2015-12-28

in the midst of the crisis

Part of Business Continuity is dealing with crises. Throughout 2015 I've been involved in the large FSPOS Sektorsövning of the Swedish financial sector. The task was to plan, prepare and lead this simulation exercise for one participating Crisis Management Team. They faced a rapidly evolving scenario. How would they respond to threats, deal with uncertainties, communicate with customers and the market? Creativity in the midst of stress. Improvising from existing plans. Valuable lessons and loads of fun!

2015-12-07

the future of continuity

Last week's Q&A with Master's Students in Kista, Stockholm was fun. Still in their first semester, I'm impressed by their wide-ranging questions. In fact, I even appreciate their showing up for an optional event. Arranging anything non-obligatory was kind of a hard sell when I first studied, back in a previous millennium. Many thanks to Mark Strande who kindly agreed to join me for this session to share his insight on Business Continuity. Also, presenting together is so much more fun.

2015-11-23

innovation through dialogue

Security needs innovation, new ideas from new people. It's great to see a new Master's Programme underway at Stockholm University. The Department of Computer and Systems Sciences (DSV) is set to regain its position as a leader in the field, and the industry stands to benefit.

Aiming for openness and external contacts, the programme has hosted a series of Security Dialogues, informal sessions with folks outside academia. I'm super-pleased to have been invited to meet with students December 2. Dialogue FTW!

2015-11-16

react, adapt and return

Continuity risk can rarely be avoided and the likelihood is difficult to decrease. Our best bet tends to be lowering the consequence, preparing for how to reduce the impact of the risk event.

The way we do this is through planning to strengthen key organisational capabilities:

  • to react effectively when the event occurs (contingency plan)
  • to adapt and do business differently when necessary (continuity plan)
  • to return to normal delivery in an orderly fashion following the crisis (recovery plan)

2015-11-03

passion vs. arguments

The Royal Swedish Academy of Sciences hosted a day on radiation risk in the context of final disposal of nuclear waste with researchers, industry, municipalities plus vocal opponents of, well, most everything.

60+ years after its introduction, nuclear energy remains an explosive topic. This sad state of affairs clouds our ability as a society to address the matter rationally. Then again, rationality is not in fashion these days.

But my thanks to all who contributed constructively. I learned a lot.

2015-10-26

later is now

When beginning to get a grip on continuity risk, ask where it hurts and where it will hurt. Ensure the involvement of top management. Where will your business be one year from now? Three years? Be sure to have your strategy framing your risk assessment.

You cannot eliminate all risk. So, which represents a cost that you can live with and which of it is existential to your business? (Hint: many owners of processes and systems believe their area is prio #1. This is precisely why you must involve the execs.)

2015-10-05

your continuity compass

How do you manage the unknown?

For starters, make it part of your risk work. Risk is the potential for events with impact on your goals. Focus on low-likelihood events with high impact on availability. This is Continuity Risk - your continuity compass.

Have it integrated with your Risk Management. Identify, describe and quantify. Use your history, known events which could have a higher impact if repeated. How bad could it get on a rainy day? Analyse and treat. You know the drill. Expect the unexpected.

2015-09-21

the future in your rear mirror

Once in a while things happen for the first time. Experts talk of black swans, events we couldn't imagine.

Those are the exceptions. Many accidents occur repeatedly. In fact, a useful tool for gazing into the future is a rear mirror.

But I haven't had any disasters, you say? Good for you! What about those times you were lucky? Or, not as unlucky as you could have been? Use the history within your context, think of what has happened. Imagine what the impact could be, another day, under worse conditions.

2015-09-14

when the smoke clears

The 2014 Västmanland wildfire turned into a six-week-long regional emergency.

It remains a source of insight into what works and what doesn't in societal preparedness. Issues from civil-military cooperation and local-regional-national coordination to volunteering, training and helicopters are subject to a broad study by the Swedish Civil Contingencies Agency (MSB).

I was fortunate to attend last week's project update, and I recommend the webinar version with lessons for any practitioner in Crisis Management.

2015-08-26

seminars: continuity meets multi-sourcing

Continuity Planning is about armouring your business with an element of robustness.

Multi-sourcing is a delivery model where you orchestrate a strong business with multiple sourcing partners.

What happens when the issue of continuity meets multi-sourcing? In September, I will be co-hosting seminars (in Swedish) on this very topic. How can we protect our customers and our business by ensuring availability in the face of unexpected events, even when we are dependent on external partners? Come join us!

2015-08-24

know your dependencies

What might impact continuity in your context? One key factor is dependencies.

Think of it. Are there deliveries, services, resources that you assume will always be available? Could you run your business without that special service provider, without those key individuals, those office premises, that technical infrastructure? If not, you must treat them accordingly.

Any business will have its dependencies. Knowing your dependencies and managing them proactively is a cornerstone for continuity.

2015-08-03

the continuity of what?

Before addressing continuity, ask yourself this question. What system (service, process, component) is in focus?

Sounds simple, but if you stumble here, you won't get far. What is your scope and why does it need to have its continuity protected? Is it within your area of responsibility, do you have the mandate? Does its operational quality matter to your stakeholders? Who will foot the bill?

Stating where your context begins and ends is a great start and sends a signal to others to do their part.

2015-07-15

what is continuity to you?

According to Wiktionary, continuity means lack of interruption or disconnection; the quality of being continuous in space or time.

