In Cyber: Resilience is about Capabilities, not Plans
Updated: Jul 8, 2022

EXPERT PERSPECTIVE — In the two years since I wrote the first version of this post, we have had plenty of opportunity to test our collective resilience: a global pandemic, the under- and over-reactions to it, and the knock-on effects of those reactions that we also had to absorb; weather and seismic events; kinetic and cyber conflict; supply chain disruption; economic pressure; and rising levels of disruptive and destructive crime. We will keep being tested, and nobody knows what the coming months and quarters hold.
Despite some bumps along the way, I think it is fair to say the world has shown a lot of resilience in the face of all this. Governments, organizations, and individuals have coped remarkably well. They adapted, and much of that adaptation was not executed according to a plan but came from inherent adaptability built on capabilities established over time. For example, I know many organizations that moved confidently into remote work during the pandemic not because they had an explicit, documented plan for it, but because they had invested in the pervasive capability to support 100% continuous remote work for their entire workforce and had regularly tested that capability. This illustrates the broader point: a portfolio of capabilities that can be assembled in response to any event, combined with the organizational muscle memory to be flexible, beats binders full of detailed plans and procedures for specific events, however comprehensive those binders are. Such operational resilience is vital, so let us step back and look at why the right focus is resilience as capabilities, not plans.
Resilience can be thought of as the ability to absorb shocks, adjust as needed, and continue operating in the face of adversity: in other words, to meet your obligations no matter what is thrown at you, perhaps with some graceful degradation of specific service levels. It is not simply the ability to deflect, avoid, or prevent events. Events in this context span all business and technology risk domains, slow-moving or fast-moving, from cyber incidents to pandemics. A common mistake is to assume that resilience can be obtained simply by writing comprehensive plans and procedures describing what to do and how to respond to specific events. When someone thinks of a new event or scenario, a new plan is written and carefully filed away in a Big Book of Plans, until eventually there is a whole shelf (or its virtual equivalent) of them. Sometimes the plans are even tested to see whether they actually work. When facing the reality of actual events, this approach has three major problems:
In an actual crisis, adrenaline-fueled people are unlikely to take the time to consult large manuals to find out what to do.
Most crises and significant events are unique; even if you consulted the plans, it would take a lot of effort to contort them to fit the specific situation you are facing.
Not all plans can be tested frequently, so the underlying means (people, process, technology) of carrying out the actions in those plans may not have been sufficiently maintained, and the deficiency may only become visible when the plan is most needed.
The answer to these problems is deceptively simple but profoundly effective: focus on capabilities, not plans. Established capabilities are combined and put to use at the time of need by a trained workforce to deal with whatever event is thrown at them. The capabilities themselves are constantly maintained and tested independently of crisis or event drills; the drills then focus on building crisis-response muscle memory across the organization. I have seen many organizations shift to this approach and become immensely more resilient for it, and those that operated this way before the past two years of resiliency challenges have coped superlatively relative to competitors that had not. More specifically, general resilience comes from the following:
Baseline Capabilities. A set of people, process, and technology capabilities that are maintained to defined service levels and continuously monitored to confirm they can meet those service levels. Examples: remote access services able to support your entire workforce connected simultaneously; dispersed physical offices and back-up sites; pre-negotiated contracts to expand office space or add temporary locations; employee wellness and medical support; dispersed technology delivery; tested burst capacity; distributed voice and video communications, including the ability to use them securely on non-corporate devices; and critical business operations pre-dispersed across disparate locations or regions.
Use the Capabilities. Run day-to-day business on these capabilities as much as you can, so that their correct operation is assured by constant use. Where you cannot, test them regularly against defined service levels. Example: if your crisis communications technologies are not the ones people use every day, they are unlikely to be used successfully in a crisis. Prefer inherently resilient and survivable communications approaches for everyday use; if you do need something entirely separate for crises, use it regularly across your whole population, for instance by holding staff meetings on the back-up communications system.
Capacity. Understand the capacity constraints of your capabilities, and if you cannot economically run with excess capacity, regularly test your ability to ramp up quickly.
Scenario Catalogs. Develop a scenario catalog that can be used to assess whether your capabilities have the means to respond to and operate well in such a scenario. Pick scenarios that exercise the whole spectrum of t