I chair my town’s committee on emergency preparedness, so I know something about dealing with natural disasters. I’m familiar with the Federal Emergency Management Agency (FEMA) and its role in providing training, organizational information and even direct assistance in helping communities be prepared. I’ve seen how volunteer organizations can work with local authorities—the fire department, police, EMTs—to become effective first responders. And every time there’s a story on wildfires, storms or floods, I sense a personal connection—and I pray that the teams involved have the preparation, skills and resources needed to handle the calamity.
In my other life, my professional side, I’m also in the business of disaster preparedness. I’ve been in the cybersecurity field for 22 years, and as an investor I’ve been involved with 18 security startups. In my current role as CEO of a security analytics company, I meet with security professionals just about every day and keep up with the latest threat vectors. I see corporations worrying constantly about attacks on the network infrastructure, developing plans and procedures, and spending billions on defense strategies and technologies.
And yet, every day, there’s news of another massive network breach at another organization somewhere. With all that money, all that time, all those strategies and technologies in place, hacks have become routine. How can this be?
Of course, I understand the difference between natural disasters and sophisticated cybercriminal gangs looking to wreak havoc. But from my vantage point, I can also see that there’s a lot the business world can learn from the emergency-preparedness world.
All of us fundamentally comprehend the basics of preparing for emergencies. In my town, like every other town, we train our community volunteers that the core elements of emergency preparedness are information and communication, planning, and then drill, drill, drill. Similarly, in the business world, most large companies have plans in place and practice regularly to be prepared for emergencies such as fires and flooding. Yet in all the companies I’ve visited, there’s been just one that brings this kind of discipline to planning for network disasters.
This absolutely defies logic. Most corporations readily acknowledge that cybersecurity is a big deal, and that threats are escalating. There’s also a greater concentration of risk now, thanks to technology trends such as cloud infrastructures and mobility. Networks are unquestionably the foundation of every modern business, and understanding how that network operates, is managed and is protected is vital. If the network is compromised, the entire business is compromised. Just ask Sony Pictures, or Anthem, or Home Depot, or Target, or any other large corporation still reeling from a breach.
So with that backdrop, let’s consider how lessons from community emergency preparedness and NIMS (National Incident Management System) training can be applied to the business world.
Information: Emergency preparedness (EP) is simply not viable without information: Who’s in charge, where the assets are, how to reach and use them, best practices, procedures on ways to proceed depending on circumstances.
On the corporate side, we’re in the business of information technology, yet too often we focus on the second word at the expense of the first. You need to know how your network is built and the nature of the assets on that network. Specifically, it’s the ‘as-built’ condition of the network that matters when crises occur, not how it should have been built. That information must be reliable, current and accurate—speculative bits of data don’t work.
Communications: For towns, there are generally layers of communications: cell phones, radios, messengers and procedures. For example, first responders such as ambulances and fire may not be on the same communication system, but they need to know what other groups are doing. Not everyone needs to know everything, but knowing who needs to know what matters a lot. What evolves is a command-and-control infrastructure that is defined, built and tested.
In an enterprise network, the same concept applies. There are layers of information—routes through the network, device configurations, security provisions, company policies, legal compliance, and even potential threat vectors. (The security folks probably don’t need to know all the compliance details, but the auditor sure does.) Parsing all the vast and various information elements of a network and its operations is critical to effectively managing that network in an emergency situation, or even on a day-to-day basis.
Planning and testing: Plans can’t be developed in a vacuum, nor can they be built and put in a box. To make sure they’re effective, they need to be tested during a simulated emergency.
Training for the people who’ll be in the thick of the emergency, making decisions based on planned procedures, is essential for proficiency. The best drills even throw random events into scenario plans—for example, we’ve asked our teams to deal with “mobs at the door making demands.”
Similarly, network and operations groups need plans for dealing with emergencies. Most have power-loss contingencies and hardware failure plans, along with backups and perhaps even a duplicate network or systems running in parallel to keep the business running. But what happens if a particular server runs afoul of malware? Is nearby network equipment vulnerable and affected? What can be done to isolate the problem or even redirect traffic so the business keeps running while the infected server is refreshed?
Drill, drill, drill: Plans are worthless if people don’t know them or can’t execute them. Sure, no plan is perfect, but they all get better with practice. This is how people become familiar with emergency procedures, make reasonable decisions and take action when that unplanned event occurs.
When I’m in front of my town council, I’m often asked how often we should drill and who should be involved. The answer varies based on the needs of the particular EP organization. A naval ship runs drills weekly. A fire department runs drills weekly. A town of volunteers runs drills twice a year.
On the other hand, I’ve talked to many organizations about their cybersecurity, and (this is a point worth repeating) I’ve encountered only one that runs any drills at all to ensure that their plans will hold up in the face of a real emergency.
The Ultimate Lesson: It all comes down to knowledge, preparation and practice. An evacuation drill has a more immediate impact than isolating a server, but that infected server can wreak greater havoc. Your entire business – operations, credibility, bottom line – can be endangered. And since incident response is just as important as emergency preparedness, there should be pre-incident and post-incident intelligence gathering. That’s the best way to be prepared for the next disaster.
Mark Orndorff, director of Defense Information Systems Agency Mission Assurance and Network Operations, has said, “You can’t defend what you don’t know.” Exactly—and there’s no reason not to know.
This article was written by Frontline from Forbes and was legally licensed through the NewsCred publisher network.