Think of it. Lack of interruption in a real-world context means being able to withstand interference, continuing [sic!] to function in the face of external events. What kind of events? Some will be anticipated and we can design our system (process? service?) for them. Some will be unforeseen. How can we design for the unexpected? We know we have to.

What is continuity to you?

2015-06-12

again, known unknowns and unknown unknowns

This week's #sthlmcrimsymposium was fun and valuable. This being my 2nd time, I had managed expectations better.

Sure, linking outdoor violence to substance abuse is different from preventing compromise of valuable information. But there are also similarities. There was a poster session about Situational Prevention in the context of incident response. Infosec has so much to learn from mature fields, such as Criminology.

Managing known unknowns. Constructing unknown unknowns. We're all in that business.

2015-06-01

on the unsinkable and the unthinkable

It started as a jolt on the lower deck

Swedish song-writer Mikael Wiehe captures bewilderment, affection, anxiety, hope, pride and despair during the final hours of the RMS Titanic. 103 years on, this spectacular disaster offers lessons for those of us working with risk and security. Using the power of analogies, we can help our stakeholders approach difficult subjects in persuasive ways. While doing the best we can to protect our systems, we must admit that they are by no means unsinkable.

2015-05-13

vertical challenges

Riskkollegiet and the Swedish Radiation Safety Authority (SSM) hosted a seminar on Risk Communication.

Informing is not communicating. Still, the prevailing perspective was that of authorities with their experts informing the public, motivating them to change behaviour.

I advocate local ownership of risk. We are the experts on our system, we own and manage its risk. But I must admit that there's a difference between horizontal communication within an enterprise and the challenges for government officials.

2015-05-11

continuity through imagination

What does it mean to be planning for the unexpected? Something out of the blue that we failed to foresee: how could we plan around that?

Firstly, the unexpected might not be unheard of. We don't expect all engines of a jet plane to fail at the same time, but we know this has happened.

Secondly, let's differentiate between cause and effect. Our office might suffer a power outage. We can think of possible causes for this effect, but we won't know them all. Still, if we can imagine the effect we can plan around it.

2015-04-20

old rules for new stuff

Why do we need system-specific security requirements? Can't we just comply with instructions? Yes we can, and we must. But it's not enough.

A new system does new stuff (or familiar stuff in new ways) or we wouldn't bother constructing it. New stuff means new risk components (assets, threat sources, vulnerabilities) and consequently new risk. New risk means we cannot simply rely on old rules. We need to rethink how security is implemented for this very system. System-specific security requirements.

2015-03-30

from policy to real change

When you want something to happen, you can write a policy. Then what? Is it realistic, or does the policy assume components which are not in place? Is it easy to adhere to, or will compliance be an uphill battle? Now that it's easy, have you anchored the policy, ensuring that stakeholders understand it? Also - are people motivated to adhere? Always remember: awareness is not motivation.

Once again:

  • define "right"
  • make it possible to comply
  • make it easy
  • communicate your policy
  • help people understand
  • build motivation

2015-03-09

implementing is not establishing

Implementing something is about solving a problem, finding a workable technical solution, showing that it can be done.

Establishing something is about making it happen in the real world. Communicating the implementation to stakeholders, gaining their acceptance, understanding and commitment to use it. Integrating it into their processes, making it part of their business-as-usual.

From firewalls to access control models - implementing is not establishing. Security folks should ponder the difference.

2015-02-16

security is about timing

Beside the who, the how and the where - security is a lot about the "when".

In the best of worlds, you will be able to deter an adversary from even trying to compromise your system.
If not, can you prevent the attack from succeeding?
If not, can you detect the intrusion in a timely fashion?
Once detected, can you contain the attacker and prevent a wider compromise?
Finally, can you swiftly restore your system to agreed service levels?

Better get the chronology straight. Security is a lot about timing.

2015-02-12

obligatory quality

I'm reflecting on Business Continuity Planning. The ability to withstand the unexpected and carry on, serving customers as best you can.

Two observations.

The field is compliance-driven. Before the advent of regulation, interest was lukewarm at best. Whatever happened to self-preservation? Haven't we learned anything from 9/11?

Terminology is confusing. Guidance refers to several categories of plans. Relating them and putting them in context is left as an exercise for the layman. A challenge for us educators!

2015-02-04

still blogging, a decade down the line

Ten years ago I got an idea. It was rather trendy in those days, having your own blog. One purpose soon emerged though. I wanted to practice my English. The topics have varied widely, so picking a generic blog title proved useful.

I used to be interested in politics, as became apparent in the first posts:
In recent years I have shifted focus. When I got started within the security realm, I chose to devote the blog to precisely that:
As for the next ten years, who knows? What will be my perspective?

2015-01-26

assets and motives

How do they do it, asks the technician.

Why would they do it, asks the criminologist.

Considering motives is a great way to analyse potential abuse. What are the assets? What could make an adversary attempt to compromise the system?

If you run a bank, one answer is obvious. But people are not driven merely by financial gain. Revenge, power, politics, publicity, and let's not forget curiosity ("because I can"). The list goes on.

Get those assets and motives straightened out before calling the technician.

2015-01-05

trusting a system

In the best of worlds, we could all trust each other not to compromise security qualities of information - neither intentionally nor accidentally.

In the real world there is not sufficient trust in this regard. Instead, we need to implement protective measures to uphold sufficient information security. When we cannot trust other parties as much as we would like to, we need to establish trust in our protective measures instead.

What does it mean to trust a system? How do we create and maintain such trust?