Blog

Groundhog Day - A CEO's least favorite movie.

Groundhog Day is likely every CEO's least favorite movie, because it clearly conveys the message that sometimes change takes a long time and that you can’t truly move forward until you get things right.

Imagine that you are the CEO of a major organization and a security incident occurs in which significant data has been stolen or sensitive customer information has been compromised. By itself, this would be a nightmare for any CEO. The organization will have to come clean about the attack. The company will have to notify customers of the loss of data (which will most likely result in some of them choosing not to do business with you in the future), and the press will run with the story and sensationalize things. Potential customers may refuse to do business with you for fear of a breach of security impacting their organization. You may even be subject to additional fines, penalties, additional oversight, etc. A bad day to be sure.

Now imagine that shortly after you have a breach of security, your IT staff tells you that things might not be over. They have detected additional attacks in other areas of the infrastructure. The press release from your first attack has announced to the world that you were not ready to handle an attack and a big neon sign has now been lit up telling every nefarious computer user that your organization is ill-prepared. 

Attacks happen over and over again, and despite the best efforts of your IT staff, they continue to happen. Your staff are stuck in reactive mode, always responding to the next attack only after it has been detected. As a CEO, you would get pretty frustrated. After all, who really wants to keep having the same conversation about security incidents with the folks in IT, only to issue another statement to shareholders and the press about yet another cyber-related incident?

In the movie, the actor Bill Murray plays a meteorologist who is stuck in what seems to be a never-ending loop, repeating the same day again and again. Every morning he wakes to find the exact same people doing the exact same things. Each day, he tries to change different things only to find himself right back where he was the previous day. According to movie director Harold Ramis, this cycle repeats for over 33 years in movie time. I don’t know about you, but to me 33 years seems like a little more time than I am willing to spend figuring out how to improve my organization to address one obstacle.

The Office of Personnel Management recently had a Groundhog Day of their own. As indicated on their website, “OPM recently discovered two separate but related cyber-security incidents that have impacted the data of Federal government employees, contractors, and others.”

In April 2015, OPM discovered that the personnel data of 4.2 million current and former Federal government employees had been stolen, including full names, birth dates, home addresses and Social Security Numbers.

In early June 2015, OPM discovered that additional information had been compromised, including background investigation records of current, former, and prospective Federal employees and contractors. OPM and the interagency incident response team have since concluded with a high degree of confidence that sensitive information, including Social Security Numbers (SSNs), for 21.5 million individuals was stolen from the background investigation databases.

As a result of these two incidents, which impacted at least 25 million people in total, the Director of the Office of Personnel Management resigned.


In IT, we try to hire the smartest security specialist(s) we can find, hoping that with a little luck and some hard work, we will design, build, and implement highly secure IT infrastructure. We focus on technology and process within IT and hope for the best. If we do get attacked, we take comfort believing that we have an expert on staff who can diagnose the situation and bring our infrastructure back on line. After the fire is out, we may try to learn from this experience and attempt to figure out how our security measures were breached. We may even make some changes to prevent a recurrence in the future.

The problem with this approach is that the stakes are too high to afford such a steep learning curve. We must wait for something to happen before we can identify what needs to change. We are then always one step behind the ever-evolving threats, locked in a constant game of action and reaction like a bad episode of Spy vs. Spy. This reactive cycle usually repeats until a major attack occurs and significant damage is done to the business, inevitably resulting in a change of leadership and sometimes even the closure of the business for good. 

To survive in today’s world, we have to be able to learn from our mistakes. But simply learning from our mistakes is not enough. A smart person learns from their mistakes, but a wise person learns from others’ mistakes.

What if we change the paradigm slightly? What if, just for a moment, we stopped looking for the answer internally? What if we looked beyond the capabilities of our IT security staff and the limitations of our IT infrastructure? Instead, perhaps we should shift our focus to look for the ways in which other organizations have already become more resilient to cyber attacks. Maybe other organizations have learned their own hard lessons and now have a few tricks up their sleeve that we can leverage to improve our own organization’s IT security. If only there were a way to tap into that knowledge…


Fortunately, the experts at Axelos have done the heavy lifting and have compiled the best practices in cyber-resilience into a clear and concise framework called RESILIA™. RESILIA™ takes a comprehensive approach to cyber security, expanding the scope of responsibility for security from IT to the whole organization. The RESILIA™ best practice adopts a lifecycle approach to cyber-resilience, ensuring the correct focus on security beginning very early and extending throughout the life of a service.

