Prepared for Anything? Really?

Is any organisation truly prepared, and for anything?

Quite obviously the answer is no, and managers are quick to point out that they cannot know what ‘anything’ is. They claim that no one has ever been proved to have perfect foresight, and in this they are correct, but it hides a multitude of managerial sins. Not least is that they inevitably build upon the issues on which they have had the chance to reflect in hindsight, and in doing so they are guilty of concerning themselves with historical threats irrespective of how those threats have evolved. In parallel they are similarly focused on their best-known vulnerabilities, increasingly because they have been targeted and have been forced to focus on what that entailed. Their failing is typically a lack of insight: insight into what is within their threat landscape, insight into what the potential impacts on the organisation could be, and insight into the pace of evolution. This is really about near-sightedness and the inability to ‘raise one's gaze’, which is a quite natural phenomenon among managers. The temptation to engage with what is familiar and to anticipate the scenarios that are more probable is only the beginning of analytical bias.

Napoléon once said ‘uncertainty is the essence of war, surprise its rule’, and preparation for serious security incidents or crises must be built upon the assumption that there will be surprises, and that the organisation’s response will have to tackle the unexpected. This raises two issues: firstly, the nature of the response and the capabilities inherent in the before and after of that response; secondly, the ability to deal with the unexpected, which is founded in managerial ability and experience. Unfortunately experience is gained over a very long period, as serious crises are invariably infrequent, and experience can degrade over time.

So there exists a critical gap where organisations need to ‘exercise’ the ability to anticipate the unexpected, to identify uncertainties and factor them into their planning, and to tackle them head-on: not least in order to maintain capability and confidence in existing preparation, but also to build experience. The adage that being forewarned is forearmed is always the justification for investing in threat intelligence, but in the sophisticated cyber domain it can be too tempting to rely on technology for early warning, and too complex to identify the critical signals within the ‘noise’. The nature of technological solutions is being exploited by attackers to create ‘noise’ to mask an attack, so decision-taking needs to be as reliably intelligence-led as possible, but ultimately taken by a human.

So what happens when you are faced with the unexpected? A threat that you did not anticipate, that was always plausible, but upon which you have little or no intelligence, and therefore your response depends entirely on your ability to quickly analyse the threat [which may require some specialist skills] and then calibrate your response before it is too late. The essence of intelligence gathering is to identify and qualify threats, no matter what the level of plausibility or probability, and in doing so managers need to accept that the lower-probability events are invariably the higher-impact ones. It is always a useful exercise to contemplate events according to impact and implications rather than probability, and to make a list of events under the title ‘Could Happen And Could Be Severe’, just to see whether sufficient attention is being given to them. Alternatively you can turn it on its head and ask what could cause a catastrophic collapse of ‘the business’, and then list the types of security event, cyber or otherwise, that could bring it about. For this you may need a specialist to inform you of the future threats you will face, or to model the financial impact of certain events, and this is highly recommended.

This is the first step towards a healthy preoccupation with the failure of organisational security and preparedness, and organisations need the yin-yang of managers who are preoccupied with creating value and wealth, and managers who are tasked with protecting it. Unfortunately the former greatly outweigh the latter. A preoccupation with failure is essential to combating the complacency that tends to set in after a period of calm, and it is an attitude that is at the centre of ‘high-reliability’ teams that require a near-perfectly synchronised and effective performance on every occasion. It requires a commitment to being proactive in the plan-do-review process, and this is at the core of being prepared for anything.

Good management practice and preparedness really require the ability to anticipate events long before they happen, and to develop a planned response to each scenario. In developing and refining capabilities, managers need to regularly review flaws in plans and road-blocks to effective performance through drills. This should run counter to any tendency to over-simplify plans and procedures, as the threats are increasingly sophisticated: hence the defence needs to match the levels of innovation and sophistication that threat actors are introducing. Practice does make perfect, or at least builds familiarity to the point where the response can be quickly and effectively adapted to a change of events. If you are not running exercises, refining plans, preparing capabilities, or anticipating future events, then you cannot claim to be prepared for the future: only the past.
Posted: 23 July 2013 by Optimal Risk Admin | with 0 comments