Groundhog Day is likely every CEO's least favorite movie, because it clearly conveys the message that sometimes change takes a long time and that you can’t truly move forward until you get things right.
Imagine that your a CEO of a major organization and security incident occurs where significant data has been stolen or sensitive customer information has been compromised. By itself, this would be a nightmare for any CEO. The organization will have to come clean about the attack. The company will have to notify customers of the loss of data (which will most likely result in some of them choosing not to do business with you in the future), the press will run with the story and sensationalize things. Potential customers may refuse to do business with you for fear of a breach of security impacting their organization. You may even be subject to additional fines, penalties, additional oversight etc. A bad day to be sure.
Now imagine that shortly after you have a breach of security, your IT staff tells you that things might not be over. They have detected additional attacks in other areas of the infrastructure. The press release from your first attack has announced to the world that you were not ready to handle an attack and a big neon sign has now been lit up telling every nefarious computer user that your organization is ill-prepared.
Attacks happens over and over again and despite the best efforts of your IT staff, attacks continue to happen. They are stuck in reactive mode, always responding to the next attack only after it has been detected. As a CEO, you would get pretty frustrated. After all, who really wants to keep having the same conversation about security incidents with the folks in IT only to issue another statement to shareholders and the press about yet another cyber related incident?
In the movie, the actor Bill Murray plays a meteorologist who is stuck in what seems to be a never-ending loop, repeating the same day again and again. Every morning he wakes to find the exact same people doing the exact same things. Each day, he tries to change different things only to find himself right back where he was the previous day. According to movie director Harold Ramis, this cycle repeats for for over 33 years in movie time. I don’t know about you, but to me 33 years seems like a little more time than I am will able to spend to figure how to improve my organization to address one obstacle.
The Office of Personnel Management recently had a Groundhog Day of their own. As indicated on their website, “OPM recently discovered two separate but related cyber-security incidents that have impacted the data of Federal government employees, contractors, and others.”
In April 2015, OPM discovered that the personnel data of 4.2 million current and former Federal government employees had been stolen, including full names, birth dates, home addresses and Social Security Numbers.
In early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have since concluded with a high degree of confidence that sensitive information, including Social Security Numbers (SSNs), for 21.5 million individuals was stolen from the background investigation databases.
As a result of these two incidents, which impacted at least 25 million people in total, the Director of the Office and Personnel Management resigned.
“A smart person learns from their mistakes, but a wise person learns from others mistakes.”
In IT, we try to hire the smartest security specialist(s) we can find, hoping that with a little luck and some hard work, we will design, build, and implement highly secure IT infrastructure. We focus on technology and process within IT and hope for the best. If we do get attacked, we take comfort believing that we have an expert on staff who can diagnose the situation and bring our infrastructure back on line. After the fire is out, we may try to learn from this experience and attempt to figure out how our security measures were breached. We may even make some changes to prevent a recurrence in the future.
The problem with this approach is that the stakes are too high to afford such a steep learning curve. We must wait for something to happen before we can identify what needs to change. We are then always one step behind the ever-evolving threats, locked in a constant game of action and reaction like a bad episode of Spy vs. Spy. This reactive cycle usually repeats until a major attack occurs and significant damage is done to the business, inevitably resulting in a change of leadership and sometimes even the closure of the business for good.
To survive in today’s world, we have to be able to learn from our mistakes. But simply learning from our mistakes is not enough. A smart person learns from their mistakes, but a wise person learns from others’ mistakes.
What if we change the paradigm slightly? What if, just for a moment, we stopped looking for the answer internally? What if we looked beyond the capabilities of our IT security staff and the limitations of our IT infrastructure? Instead, perhaps we should shift our focus to look for the ways in which other organizations have already become more resilient to cyber attacks. Maybe other organizations have learned their own hard lessons and now have a few tricks up their sleeve that we can leverage to improve our own organization’s IT security. If only there were a way to tap into that knowledge…
“What would having access to best practices in cyber-resilience be worth to your organization? If we were to ask that of the Director of the Office of Personnel Management, it may have been worth their job.”
Fortunately, the experts at Axelos have done the heavy lifting and have compiled the best practices in cyber-resilience into a clear and concise framework called RESILIA™. RESILIA™ takes a comprehensive approach to cyber security, expanding the scope of responsibility for security from IT to the whole organization. The RESILIA™ best practice adopts a lifecycle approach to cyber-resilience, ensuring the correct focus on security beginning very early and extending throughout the life of a service.
Too often, security is either an after-thought or considered solely an IT responsibility. RESILIA™ provides guidance for weaving security into both Business and IT strategic plans. Security is granted the appropriate visibility and oversight on an ongoing basis, based on the importance of the services and the information the company relies on to do business.
What would having access to best practices in cyber-resilience be worth to your organization? If we asked the Director of the Office of Personnel Management, it might have been worth their job. If we asked the 25 million or more people whose sensitive information was compromised, it might be worth the hours or days of their lives spent trying to straighten out fraudulent credit card charges and unauthorized loans. If we asked the leadership in our government, it might have been worth maintaining the trust and confidence of the American people.
Everyone must answer this question for him or herself. Almost certainly, it’s worth a look at RESILIA™ to see if there is anything you can use in your organization to become more cyber-resilient and prevent your own Groundhog Day.
Groundhog Day is the property of Columbia Pictures
RESILIA™ is the property of Axelos Ltd. www.axelos.com