real life stories explain things in a way that I can relate to; I would not get that from a text book. Though many are reluctant to talk about their cyber incidents, my favourite place to keep an eye out for case studies is the Harvard Business Review. The CEO of Sony talks about the infamous Hollywood hack (“They burned the house down: an interview with Michael Lynton”). PwC issued a case study on Operation Cloud Hopper in April 2017, exposing a systematic hacking operation with an unprecedented web of global victims. And I use this Google search every few weeks (do check the source of whatever you find to make your own judgement on its likely authenticity and accuracy). What was the last case study you shared with someone else?
- News alerts. As above, I find it easier to learn from what’s going on in the world today than from a book. My results from a Google Alert were a little too random so instead I found a couple of newsfeeds for new cyber issues and thought leadership. The first is from the UK government’s Policy Cyber Security feed and the second is from my colleagues here at PwC but is publicly available.
- Articles and forums. Books are great, but cyber moves fast and I also have a shorter attention span than I’d like, so articles hit my sweet spot for cyber learning. I have a marker in my diary to hit the following searches once a month: Harvard Business Review articles on cyber, The Telegraph search service (you just need to type “cyber” into this link), and I also confess to a quick peek at InfoSec Island every so often for a bit of wildcarding – this is more chat than articles, but you’ll see what I mean in terms of being able to pick up what people are talking about more quickly. What’s happening to other organisations in your industry now?
For me, BCI Business Continuity Awareness Week is about sharing and learning from each other, so I hope you’ll feel free to share your thoughts and strategies in the comments.