Never did I think my living room would be wall to wall air mattresses accommodating friends whose houses had burned down. Never did I think this apocalyptic tragedy would be complicated even more by clients hitting a sheer state of panic because their businesses were at risk. While trying to manage all of this from the office at home, the power kept getting disconnected for varying periods. Luckily, I had several layers of redundancy to stay connected. The thawing meats that wouldn’t fit into the RV fridge forced us to make and eat soups, supplemented by pizza. We had hot water since the gas was on, but the thermostat requires electricity as does lighting, so we all rotated hot showers with flashlights in the cold. Moving out of the uneasy space became a force of consciousness; I kept reminding myself that fires do not burn the seeds that are in the ground. I know there is inevitably a bright future ahead. Insurmountable recovery efforts will be starting soon, with the Olympics as a golden target, just a few short years away.
Not to minimize so many that have lost so much, but this article will focus on the business aspect of maintaining continuity in a crisis situation. These are the items that so many of us thought were definitely in place as part of our DR/BCP tabletops. For some companies, getting to the instructions meant rummaging through the drawers and dusting off the binders. Or maybe finding that email that had the folder link for that magical pdf you think you remember getting a few years back from that one consultant, gosh what was that guy’s name. It would have been nice had there been enough time to find it all.
Yes, our businesses and jobs are our livelihoods. Many times, our identity, possibly our sense of pride, or even what causes angst, is attributed to our work. We will cover the business components after addressing the people first. Prioritizing people starts with simply knowing where they are and knowing that you’ve instilled in them expected behaviour patterns. Having a count for virtual and/or in-person workers reduces panic and lowers concern. If you believe that checking in with workers is a supervisory function, make sure your supervisors know this is expected of them. Instructions, drills, and reiterating expectations are critical here. This is not a back-shelf, dust-covered napkin scribble, rather an actively exercised methodology that’s part of everyday company awareness. Solutions here may include emergency contacts being housed separately from main buildings, knowing how to use a land-line rotary phone (don’t laugh, many have no idea how to do this), and having access to alternate communication methods and/or accounts. Putting political positioning aside, much of the coverage and connectivity the rest of the world received was made possible by Starlink, since many cell towers burned. Starlink is providing one month of connectivity free. The plan your company comes up with must be collaborative across departments and, when done right, is not limited to an IT-specific incident command hotline. It’s most important to drill, drill, and then drill the execution of your plan, followed by another drill. Regardless of what you call it, training, or tabletop exercises, or a drill, it must be done.
In conversations with our clients during the fires, we heard complaints that they didn’t know whether their workers had survived. There was panic and concern. We reassured them that their workers must just be looking for housing and were probably fine, but those were pacifying statements based on, well, nothing. As the days progressed, it became clear that the workers had no idea they had to notify anyone at work of their wellbeing. After all, everyone knew that LA was on fire. On the flip side, companies didn’t know who they were missing, so they didn’t reach out. It was a complete disconnect amplified by lacking communications. As expected in a time of crisis, everyone was paralyzed with disbelief. This is why templatized communications and headcounts must always be at the ready. Prepare both internal and external communications as part of your normal operations, in advance of an emergency. Internal communications can be department, role, or function specific, depending on your audience. External communications can target varying recipients such as vendors or clients. Make sure that the person who needs to be contacted at your company is identified in your outbound message, and that this contact person knows what kind of conversation to have when contacted. These may be questions about injuries or needed support.
We did have an overachieving client that had an emergency communication template at the ready and had one person assigned to receiving calls from workers. Your company may require more than one person. The other aspect working in this client’s favor is that they’d trained their workers on the necessity of providing notice of where they are in case of an emergency. This created a well-paved two-way road that removed guesswork, assumptions, panic, and fear. The client with a plan knew where everyone was, and their status, within hours, compared to other clients who were hoping and guessing days later.
Now to the business of the business. Just like we need to know where our workers are, we need to know where our golden eggs are. For one client, the golden eggs are vials of life-saving medicine that need to remain frozen. Another client maintains a warehouse that is a critical component of a supply chain workflow. Potentially, your golden eggs support national infrastructure. Many of our clients consider their golden eggs to be data. Applying data classification principles identifies which data, or which inventory, is the most important, so that proper protections can be built around it. For those that choose to hoard data and waste money on absurdities like encrypting publicly available data: stop. The bigger your dataset, the more risk you have in accounting for it, for many reasons: too many vendors, too many backups all over the place, too many APIs that haven’t been maintained, too many admins, too many tools to rely on, and too many more examples. Many in the IT space say that it’s impossible for every ticket to be a top priority; by the same adage, not all data is top priority. Without classifying your golden eggs it’s impossible to prioritize recoverability efforts, because the entirety of the data may be too heavy a lift.
Data retention and protection work best when data purposefulness and minimization principles are aligned to your actual company operations. The following all depend on data classification: retention, destruction, encryption, access controls (logical, physical, and API), and of course recovery. If backing up and recovering golden-egg data looks exactly the same as backing up and recovering publicly available data, there are some definite efficiency opportunities.
There were two very distinct differences in our clients and how they handled this emergency. The clients who had too much data spread across too many vendors didn’t know where to start: assessing whether they had lost any data, finding the most recent backup timestamp, or working out what data was really involved. And they couldn’t believe that one guy from IT forgot to update the recurrence before he went on vacation a few weeks ago. I heard too many stories about that darn lady from legal who didn’t know where the current version of the vendor contract was, the one with the phone number absolutely everyone needed, despite the IT Director thinking he remembered seeing something about data backup in it when it was signed a few years ago.
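The two preceding paragraphs argue that classification should drive retention, encryption and recovery priority, and the story above turns on a backup recurrence nobody updated. The Python below is an added example (not code from the article or from Klever Compliance) of what that looks like when written down: a small asset register whose tiers carry a backup-age limit, an encryption requirement and a recovery priority, plus a check that flags stale backups, unencrypted golden eggs and protection spent on public data. The tier names, policy values, vendor names and the whole inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed classification tiers and policy values; the article names no specific
# tiers or intervals. max_backup_age is the oldest a tier's newest successful
# backup may be before recovery is at risk (in effect a recovery point objective).
TIER_POLICY = {
    "golden_egg": {"max_backup_age": timedelta(hours=4), "encrypt": True,  "priority": 0},
    "internal":   {"max_backup_age": timedelta(days=1),  "encrypt": True,  "priority": 1},
    "public":     {"max_backup_age": timedelta(days=7),  "encrypt": False, "priority": 2},
}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str              # key into TIER_POLICY
    vendor: str            # where this copy actually lives
    encrypted: bool        # stored copy is encrypted at rest
    last_backup: datetime  # newest successful backup, UTC


@dataclass(frozen=True)
class Finding:
    asset: str
    kind: str    # "stale_backup" | "unencrypted" | "over_protected"
    detail: str


def recovery_order(assets):
    """Asset names in the order recovery effort should be spent: golden eggs first."""
    ranked = sorted(assets, key=lambda a: (TIER_POLICY[a.tier]["priority"], a.name))
    return [a.name for a in ranked]


def assess(assets, now):
    """Compare each asset's actual protection with what its tier demands."""
    findings = []
    for a in assets:
        policy = TIER_POLICY[a.tier]
        age = now - a.last_backup
        if age > policy["max_backup_age"]:
            findings.append(Finding(a.name, "stale_backup",
                                    f"newest backup is {age} old, limit is {policy['max_backup_age']}"))
        if policy["encrypt"] and not a.encrypted:
            findings.append(Finding(a.name, "unencrypted", "tier requires encryption at rest"))
        if not policy["encrypt"] and a.encrypted:
            findings.append(Finding(a.name, "over_protected",
                                    "public data; encryption spend buys nothing here"))
    return findings


def vendors_holding(assets, tier):
    """Which vendors hold copies of a tier: the 'too many vendors' question."""
    return sorted({a.vendor for a in assets if a.tier == tier})


# Constructed sample inventory (not real assets or vendors). The second golden egg
# mirrors the story of a backup recurrence that nobody updated before a vacation.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("cold-chain-inventory-db", "golden_egg", "vendor-a", True, NOW - timedelta(hours=1)),
    Asset("customer-contracts", "golden_egg", "vendor-b", True, NOW - timedelta(days=21)),
    Asset("hr-handbook", "internal", "vendor-a", False, NOW - timedelta(hours=6)),
    Asset("marketing-site", "public", "vendor-c", True, NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    print("recover in this order:", recovery_order(SAMPLE_ASSETS))
    print("golden eggs held by:", vendors_holding(SAMPLE_ASSETS, "golden_egg"))
    for f in assess(SAMPLE_ASSETS, NOW):
        print(f"[{f.kind}] {f.asset}: {f.detail}")
```

Run against the sample, it reports the three-week-old contracts backup as stale, the unencrypted internal handbook, and the encrypted marketing site as spend that buys nothing, and it tells you which vendors you would be calling for the golden eggs. The point is that none of those answers exist until the tier is recorded next to the asset.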
As a general rule, most clients’ DR/BCP documents were weak. Some were so weak they were literally empty templates. Interestingly, they were marked as ‘done’ because they appeared in the GRC folder. Apparently everyone in the chain chose not to interact with these documents: not the role that was supposed to write them, nor review them, nor approve them, nor use them to conduct a drill. The lack of these instructions really only hurts the company itself. We need to force ourselves to stop and think about what these documents are really for, and it isn’t the auditors with their checklists. They are instructions for our people, our workers, our colleagues, our own folks, who just want to make it better and fix it. Just like the emergency communication templates, which need to be created when there is no emergency, we have to document the instructions our people will need to follow while they are in one. There are countless sources of frameworks, best practices, approaches, recommendations and methodologies that can be followed when establishing DR/BCPs. If you don’t want to do it yourself, hire someone.
Make sure your program aligns to your actual operations; otherwise it cannot be followed and is basically irrelevant. This means do not take those endless rows of vague controls and wrap non-existent processes around them just to mark a policy complete, feeding our industry’s checkbox compliance madness. Another important element to consider if you are using templates is removing words that express ethereal timing or promises, such as: occasionally, periodically, frequently, sometimes, and shall. Instructions must be able to be followed exactly, because someone in a panic may not be able to decipher what “frequently” means. Is it every five minutes? Fifteen minutes? One hour? Tomorrow? Be exact.
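As an added illustration (not code from the article or from Klever Compliance), the Python below scans a DR/BCP document for the vague timing and promise words the paragraph lists and reports each one with its line number and the rewrite to make. The words beyond the article’s own five examples, the suggested rewrites and the sample plan text are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# The article's own examples (occasionally, periodically, frequently, sometimes,
# shall) plus a few common siblings added here as assumptions. Each maps to the
# rewrite a reviewer should ask for.
VAGUE_TERMS = {
    "occasionally": "replace with an exact interval, e.g. 'every 15 minutes'",
    "periodically": "replace with an exact interval, e.g. 'every 15 minutes'",
    "frequently":   "replace with an exact interval, e.g. 'every 15 minutes'",
    "sometimes":    "state the exact condition that triggers the step",
    "shall":        "name the role and the action in plain present tense",
    "regularly":    "replace with an exact interval",
    "promptly":     "replace with a deadline, e.g. 'within 30 minutes'",
    "timely":       "replace with a deadline, e.g. 'within 30 minutes'",
    "as needed":    "state the exact condition that triggers the step",
}

# A single alternation so finditer returns hits left to right within a line.
VAGUE_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(t) for t in VAGUE_TERMS) + r")\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int         # 1-based line number in the plan
    term: str         # the vague word, lower-cased
    suggestion: str   # what to write instead
    text: str         # the offending line, for the reviewer


def lint(plan_text):
    """Return one Finding per vague term, in document order."""
    findings = []
    for line_no, line in enumerate(plan_text.splitlines(), start=1):
        for m in VAGUE_PATTERN.finditer(line):
            term = m.group(1).lower()
            findings.append(Finding(line_no, term, VAGUE_TERMS[term], line.strip()))
    return findings


def is_followable(plan_text):
    """True when no step leaves timing or ownership to the reader's guess."""
    return not lint(plan_text)


# Constructed sample plan; line 3 is the only step written the way the article asks.
SAMPLE_PLAN = """\
1. The on-call lead shall periodically check the status page.
2. Backups are verified frequently.
3. The communications owner calls each department head within 30 minutes of activation.
4. Update the vendor contact list as needed.
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_PLAN):
        print(f"line {f.line}: '{f.term}' -> {f.suggestion}\n    {f.text}")
    print("followable:", is_followable(SAMPLE_PLAN))
```

Running it on the sample flags lines 1, 2 and 4 and passes line 3, which names a role, an action and a deadline. Run it over a template before it is filed as ‘done’; a plan that comes back clean still needs a drill, but at least nobody will be asking what “frequently” means during one.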
I’m compelled to insert some thoughts about tools. In short, many companies are drowning in them. Expecting our staff to come in and swivel-chair between 3, or 5, or 7 platforms is absurd and contributes to cybersecurity burnout. Not only do we have too many platforms, but they are all sending emails too, creating yet another input of work to keep track of. Many of these platforms rely on the same source data for alerting; they just have different UIs. We have confused our environments unnecessarily, making it impossible to prioritize effectively. Even on a good day, trying to look at multiple sources simultaneously, while focusing on one and keeping the others updated, is just unnecessary busywork.
During the fires, the abundance of tools directly prevented focus and made it harder to determine what was important. The panic, combined with multiple unprioritized inputs, simply froze people because they had no instructions. The spin caused by too many tools erased the ability to enact basic DR/BCP principles such as risk management decisions, isolating impacted areas, bringing up alternate sites, and suspending access; people were stuck trying to figure out which tool was telling which part of the story and were completely overwhelmed. They had no idea where to start or what to do because no one had explained their role in case of an emergency. Unless there is a high level of maturity, related competency areas such as change management don’t even have impact assessments aligned to business functions. In the middle of the madness, we had to calm clients down and walk up the stack to gain a better understanding of potentially impacted departments and lines of business.
Yes, there were clients that had plans. Even for them we found holes, although these were significantly less impactful to the business since the basics were covered. The frequent drills these clients conducted had reiterated what each person is accountable for when dealing with an emergency. Thankfully, they all remembered their targets and attacked them heads down, even in a panicky situation. These clients knew where their golden eggs were, were making decisions based on one source of truth, understood their priorities, had their workers and vendors accounted for, and were ready to make risk-based decisions on how to proceed while keeping operations intact. Their preparedness resulted in zero impact to their business, while the clients that were in disarray caused themselves agony. Some clients are still recovering from the panicky decisions that were made.
About the Author
Karina Klever is Chief Executive Officer of Klever Compliance. Karina has spent more than 35 years in technology, starting in 1989 as a computer operator. After programming and decades of project/program managing, compliance took a larger focus starting in the early 2000s. Karina would go on to establish GRC Centers of Excellence for Fortune 500 companies. Successes span industries, maturities, regulations, and frameworks. After years of witnessing compliance being implemented as nothing more than a checkbox exercise while leaving gaping security holes exposed, Karina opened her own boutique company to guide midsized companies into establishing governance programs that are appropriate for their particular industry, level of maturity, size, risk posture, and goals. Klever Compliance is on a mission to leverage appropriation and common sense across GRC Programs which results in better security and less unnecessary busywork.
Connect with Karina Klever www.linkedin.com/in/karinaklever. Follow Klever Compliance on LinkedIn https://www.linkedin.com/company/klevercompliance. Visit our website to understand our services https://www.klevercompliance.com/. Recordings of many past events, available for playback at your convenience, are available on our events page https://www.klevercompliance.com/events.