On hearing about the horrific events last weekend in Florida, USA, I was saddened first and then struck by the bitter irony that these murders occurred in Orlando. Maybe it’s just me, but I was reminded that the magical central character played by Tilda Swinton in the movie Orlando transitions his gender, and Orlando, Florida, USA, the home of Disneyworld, is billed as the happiest place on earth.
Whether or not the tragic and horrific murder that occurred in the Pulse nightclub in Orlando on 12 June is a hate crime on the LGBT community, a terrorist attack by a radicalised individual, or both, is probably a matter of semantics. I can’t see why it can’t be both, but it is definitely something that will be skewed by various political agendas. Indeed, that started happening the following day!
Despite the fact that Omar Mateen wasn’t on shift at the time, the Orlando shootings are a security failure that has impacted the reputation of his employer. For G4S, Omar Mateen’s murderous attack in security risk terms seems like the classic nightmare – a ‘black swan’ event. The high consequence of this low likelihood event is that one of their 600,000 employees killed people en masse, with a resultant 5 percent fall in share price at the time of writing. With a market cap of almost $4 billion (USD), G4S’s value has decreased by $200 million as a result of this event. Whether or not it has long-term implications is not easily foreseeable.
There are increasing indications that Omar Mateen was unstable. His ex-wife apparently left him after four months, and an ex-colleague reported that he was prone to outbursts of anger. The FBI investigated Mateen as well, but they only seemed to be looking for signs that he had been radicalised, not for signs that he was psychologically unstable or had anger management issues. None of this seems to have triggered significant investigation by G4S.
This should be of significant concern to security professionals. Bloomberg reports Mateen was first recruited in 2007. On employment he apparently passed a psychometric test called the Minnesota Multiphasic Personality Inventory. He was apparently rescreened by his employer in 2013 and continued to work until his death. Mateen also held Florida state security and firearms licences. But somehow the indicators, which seem with hindsight to have been clear, that Mateen was no longer suitable for employment as a licensed armed security guard do not appear to have triggered internal ‘aftercare’ or due diligence processes.
More concerning is that this may be a systemic failing. In 2009, another employee of G4S, Danny Fitzsimons, killed two other staff in Iraq. One of them was an Australian, Daniel Hoar. In 2015, the UK Coroner’s inquest released its findings. Coroner Joanne Kearsley found that Fitzsimons’ employer did not make sure that he was adequately vetted before he killed his fellow employees. Coroner Kearsley reportedly said that the killing was ‘a defining moment globally in the security industry’.
Unfortunately, we may find that Coroner Kearsley’s words are equally applicable to the killings in Orlando.
In any case, these events provide significant food for thought for enterprise security professionals. Organisations do not sit in isolation; they are part of the society in which they operate, whether this is online or in the real world. Marketers tell us that their companies’ employees are “part of the community”, which is true, but this highlights the fact that there is not a hard perimeter for an organisation, if there ever was. It is an increasing expectation of our societies that organisations take care of the bodies and minds of the people that work for them. Organisational resilience comes from companies recognising this and truly caring, because in the end it affects the bottom line.
Have you ever wondered why on your electricity bill there is a representation of your household’s usage against the average 2, 3 or 4-person household telling you whether you are over or under? How does it make you feel?
The term behavioural economics has been around for maybe two decades. The marketing profession has been using the techniques it describes for even longer to get you to buy their brand. However, the use of behavioural economics as a tool for enterprise security is just emerging.
It is time for security professionals to start using these techniques to help protect organisations, and not just to influence people to buy a particular soap or car, or to follow a sporting code.
What is behavioural economics?
Behavioural economics looks at the relationship between the decisions that we make and the psychological and social factors that influence them. A significant amount of study in this area has been on people’s economic decisions, but the tools and techniques that have been tested can be applied in many other contexts.
Daniel Kahneman and his late research partner Amos Tversky are the two research psychologists most associated with behavioural economics. In 2002, Kahneman shared the Swedish Banker’s Prize in Economic Sciences in Memory of Alfred Nobel for this work. Kahneman’s 2011 book “Thinking Fast and Slow” explains many of the concepts in accessible terms. Kahneman and Tversky built on earlier studies that undermined an idea that now sounds quaint: the idea that humans act entirely rationally at the population or large group level. Yet this idea was at the heart of much classical economic thinking.
You might not think at first that this seems entirely related to enterprise security. However, if you consider that the premise of behavioural economics is that people do not always make decisions that are entirely rational, you’d probably see the connection! In addition, the ideas that small (and sometimes even intangible) incentives and disincentives can be used to guide individual actions on a large scale are also very important. It is this second aspect which is of greatest use to the enterprise security practitioner.
Behaviour is at the heart of enterprise security, because people are every organisation’s greatest asset and often also their greatest risk. At its simplest, the key aim of good enterprise security is ensuring that individuals are encouraged to make the right decisions that benefit their organisation.
Behavioural economics works by assuming that in many cases, people making the ‘wrong’ decision within an organisation do so because they have imperfect information or lack the right incentives or disincentives.
Psychologists have also found that people often exhibit a strong inclination to conform to social norms. The social norms change with the social groups that we participate in. Essentially, we often do things because our friends, colleagues, or those we admire, do. Our friends and colleagues provide us with informational social influence or social proof. In plain English, we like to follow our herd and keep up with the Joneses.
Curiously though, we seem to struggle more with changing our minds than with coming to a decision in the first place. The idea that when the facts change, people change their minds is a bit tricky for many. Relatedly, researchers from Harvard Business School have also claimed that we tend to think we are more moral than we actually are and inhabit an “ethical mirage”. This can mean there’s a disconnect between how we describe our decisions and how we actually behave. If we accept this somewhat unflattering portrait of human behaviour, it means that once we’ve made a decision, we tend to take a position that justifies our actions, whatever they were. And we want more justification to change our minds than we needed to come to the decision in the first place!
But what if we could get people to make the ‘right’ decision in the first place? Then they wouldn’t have to justify wrong decisions. This is where the research findings of behavioural economics are being tested at organisational and national scale.
Behavioural economics concepts are being applied at the public policy level by governments wanting to encourage certain behaviour without going to the expense of legislating compliance. It is expensive to make something illegal. Sometimes it is absolutely necessary (murder, for example), but society has to create enforcement systems, pay the enforcers, and then who watches the watchers? Some enlightened government agencies are dabbling with the use of behavioural economics to achieve high levels of compliance.
In the UK, and latterly also in Australia, the tax authorities have been attempting to use behavioural economics techniques. So-called ‘nudge units’ have been set up to coax people into doing their taxes by using social proof methods. Informing taxpayers who are late paying that “90% of people pay their taxes on time” increases the rate of taxpayer compliance. This achieves the policy objective of getting timely tax payments, but does it in a way that won’t generate negative headlines. This in turn allows the tax agency to focus on individuals who are intentionally breaking the law, rather than those doing so because life got in the way.
Another recent example has been the introduction of the “No Jab, No Pay” policy by the Australian Government where parents do not get all their family tax benefits unless they are willing to vaccinate their children. Rather than making it illegal for children to remain unvaccinated, the government has incentivised parents to vaccinate. This, added to significant social pressure from almost all the medical community, means that Australia’s childhood vaccination rates are generally very high and we see fewer distressing pictures of children with whooping cough around the country.
One interesting way that companies are using social proof is in encouraging households to save water and electricity. Increasingly, utility bills show householders where they stand in comparison to their suburb in terms of water or electricity use. The householder can then consider whether they want to moderate their behaviour. Literally keeping up with the Joneses!
Marketing firms use many behavioural economics techniques to encourage us to use particular products. Many of us take advantage of airline frequent flyer programs that give rewards for the flights taken by members. The extremely successful travel website Tripadvisor awards points to its website users for the travel reviews that they produce. However, Tripadvisor points have absolutely no dollar value. They are valuable to users only as social proof to that community that a member is a well-seasoned traveller. You may have realised that the majority of social media operates in a similar way.
Why should enterprise security professionals consider using behavioural economics in their organisation?
It is expensive and time consuming to maintain rules for the increasingly complex environment that organisations operate in. Rules are difficult to write well and often only work in limited circumstances. The more detail, the more exceptions need to be built. Quite often rules also create a culture where individuals only follow the letter, not the spirit of the rules. This can contribute to the creation of a workplace which is not adaptable and where security is blamed for the problems of the organisation.
This can lead to situations where workers sometimes choose to circumvent organisational rules in order to achieve local goals. A worker might shortcut a process to ensure that their team are able to complete it faster. The individual might rationalise this as being good for their company in that the job is completed faster and good for themselves in that they can go home earlier. However, the decision that they have rationally come to might be the ‘wrong’ decision from the perspective of their organisation. The shortcuts that have been introduced may decrease organisational security.
How do organisations change this? By changing the decision equation the worker faces when he or she makes that decision. This is very much the place of behavioural economics in enterprise security. Organisational messaging which demonstrates the social norms of the organisation from a security perspective is vital. So too are tools and procedures which endeavour, where possible, to make the secure decision the easiest one to make.
In many ways the decision is very much linked to the ‘security culture’ of the organisation. The security culture is effectively the customs and practices of the organisation for whom the individual works.
Organisations are increasingly moving to principles and risk based frameworks in many areas including security because they find the sheer complexity of business overwhelming otherwise. This was one of the main drivers for the creation of the Australian Government’s Protective Security Policy Framework. The PSPF tries to get government agencies to focus on their security outcomes, rather than on process.
Enterprise security professionals should be asking where they can apply these behavioural economics techniques in their organisations. The possibilities are varied and many, but one financial institution has used behavioural economics to give nudges to staff regarding personnel security. In one case, it improved staff reporting of changes of circumstances by giving them the simple message that “most people in our organisation report their change of personal circumstances within four weeks”.
In the government space, there has been debate about whether it is possible to create an ‘information classification market’ which balances the need to classify information appropriately against the costs to the organisation of over-classification, in terms of long-term storage and devaluation of security markings. Such a market could work by incentivising managers to ensure that staff were classifying information as accurately as possible. As always, the trick would be to ensure that the incentives matched the risk profile of the organisation.
Every organisation is different and so are the opportunities for using these techniques to improve your enterprise security.
How do organisations develop resilience in the complex environment that is the 21st century information-centric world?
The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.
Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!
Complex Organisations in the 21st Century
The opportunities posed by increased information flows are enormous
Information is being gathered, stored and manipulated in larger quantities at higher speeds, and analysed in more detail, by organisations and society. They aim to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex, and to develop more complex systems and processes to support their organisational models.
The threats are also enormous
But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.
Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information is being passed to the places that need it. The organisational strategy is a delicate balancing act!
Survival and resilience
Why do organisations fail? Organisations are by definition self-organising systems. However, when a self-organising system loses the capacity to self-organise, it is dead. Broadly, the story is similar for each one: the organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’.
However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons:
– They have the resources (capital, personnel, leadership, etc.) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
– They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.
It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.
ICT is a two-edged sword in the quest for resilience
As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure, and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility.
Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?
Possibly, though it is more the issue of complexity. There are a number of other factors:
Speed of change
The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.
Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold War, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective: no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternative to the Mutually Assured Destruction (MAD) that nuclear weapons threatened for the USA and Russia during the Cold War.
However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.
Everyone’s your neighbour
Because everyone is connected. Organisations can get closer to their customers and suppliers via the Internet. At the same time criminals and competitors are able to get closer to their target organisations as well.
Some organisations have been struggling. Sony Corporation is one of the most prominent, but it is by no means the only one.
Affecting organisational longevity?
The evidence seems to be showing that organisational longevity is being reduced by a number of factors, not least the ones I’ve written about above.
This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.
US corporations in the S&P 500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last century. On average, one S&P 500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, either due to
– declines in market value, e.g. Radio Shack’s stock no longer qualified in June 2011; or
– acquisition, e.g. National Semiconductor was bought by Texas Instruments in September 2011.
At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.
The flaws in simple risk
Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.
The overall risk that an organisation carries is greater than the sum of its parts.
It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:
– The organisational environment continues to change rapidly. This means that risk owners (i.e. company boards) have less time for consideration, and risk assessments need to adapt to the changing circumstances.
– Perception bias is a significant problem. Gardner talks about bounded rationality in risk; suffice to say we downplay the risk of things that we think we understand. Taleb argued in The Black Swan that people focus on the simple things they can understand.
– In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.
Different risk events
We see these issues playing out in different events that affect organisations, whether it is an acute event such as the
– Deepwater Horizon oil spill, which may yet cause BP’s demise but seems to have been caused by a failure in the relationship with its drilling contractor, Halliburton
– Target (USA) hack, which saw tens of millions of credit cards stolen due to weaknesses in service provider security
or a chronic failure, such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that its own researchers had discovered the technologies in the 1970s.
A resilient approach
Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile (Adapted from www.compete.org)
A ‘resilience approach’ does not ignore risk assessment and management; it builds upon them to address their weaknesses in dealing with unknowns (known and unknown) and perception bias. Particularly those ‘high consequence, low likelihood’ events – the black swans – that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but sit in the chronic, creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.
A resilience approach allows enterprises to put in place mechanisms to ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.
As the world becomes more complex and organisations become more complex themselves, a resilience approach is the only option.
The resilient organisation
– Develops organisational adaptability: a culture of making things work in spite of adversity. This creates a capacity to deal with adverse events, including the rapid onset of shocks. It also analyses whether improvements can be made out of any adversity.
– Looks for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.
– Tests systems to breaking point and beyond in the most realistic scenarios possible.
Resilience from Chaos (Monkey)
An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment, simulating the failure of different parts of their infrastructure. It is set to do this only during working hours, when engineers are around to respond. In this way, the system is tested in the best manner possible short of the real thing.
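As an added illustration (my own sketch, not Netflix’s Chaos Monkey code and not part of the original post), the Python below shows the safety rails such an agent needs before it is let loose on production: a working-hours window so that engineers are around to respond, an opt-out tag for instances that must not be touched, a rule never to take the last instance of a redundant group, and a seeded random source so a run can be reproduced. The instance names, the `web`/`db` group names and the `chaos=opt-out` tag are constructed assumptions, and `terminate()` records the decision rather than calling any cloud API.

```python
"""Chaos-agent sketch (added example; not Netflix's Chaos Monkey).
On each scheduling tick, decide whether to terminate one instance of a
redundant group, applying the safety rails a production agent needs.
SAMPLE_FLEET, the group names and the 'chaos' tag are constructed data;
terminate() records what would happen instead of calling a cloud API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import random


@dataclass
class Instance:
    instance_id: str
    group: str                      # redundant group, e.g. an auto-scaling group (assumed)
    tags: dict = field(default_factory=dict)


# Constructed sample fleet: three web nodes (one opted out) and a lone database node.
SAMPLE_FLEET = [
    Instance("i-web-1", "web"),
    Instance("i-web-2", "web"),
    Instance("i-web-3", "web", {"chaos": "opt-out"}),
    Instance("i-db-1", "db"),
]


def at(year, month, day, hour=0):
    """Small helper so callers can build timestamps without importing datetime."""
    return datetime(year, month, day, hour)


def seeded(seed):
    """Deterministic random source so a chaos run can be replayed exactly."""
    return random.Random(seed)


def in_working_hours(now, start_hour=9, end_hour=17):
    """Inject failures only Monday to Friday between start_hour and end_hour (local time),
    when engineers are around to respond."""
    return now.weekday() < 5 and start_hour <= now.hour < end_hour


def candidates(instances, group):
    """Members of the group that have not opted out via the (assumed) chaos=opt-out tag."""
    return [i for i in instances if i.group == group and i.tags.get("chaos") != "opt-out"]


def choose_victim(instances, group, now, rng, probability=0.1, min_survivors=1):
    """Return the Instance to terminate on this tick, or None.
    Rails: working hours only; honour opt-out; never leave fewer than
    min_survivors in the group; fire only with the configured probability."""
    if not in_working_hours(now):
        return None
    members = [i for i in instances if i.group == group]
    eligible = candidates(instances, group)
    if len(members) - 1 < min_survivors or not eligible:
        return None
    if rng.random() >= probability:
        return None
    return rng.choice(eligible)


def terminate(instance, now, log):
    """Stand-in for the real termination call: only records the decision."""
    log.append((now.isoformat(), instance.instance_id))
    return instance.instance_id


def simulate_day(instances, group, day, rng, probability=0.1, tick_minutes=60):
    """Run one calendar day of ticks against a copy of the fleet, removing each
    victim as it is terminated, and return the log of (time, instance_id)."""
    fleet = list(instances)
    log = []
    now = datetime(day.year, day.month, day.day)
    for _ in range(24 * 60 // tick_minutes):
        victim = choose_victim(fleet, group, now, rng, probability)
        if victim is not None:
            terminate(victim, now, log)
            fleet.remove(victim)
        now += timedelta(minutes=tick_minutes)
    return log


if __name__ == "__main__":
    # Monday 2 March 2015, aggressive 50% per-tick probability for illustration.
    for when, victim in simulate_day(SAMPLE_FLEET, "web", at(2015, 3, 2), seeded(42), 0.5):
        print(f"{when}: would terminate {victim}")
```

Run against the sample fleet, the simulation never takes more than two web nodes in a day: the opted-out node is skipped and the `min_survivors` rail stops the agent once only one member remains. In a real deployment the auto-scaling layer would replace each terminated node, which is exactly the recovery the exercise is meant to prove.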
This post is based on a presentation I gave in Singapore. Here are my slides.
Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.
That’s why Alex Webling has accepted a nomination to join the Australian Standards Committee for Security Standards and to join the Australian Delegation to ISO TC292, Morioka, Japan in March 2015.
We congratulate Alex on this recognition of his security knowledge and expertise particularly in the areas of enterprise security and resilience and his work in the Australasian Council of Security Professionals and its successor, Security Professionals Australasia.
The Technical Committee will have the following provisional title and scope:
Scope: Standardization in the field of security, including but not limited to general security management, business continuity management, resilience and emergency management, fraud countermeasures and controls, security services, homeland security.
Excluded: Sector specific security projects developed in other relevant ISO committees and standards developed in ISO/TC 262 and ISO/PC 278.
The committee’s temporary structure covers the following areas:
ISO/TC 223/WG 1 – Framework standard on societal security management
ISO/TC 223/WG 2 – Terminology
ISO/TC 223/WG 3 – Emergency management
ISO/TC 223/WG 4 – Resilience and continuity
ISO/TC 223/WG 6 – Mass evacuation
ISO/TC 223/AHG – Professional development
ISO/TC 223/AHG – Information exchange
ISO/TC 223/AHG – Continuity management
ISO/TC 223/AHG – Revision of ISO 22320
ISO/TC 223 TF – Task force on strategic dialogue
ISO/TC 223/AHG 4 – Communication group
ISO/TC 223 DCCG, Developing countries contact group
ISO/TC 247/WG 1 – MSS for security assurance
ISO/TC 247/WG 2 – Terminology
ISO/TC 247/WG 3 – Guidelines for interoperable object and related authentication systems to deter counterfeiting and illicit trade
ISO/TC 247/WG 4 – Product Fraud Countermeasures and Controls
ISO/TC 247/WG 5 – Document Fraud Countermeasures and Controls
ISO/PC 284/WG 1 – Management system for private security operations – Requirements with guidance
The best indicators of the future are the events of the past, yet the past is not an absolute indicator of future events. Outlier events are becoming more common and threatening the existence of organisations – is enterprise risk management to be thrown out?
The vast majority of organisations that have ever existed are not around today. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.
The few that survive broadly did so for two reasons, which Alex Webling, Treasurer of the Australasian Council of Security Professionals will discuss with examples at ASIS Asia Pacific 2014 in Singapore.
I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Research carried out on Fortune 500 companies in the USA showed that the rate of turnover of large organisations is accelerating. The average tenure has fallen from around 35 years in 1965 to around 15 years in 1995.
Alex has talked about this topic before and will be expanding on his observations and research with conference participants about how they might assist their organisational longevity.
Resilience for organisations is bound to their adaptability to climate change both in the short and long term.
A review of US public companies shows a number of climate related risks and costs. Their ability to adapt and become resilient to climate change is starting to affect their finances.
The report, from CDP, which collects environmental performance information on behalf of investors, reveals that US S&P 500 companies are seeing climate change related risks increase in urgency, likelihood and frequency, with many describing significant impacts already affecting their business operations.
Threats include damage to facilities, reduced product demand, lost productivity and necessitated write-offs. The impact of these threats being realised comes with costs that can reach millions of dollars.
Importantly, the proximity of the threat is quite near. 45% of the risks S&P 500 companies face from extreme weather and climate changes are current, or expected to fall within the next one-to-five years, up from 26% just three years ago. 50% of these risks range from “more likely than not” to “virtually certain”. This is up from 34% three years ago.
Around 60 companies describe the current and potential future risks and their associated costs in the research, which highlights excerpts from the companies’ disclosures to their investors between 2011 and 2013. Ironically, even News Corp made the following contribution to the report.
“Climate projection models make it difficult to know exactly how business might be impacted by episodic weather events. However, it is clear from past severe weather events that some of News Corporation’s businesses are susceptible to such extreme weather.”(p6)
The media release accompanying the report asserts that:
Dealing with climate change is now a cost of doing business
Making investments in climate change related resilience planning both in their own operations and in the supply chain has become crucial for all corporations to manage this increasing risk.
Resilience Outcomes has the skills and expertise to help your organisation develop its organisational resilience strategy, taking into account how it will adapt to the changing environment. Contact us via the form below or at [email protected] to discuss your needs.
CDP is an international, not-for-profit organisation providing the only global system for companies and cities to measure, disclose, manage and share vital environmental information. We work with market forces to motivate companies to disclose their impacts on the environment and natural resources and take action to reduce them.
One of the most important aspects of resilience in the information age is understanding the environment in which we exist. Resilience is adaptability in a changing environment, the more we understand that change, the less painful it is. Here are a few current issues that might help your cyber resilience.
Cyber Security Summit – Stanford November 2013
In the shadow of the Snowden revelations about the US and UK, security experts and leaders from more than 40 countries have been at Stanford University in California, USA for a gathering on cyber security.
If you have a sense of irony, you may have listened to the debate on Syria and compared that to the NSA / Snowden / Internet debate.
– US Secretary of State John Kerry has recently made broad and I think reasonable statements saying that President Assad had lost the moral authority to rule Syria.
– However, that same test can be made against the USA: the USA has lost its moral authority to control the Internet through the activities of the NSA and other government agencies.
The full text of Secretary Kerry’s Syria speech can be found here via usembassy.gov. Of course, although the USA is the biggest culprit here, the UK, Canada, Australia and NZ have all been shown up.
China was prominently represented at the conference. The Minister of the State Council Information Office spoke about China’s problems. In his speech Cai Mingzhao said that in the first six months of 2013, 20,000 websites were hacked and 8 million servers compromised. According to the Minister, this indicated a rise of 14% year on year.
It is good to read that Scott Charney, formerly of the US Department of Justice and currently Microsoft VP for privacy and security, is publicly calling for the US to disclose more about what it collects and what happens to that data. Few sensible people disagree that the US and its allies should use maximum efforts against terrorists.
The US has lost support because it has strayed away from its stated goal of combating terrorists and towards industrial espionage, and has employed tactics which compromise the majority in the pursuit of this goal, such as the backdooring of encryption algorithms.
In other news
The Canadian Office of the Superintendent of Financial Institutions (OSFI) has released a ‘Cyber-Security Self Assessment Guidance’ for Canadian financial institutions, which provides some good advice to any organisation looking for a template to help them.
Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for financial institutions to control and manage cyber security risk nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”
Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Of course if you’re a Canadian bank trying to do business in the US..
I can just imagine it – “Our little Johnny fixes our firewall whilst we sit him on the potty...” But seriously, keeping kids safe online is of course important, in the same way as keeping them safe in the real world, but maybe they should learn to read first.
News that the New York Times was hacked by the Syrian Electronic Army is interesting not because the NYT was hacked by the group, but because of the method of gaining access.
According to this article, information security at the NYT fell over because they forgot that cyber-security doesn’t stop at the perimeter. It would seem that Melbourne IT, an Australian hosting company for both Twitter and the NYT, was breached. This allowed the Syrian Electronic Army to gain access to the DNS records of domains owned by Twitter and the NYT, which they then proceeded to change.
A number of quick conclusions
This was a well planned attack that almost certainly took some time to conceive, research and operationalise.
You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often it’s the same people, e.g. the NSA.
80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
In this hack, a variety of methods seem to have been used, including phishing and attacking the DNS servers via privilege escalation.
Cyber-security requires expertise in managing information and risk and in developing resilient organisational frameworks, something that is often forgotten.
Everybody is your neighbour on the Internet, the good guys and the bad.
Cyber-security practitioners need to consider the risks to the high-value systems they are protecting that come from connected suppliers and customers.
This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.
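A defender’s check that follows from the registrar-level DNS hijack above and from the advice to assume a breach and detect it quickly. This is an added example for this page, not code from the article or from the NYT / Melbourne IT incident: it compares a trusted baseline of a domain’s public records against a fresh snapshot and raises alerts ordered by how much traffic a change would redirect. The domain, nameserver names and IP addresses are constructed sample values (RFC 5737 documentation ranges and reserved names); in practice the observed set would be filled from queries to the authoritative servers or from your provider’s control panel.

```python
"""DNS record drift detector (added example, not from the original article).

A record is a (name, type, value) triple. Baseline records are the ones you
published on purpose; observed records are what the world currently sees.
Any difference is a candidate sign that the zone was changed behind your back.
"""
from dataclasses import dataclass

# Rough impact of each record type being altered: NS/SOA hand the whole zone
# to someone else, A/AAAA/CNAME/MX redirect web or mail, TXT mostly affects
# mail policy (SPF/DMARC). Unknown types default to "low".
SEVERITY = {"NS": "critical", "SOA": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "MX": "high", "TXT": "medium"}
_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def normalise(records):
    """Group records as {(name, type): frozenset(values)}.

    Owner names and hostname-valued records are lower-cased and lose their
    trailing dot so that cosmetic differences between two data sources do not
    raise false alerts; IP addresses and TXT strings are compared verbatim.
    """
    grouped = {}
    for name, rtype, value in records:
        rtype = rtype.upper()
        value = value.strip()
        if rtype in ("NS", "CNAME", "MX", "SOA"):
            value = value.lower().rstrip(".")
        key = (name.lower().rstrip("."), rtype)
        grouped.setdefault(key, set()).add(value)
    return {k: frozenset(v) for k, v in grouped.items()}


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    severity: str
    added: tuple      # values present now but not in the baseline
    removed: tuple    # values in the baseline that have disappeared


def detect_dns_drift(baseline, observed):
    """Return a list of Alert objects, most severe first, empty if nothing moved."""
    base, obs = normalise(baseline), normalise(observed)
    alerts = []
    for key in set(base) | set(obs):
        before, now = base.get(key, frozenset()), obs.get(key, frozenset())
        if before == now:
            continue
        name, rtype = key
        alerts.append(Alert(name, rtype, SEVERITY.get(rtype, "low"),
                            tuple(sorted(now - before)), tuple(sorted(before - now))))
    alerts.sort(key=lambda a: (_ORDER[a.severity], a.name, a.rtype))
    return alerts


# Constructed sample data: what the zone should look like ...
BASELINE = [
    ("example.com.", "NS", "ns1.example-dns.net."),
    ("example.com.", "NS", "ns2.example-dns.net."),
    ("example.com.", "A", "203.0.113.10"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
]
# ... and a constructed snapshot in which the nameservers and web address have
# been repointed, while the MX differs only in case and trailing dot.
OBSERVED = [
    ("EXAMPLE.COM", "NS", "ns1.hijacked-dns.invalid"),
    ("EXAMPLE.COM", "NS", "ns2.hijacked-dns.invalid"),
    ("example.com", "A", "198.51.100.77"),
    ("example.com", "MX", "10 MAIL.example.com"),
    ("example.com", "TXT", "v=spf1 mx -all"),
]

if __name__ == "__main__":
    for a in detect_dns_drift(BASELINE, OBSERVED):
        print(f"[{a.severity.upper()}] {a.name} {a.rtype}: "
              f"removed={a.removed} added={a.added}")
```

Run on the constructed data this reports two alerts, the NS change first as critical and the A change as high; the MX record produces nothing because normalisation treats `MAIL.example.com` and `mail.example.com.` as the same value. The useful part for a small team is the ordering: a nameserver change means the attacker now answers every query for the zone, so it should page someone, whereas a TXT change can wait for the next business hour. Run the comparison from outside your own network, since a compromised provider can serve you and the public different answers.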
A biological approach to organisational resilience
By a lapsed microbiologist
“Organisational resilience is only achievable through adaptability”
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past, it is also true that the past is not an absolute indicator of future events, because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations? The answer is resilience, and at the core of resilience is adaptability.
The lesson from biology is that it is adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.
The same is true for organisations.
The vast majority of organisations that have ever existed are not around today.
In simple terms the story is the same for each failed organisation: they were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for one of two reasons:
1. They have the resources (capital, personnel, leadership etc.) to manage themselves out of a crisis once it hits, emerging weaker but alive; or
2. They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.
By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (MySpace anyone?). Sometimes, however, the first crisis weakens them, but they then become more resilient and bounce back to ride future crises.
This is an era of organisational accelerated extinction
What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.
I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.
Research carried out on Fortune 500 companies in the USA shows that the average rate of turnover of large organisations is accelerating. The average tenure has reduced from around 35 years in 1965 to around 15 years in 1995.
If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.
So give me the recipe!
Bad news: there isn’t a hard recipe for a resilient organisation, just as there isn’t one for a successful company. But they all seem to share some common attributes, among them agility, the ability to recover quickly from an event, an awareness of their changing environment and the willingness to evolve with it. This is difficult for a number of reasons.
1. Increasing connectedness – interdependencies lead to increasing brittleness of society and organisations (just-in-time process management is one example), and risks may, in rare instances, become highly correlated even if they have shown independence in the past.
2. Increasing speed of communication forces speedier decision making.
3. Increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers.
4. Biology – organisations operate with an optimism bias. Almost all humans are more optimistic about their future than is statistically possible. We plan for a future which is better than it will be and do not recognise the chances of outlier events correctly. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
5. Organisational inertia – the difficulty of changing organisational culture to adapt to a change in the environment.
Something about organisational culture and resilience
When discussing culture, resilience is more an organisational management strategy and less a security protocol. In this sense, resilience is the ‘why’ to change management’s ‘how’. But both are focused on organisational culture.
Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.
Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150 staff have a mix of cultures.
The more successful an organisation has been in the past, the more difficult (through inertia) it will be to make change, and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox’ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.
Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880–2007), Kodak failed to make the transition to digital and away from film as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera, thus sowing the seeds of the company’s doom forty years later.
Where does my organisation start on the path?
So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.
It is a combination of many things:
– developing an organisational culture which recognises these attributes and which is supported and facilitated from the top of the organisation;
– partnering with other organisations to increase their knowledge and reach when an event comes; and
– lastly, engaging in the debate and learning about best practices.
Are there two sorts of resilience?
But is resilience just one set of behaviours, or several? When we think of resilient organisations and communities, our minds tend to go to the brave community, people or organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events, Brisbane after the floods in 2011, and the Asian Tsunami in 2004.
However there is another set of actions, which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.
Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.
How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.
If you wish to discuss any of the issues in this whitepaper, please contact us.
Note: the word dinosaur is directly translated as ‘terrible lizard’.