Cyber: learning to speak a new BCM and crisis leadership language
19 May 2017
“Find an interpreter or at least learn the basics of the language. Even better...do both.” This sounded like solid advice as I eavesdropped on my colleague’s phone call, imagining the anonymous recipient gearing up for an expedition across the Andes or preparing for an arduous project in Central Asia.
When he hung up the phone I wasted no time in grilling the speaker on what far-flung corner of the world the recipient was off to. Tajikistan? Cambodia? Nicaragua?
'Slough!' came the matter-of-fact response.
The language he had been referring to wasn't French, Mandarin or Swahili. It was the comparably complex pair of languages spoken in cyber security and modern business management. Both contain nuanced terminology and unfamiliar concepts that can easily be written off as dark arts that take years to master. Business Continuity and crisis leaders are very used to having to explain terms such as recovery time objective and recovery point objective and what really constitutes a critical activity, and we prefer to explain those – where possible – before an incident occurs. Understanding the language of cyber before an event occurs ensures that we aren’t concerned when we hear phrases like “Identity and Access Management (IDAM)”, “Advanced Persistent Threat (APT)” or “Keylogger” (software or hardware that records keystrokes to monitor user activity) during an incident.
The cyber/BCM translator my colleague was referring to was the near-mythical employee that is fluent in both languages: a character that understands the detail of the technology landscape and the complexities of how the business operates when business-as-usual isn’t available. Most organisations have one of these individuals; you just need to find them.
As rare as this skills-cocktail sounds, with a little digging I often find that “people who can” don't just appear at the top of the organisation. These individuals can be found scattered around the organisation and are worth their weight in gold when the world comes crumbling down. But there is also another way: as BCM and crisis leaders we can ensure that we speak just enough of both languages as well.
In my experience, when cyber crises occur, people revert to what they know best and can quickly feel uncomfortable with anything on the periphery. Those with a technology background tend to focus on the technical aspects of an incident. Those coming from the business side tend to focus on the business impacts. These are two distinct focuses that can lead to a decision-making impasse.
This is where the cyber/business translators come in and, with some investment of time, this can be us. I've seen first-hand that these fluent people are the 'So what?' specialists of cyber responses. They can absorb briefings on the forensic details of a cyber attack, digest the information and provide answers to the “So what does this mean?” questions the Executives are looking for. Working alongside all aspects of the response, they can translate technical actions into tangible business impacts in a way that means something to senior decision makers.
If I were to sum my thinking here up, I guess it would be that a bar fight is no place to start a boxing lesson, and a cyber crisis is the wrong place to start learning about basic technology concepts.
As brilliant as our translators are, knowing a few key concepts ourselves will save us a lot of time and make it as easy for us to deliver our role in response to a cyber incident as it is in any other. As well as making it their business to liaise with cyber colleagues, I’ve seen more of our industry turning to simulation exercising as a tool for exploring and understanding their response to cyber crises. These exercises can be used to identify and explore knowledge gaps in a safe environment, leaving the participants with a clear list of actions to close those gaps.
My question to you is, have you learned the language yet? If not, do you know who your cyber translators are? Have you integrated them, and their cyber colleagues, into your Incident Management process? How fluent are your executives when the topic turns from P&L and KPIs to malware and cryptolockers?