Too often, security is either an after-thought or considered solely an IT responsibility. RESILIA™ provides guidance for weaving security into both Business and IT strategic plans. Security is granted the appropriate visibility and oversight on an ongoing basis, based on the importance of the services and the information the company relies on to do business.

What would having access to best practices in cyber-resilience be worth to your organization? If we asked the Director of the Office of Personnel Management, it might have been worth their job. If we asked the 25 million or more people whose sensitive information was compromised, it might be worth the hours or days of their lives spent trying to straighten out fraudulent credit card charges and unauthorized loans. If we asked the leadership in our government, it might have been worth maintaining the trust and confidence of the American people. 

Everyone must answer this question for him or herself. Almost certainly, it’s worth a look at RESILIA™ to see if there is anything you can use in your organization to become more cyber-resilient and prevent your own Groundhog Day.

 

 

 Groundhog Day is the property of Columbia Pictures

 https://www.opm.gov/cybersecurity/

RESILIA™ is the property of Axelos Ltd.    www.axelos.com

Announcement, New Class, Press Release

Introducing RESILIA™

Edge is pleased to announce the addition of RESILIA to our training offering. RESILIA represents the latest thinking and approach to Cyber Security.

At the heart of RESILIA is the idea that Security is much larger than just having the right technology and a few technical specialists in place. Good security has to be woven into the culture of the organization and must be driven from the top down.

In addition to a wider scope than other frameworks, RESILIA also follows a lifecycle approach to ensure that Cyber security is aligned and remains aligned to the needs of the business. 

RESILIA™  is a registered trade mark of AXELOS Limited

 

 

For more information about this course, please click here.

 

New ITIL and ITSM Videos

Edge is pleased to announce the creation of our new YouTube channel. We are posting new videos online all the time. 

These videos help to explain basic I.T. Service Management (ITSM) concepts for people who are thinking about ITIL or who would like a better understanding.

Please feel free to check the videos out and drop a comment!

 

Our channel is located at:   https://www.youtube.com/channel/UCx4gGYD64GF8wYurXnzetDg

Here is a sample of what you can find on the channel itself.

 

Press Release, Announcement

IT Service Management Templates are now available

One of the comments we have heard for years about courses and the best practices in general is that "the library references specific documents like SLAs, OLAs, SLAM charts, and policy statements, but there aren't any of those available in the actual infrastructure library for us to use in our organization".

Of course, consultants are more than happy to come in and help you create your own policies with their input, for a hefty fee!

If you are a self-starter and you have a good understanding of the ITSM processes, as well as the other supporting documents, we offer great value for money. Our ITSM policy documents are 90% complete. Just put in your company-specific information, add or subtract some of the fine points in the document to make it applicable to your organization, socialize it with top management, and you are on your way!

Policy statements are one of the first and most important elements of standing up ITSM best practices in an organization. Without clear direction and understanding of what the business is trying to achieve, processes can never hope to help the business accomplish their strategic goals and objectives. 

You simply cannot figure out how you are going to do something unless you first completely understand what it is you are trying to accomplish, as well as why you are trying to accomplish it in the first place. Our templates help iron out all of those details.

Don't be fooled by other companies trying to sell you a bundle of documents for hundreds of dollars with what will eventually amount to a whole lot of fluff. Download just the document(s) you need for the processes you are trying to implement.

To make life even easier for you, instead of having to read through dozens of documents to figure things out, watch our instructional videos (access is included with your document purchase) on how to use the document(s) to their greatest benefit.

Search our templates

 

Announcement, Press Release, New Class

Edge IT Training and Consulting joins CompTIA partner program

Edge IT Training and Consulting is very pleased to announce that we have recently been accepted to participate in the CompTIA training partner program. This represents a big step in enabling our organization to provide a full line of accredited training courses for students regardless of where they are in their career. 

As part of the training partner program, Edge IT Training and Consulting has gained access to very valuable resources and some of the finest training material available today to help students prepare for and pass their CompTIA certification exams.

Be sure to check out our updated training catalog for the most recent information on all of our CompTIA courses.

To find out about our classes click here