Security & resilience post-COVID
14 June 2021
A reflection that’s leading to positive change
by Oscar O’Connor.
Guest contributor Oscar O’Connor is many things. Cybersecurity philosopher and storyteller, CISO, executive and non-executive director, optimist, ally, mentor, coach and player of the infinite game. His views both inform and challenge.
I was introduced to the world of information security in the late 1990s. At the time I was managing a risk and business continuity management programme for a global pharmaceutical firm, and the Millennium Bug was causing concern. Despite rumours to the contrary, much of the quality control and quality assurance technology, as well as core IT systems, did indeed require updates to avoid failure on January 1 2000. This period was a salutary lesson in the differences in perception between the professionals, the commentators and the general public.
At the time, cybersecurity as a term had not been coined, those involved talked about information security or information assurance. The terminology of cyber is relatively new and seemingly intended to give a bit of sex appeal to a relatively complex and dry subject. Though the acceptance of cybersecurity as a requirement for all organisations who use information and communications technology has spread, there are still many organisations that regard it as, perhaps, a necessary evil rather than a positive contributor to organisational performance.
Since I first became involved in this domain, I have heard or read hundreds (or perhaps even thousands) of professionals bemoaning the difficulties they have with communicating the importance of cybersecurity and resilience to their boardrooms. Public commentators’ views on this subject, as was the case more than 20 years ago, seem to depend heavily on their political positions or vested interests and the need to sell copies or attract social media endorsements. The general public is, naturally, confused and not a little fearful about what to believe and how to behave.
The past 14+ months of pandemic have caused many people, myself included, to take stock of what we do, how we do it and why we do so. Reading Simon Sinek [1][2][3] has influenced my thinking in this regard, as has research into the B Corporation [4] movement. Being a parent to a late teenager — and a relatively new grandparent — have also had a significant influence. I would encourage everyone to explore these books and ideas as we enter a future in which deadly pandemic is a fact of life rather than a line item in a risk register that nobody takes seriously.
A gradual realisation
Working from home, for all knowledge workers, has proved that we do not need to be in offices to be productive. There are many good reasons to go to an office to work but it is clear from the past year that it is not a fundamental requirement. Like many people, I have missed the social interaction during and after work. But I have not missed commuting at all and have found myself able to manage my workload in a much more family-friendly way during this period. Opinions on LinkedIn (anecdotal and not the least bit scientific) seem to indicate this is a common view. But I recognise I am hugely privileged, being in the later stages of my career, with my own home, a spare room to convert into an office, a big garden to wander around and a very supportive family. Not everyone is so lucky. Not every nation’s population has the luxury of those choices.
That said, this period of reflection has brought me to the conclusion that Sinek’s view that we are happier, more productive and more successful if we believe in what we are doing and work with others who share that belief, is correct. I also agree with his hypothesis that the world in which we live and work, and the organisations we belong to are involved in an infinite game where the concept of “winning”, as it relates to sports or gambling for example, is misplaced. Survival of the organisation for the long-term is far more important than making short-term gains at the expense of our belief systems, our environment, our families and our colleagues.
Nothing exists in a vacuum
My journey to these conclusions started back in the 1990s, when I was appointed to write a business continuity plan (BCP) for the pharmaceutical firm. I was in a lucky position. Pharmaceutical discovery, research and development, and clinical trials are long-term activities requiring a healthy risk appetite and long-range vision [5]. In that context, it became clear early on that, in order to deliver on the business continuity requirement across all areas, we needed to consider not only the internal technology risks associated with the Millennium Bug, but also the risks associated with the raw materials (controlled substances), the locality (a business park with one entrance, one power supply and limited space for expansion) and the potential impact on the local community from risks such as fire which have little dependence on technology. Because of these factors, the programme morphed to focus on risk management in each business area and the organisation’s resilience to the risks identified.
While this may seem like a classic example of scope creep, I prefer to think of it as a collective realisation that writing and testing BCPs would not, in isolation, deliver the long-term benefits the business required. That experience has influenced a great deal of my work in the 20+ years since.
Resilience — the new way forward
As the UK and other nations consider lifting restrictions on social interaction, travel, etc., like many people I am trying to make sense of what political leaders around the world are doing. How will the different approaches influence how organisations across private, public and third sectors respond and set themselves up for the next period of their existence? Since we cannot go back in time, and we would not have chosen to start from here, in my mind resilience in its widest sense should be the watchword from this point forward. This is where my research into the B Corporation movement has had a great influence. In IT, we have been taught for decades that we need to consider “People, Process and Technology”. However, I am convinced that the B Corporation requirement to consider the environment in its broadest sense, as well as reflecting more deeply on our core purpose and the impact on people, is the way ahead.
I also believe that while, as an industry, we talk about people, process and technology, generally speaking it is the reverse order when it comes to priorities… find the tech, rejig the process and force the people to work with the result is not an uncommon experience. This broadening of the thought process is, I believe, equally important in the fields of security and resilience. I might even go so far as to say that cybersecurity is but one factor in a resilience strategy – vitally important for sure, but not everything.
Our collective obligation
By now you are probably wondering, “What is the point of all this rambling?” Simply put, I believe very strongly that as an industry, or collection of specialisms, we have an opportunity, or even an obligation, to rethink, in the light of our pandemic experience, the way we approach and talk about cybersecurity and resilience. I imagine a world in which human and environmental factors feature as strongly in our thinking as technical and financial ones, where we give due consideration to the nature of the markets/domains we operate in and recognise that no organisation exists in a vacuum. For decades, organisations have been marketing themselves as treating their people as their most valuable asset. But how many of your employers have touted this mantra without really believing or meaning it? I know I have worked with a few. I’m betting you have as well.
About 15 years ago I gave a talk at the BCI Symposium in Amsterdam. Most of the audience had flown to that wonderful city for the event and as I was talking about risk and resilience, I asked for a show of hands… “how many of you flew to this event?” Roughly 80% of the 500 or so audience put up their hands. Then the follow-up question: “Keep your hand up if you would have done so if your company or organisation’s IT department had been responsible for the software that controls the ‘plane?” Every hand went down. That to me, then and now, is immensely troubling.
[2] Sinek, Simon. Start with Why. Penguin Books, 2011. ISBN 9782924412688.
[3] Sinek, Simon. The Infinite Game. Portfolio Penguin, 2020. ISBN 9780241385630.
[5] That COVID vaccines have been developed, trialled and delivered to millions of people around the world in less than 12 months is frankly astonishing and worthy of great respect, admiration and gratitude.