A Case for Business Continuity Planning

Or… “Fortune favors the bold, but it’s not a bad idea to hedge your bets.”

Dealing with the unexpected can be frightening, exhilarating, and sometimes disastrous.  In business, it is also a requirement.  A sensible look at the company’s risk appetite should be a regular occurrence.  As a Security and Privacy professional, I take the time to examine which risks are likely to occur and which are not.  For example, when you flip a coin, Heads and Tails are not the only options.  It is also possible that the coin will land on its side and stay there, or that a flying animal could swoop down and catch the coin in mid-air, keeping it aloft for hours before putting it at an angle in its nest.  This last option is possible, but I doubt that I will ever see it happen.  In business today, it is important to think about what may be lurking that could affect your actions, but I would not invest too much in ‘Theft by Bird’ insurance.

What does this have to do with Business Continuity?  Continuity planning is all about seeing the options and APPROPRIATELY preparing for possibilities or interruptions.  Understanding the probability that something will occur is key to managing your risk appetite.  There is truly only one way to be 100% secure in business, and that is to lock up everything that you own and put all of your employees in sound-proof, single-person offices where they can’t speak to anyone else.  The problem with this scenario is that you can no longer do business.  Risk is inevitable.  There is risk all around you every minute of every day.  Managing risk is how we get out of bed in the morning and how we do business every day.  I like to think of risk this way:

R.I.S.K.: Reality Includes Scary Knowledge

Bad things actually do happen.  Businesses have failed due to malicious actions of others using a computer as a tool.  I’ve been in corporate America long enough to know that theft occurs.  Theft is not only taking tangible things like cash, but also the intangibles, like the theft of a customer’s loyalty.

I tell you this, not to make you afraid, but to make sure that your eyes are open to both good and bad possibilities for your company.  I’ve spent years of my career preaching against using FUD (Fear, Uncertainty, and Doubt) in security.  If someone is working hard to make you afraid of something, they are usually trying to sell you something that you probably don’t need.  The downside of FUD being used as a sales technique is that it can cause you to miss something that really should frighten you.  Catastrophic incidents come at you from unexpected angles.  Having a good business continuity plan allows you to recover from the things you never could have seen coming.  Over the next few weeks, I will be sharing additional thoughts and helpful information so that you can determine the best methods for you and your company to create and maintain a Business Continuity program, one that gives you a fighting chance in dealing with unexpected incidents that could be disastrous if not dealt with appropriately.

Knowing that a storm is coming can help, but in the middle of a tornado is not the time to learn how to survive one.  Fortune may favor the bold, but preparedness trumps bravado.

Williams & Garcia LLC has a Security and Compliance practice with capabilities in Information Security, Privacy, Business Continuity, and GRC.  We work with each of our clients to help them achieve business value through technology adoption, risk management, and process execution.

Knowing What You Can Do Best

There is an old parable about a hedgehog and a fox.  The fox knows many things, but the hedgehog knows just one big thing.  The fox is a cunning creature, able to devise a myriad of complex strategies for the sneak attacks upon the hedgehog.  Day after day, the fox circles around the hedgehog’s den, waiting for the perfect moment to pounce.  Sleek, fast, beautiful, fleet of foot, and crafty – the fox looks like the sure winner.  The hedgehog, on the other hand, is a dowdier creature, looking like a genetic mix-up between a porcupine and a small armadillo.  He waddles along, going about his simple day, searching for lunch and taking care of his home.

The fox waits in cunning silence at the juncture in the trail.  The hedgehog, minding his own business, wanders right into the path of the fox.  “Ah ha, I’ve got you now!” thinks the fox.  He leaps out, bounding across the ground, lightning fast.  The little hedgehog, sensing danger, looks up and thinks, “Here we go again.  Will he ever learn?”  Rolling up into a perfect ball, the hedgehog becomes a sphere of sharp spikes, pointing outward in all directions.  The fox, bounding toward his prey, sees the hedgehog’s defense and calls off the attack.  Retreating back to the forest, the fox begins to calculate a new line of attack.  Each day, some version of this battle between the hedgehog and the fox takes place, and despite the greater cunning of the fox, the hedgehog always wins. *

Hedgehogs in Corporate America

There is an abundance of foxes out there in the corporate world: companies that pursue many directions at the same time.  They are “scattered or diffused, moving on whims at many levels,” never integrating their thinking into one overall concept or unifying vision.  Hedgehog companies, on the other hand, simplify a complex world into a single organizing idea, a basic principle or concept that unifies and guides everything.  It doesn’t matter how complex the world, a hedgehog company reduces all challenges and dilemmas to simple – indeed almost simplistic – hedgehog ideas.  For the hedgehog company, anything that does not somehow relate to the hedgehog idea holds no relevance.

Isn’t it refreshing when you find a company that has taken a thoughtful and unified approach to the complex world of IT?

So many foxes are out there bouncing from productivity tool to security tool to automation tool, strategizing about that next idea that can provide the solution that will “magically” help them to finally catch their hedgehog.  But, time and time again they produce the same poor results.

Key Focus For Hedgehog Companies

Organizations that are hugely successful are able to take a complex world and simplify it.  Understanding what matters most to an IT organization has very little to do with the latest technology, but everything to do with the process and how they use that technology to support their one single hedgehog idea.  Companies today make money in so many different ways that the complexity of the choices can draw their focus away from that one idea that makes them unique.

Great organizations have found a way to simplify the complicated processes that weave the fabrics of business and IT together into one focused idea.  However, the organizations that are continually frustrated by their repeated attempts to try anything to snare their elusive hedgehog will instead remain scattered, diffused, and inconsistent.

The moral of the story is that the fox is constantly focusing on the latest idea, concept or fad.  No matter how hard he tries, the fox will always fall short.  Understand what you do best and do only that.  The hedgehog knows what he can do, but even more importantly, knows what he can’t do.

[Excerpts and idea for this blog came from the book "Good To Great", by Jim Collins]