A funny thing about pandemic planning
March 11, 2020
No, I’m not dead—nor do I have anything other than my normal killer sinus and allergy issues this time of year, thanks to the roller-coaster Cape Town weather. However, as I’m watching the news and the reactions of people here in the Mother City, I have to say that somewhere that’s as dependent as it is on multiple layers of society from all over the world interacting together, and where people have an aversion to proactive health practices, is probably not the wisest place I could be right now.
But…there you go. It’s where I am.
And, like you, the work still needs to be done, and life will need to go on.
At the risk of “joining the rising tide” of pandemic pandering I see flooding my inbox, I wanted to share a little something I learned the last time around with H1N1 from some wise old men and women sitting in John O’Leary’s famous (or infamous) COSAC Monday Masterclass 10+ years ago.
Pandemic planning is when most people get caught with their pants down because they realize how little they’ve been focused on “the right things”…
…and how much they’ve gotten distracted by the noise and confusion of the day-to-day.
BCP and DR isn’t even aligned very well with the cybersecurity programs in some of the organizations I’ve helped in the past. It often sits just to the left of Enterprise Risk, between IT, Security and everyone else.
And everyone thinks they’ve got it under control.
Which all goes swimmingly until something like what we’re seeing now actually erupts. People worried about their remote network access and VPN capacity being substantially less than ready to cope with Gartner’s predicted 25% unavailability of your current workforce. People wondering about how they’re going to figure out the skill distributions and “who knows what” and where they can get backups…
…when the gun’s cocked, loaded and in their mouth while sitting on their knees in a high-rise office building watching the foundations of the neighboring buildings collapse in an underground uprising of epic proportions.
Rule #1 of BCP seems too often to hark back to something very similar to, “You do not talk about BCP.” Followed closely by the startlingly similar Rule #2…and so on.
Despite the scramble and the spotlights being shone in the dim, dark reaches of the ugly underbelly of most organizations’ ability to plan for this sort of thing operationally—let alone from simply a cybersecurity perspective…
…this too shall pass.
And I’m guessing that there will be a lot of money thrown around putting some contingency plans in place against the impending apocalypse…
…much like the installation of the diesel generator at the last minute at the Informix office in Lenexa, KS in the final countdown to Y2K. And like that particular investment – which I don’t think ever really got used – I’m sure it’ll be money well considered and well spent.
I’m not saying that BCP isn’t important. Far, far from it.
However, what I am saying is that if you’re actually approaching the management of risk across your organization – including information and cyber security risks – in a way that makes sure you understand what the organization is trying to do, how it’s structured to deliver that value, the priorities and pitfalls inherent in the way things work today…
…and ensuring that those risks are visible, prioritized, communicated, and mitigated in ways that give the best chance of still being around when the dust settles…
…you’ll quickly realize that “little things” like a business-driven security architecture program are going to play a big part in how easy it is to keep on keepin’ on.
Followed quickly by the realization that if you’re already doing the right things, you just need to keep doing them.
Because you already know what you need to do, who needs to do what, and where you’re going to be able to get resources of all kinds to backfill any gaps and unexpected shortfalls you may experience.
Even if someone, somewhere didn’t give you the budget to do all the things you said you needed to do when you talked about it last time.
Your pandemic protocols should basically be just business as usual.
If they’re not, then maybe it’s worth a chat to talk about how we can work together to fix it. To do that, simply apply for a call with me using this link, and let’s talk:
https://securityleadershipcoaching.com
And if now isn’t the right time because you’ve already got your hands full of the wrong kind of Corona, just don’t wait too long once things settle down, ok?
Stay safe,
ast
—
Andrew S. Townley
Archistry Chief Executive