article

Recognising threat - the importance of pre-incident surveillance

The attacks in Paris on 13th November and London on 7/7 show the planning and preparation that terrorists and other groups put into gathering information to assist with target selection and operational planning. Any thought that these events occur by chance or on a whim should be banished.

What about Resilience?

Risk, Business Continuity and Resilience - are we getting the landscape right?
 
Business Continuity, Resilience and the Rhino's ear
 
Imagine trying to describe or just outline what a Rhinoceros looks like to someone when you have only seen a small part of the whole animal yourself, perhaps just a foot or an ear.
 
Three toed camel or a resilient Rhino?

When you haven't seen the whole thing it makes it awkward at best, perhaps even impossible. It's certainly rather tricky eh? You could end up with a Donkey, a three toed Camel or indeed a host of bizarre critters. To describe a Rhino properly you have got to step back and get the whole picture. (We know this is usually done with elephants, but we prefer a rhino for this analogy... it's an ear thing!)
 
We’re using this example to illustrate one of the most interesting topics emerging across the Risk and Business Continuity Sectors  - Organizational Resilience! 
A lot of people are talking about it and the discussion underway is really interesting. 
 

Climate adaptation measures and our BCM approach - a user perspective

Business Continuity at Dentons - Introduction

Dentons - Global Law firm - creating positive change
 
Dentons is a global law firm driven to provide clients a competitive edge in an increasingly complex and interconnected world. A top 20 firm on the Acritas 2013 Global Elite Brand Index, Dentons' clients benefit from approximately 2,600 lawyers and professionals in more than 75 locations spanning 50-plus countries across Africa, Asia Pacific, Canada, Central Asia, Europe, the Middle East, Russia and the CIS, the UK and the US.
 
The Firm serves the local, regional and global needs of a broad spectrum of clients, including private and public corporations; governments and government agencies; small businesses and start-ups; entrepreneurs; and individuals.
 

Cyber | There's a good time coming...

 
...but it's a good time in coming.
 
‘Solitary, poor, nasty, brutish, and short’ is not a description of the career of the average cyber security officer. It’s a treatise on a life in a constant state of war by Thomas Hobbes (1588 – 1679).
 

Why only grown-ups should be allowed to use computers.

Cyber Security and SME Business

The risks of doing nothing and the problem with SMEs

The response received from most small businesses when we talk about the threat that they expose themselves to simply by connecting to the Internet, is normally along the lines of, “Oh we’ve got that covered”.  When we’re met with such a blasé attitude, we sense some sport and probe a little further.
 
The term ‘covered’ turns out to be an interesting phenomenon, as connecting to the Internet can be likened to waking up one morning and finding a rabid dog sitting on your bed - if you’re lucky you’ll be fine, but there’s a very strong probability of things going horribly wrong, resulting in a potentially deadly infection. For most, a more technical definition of ‘covered’ is probably the router provided by their Internet service provider (ISP) and some free antivirus software.
 

Managing Cyber Risk from the top down

 

Connecting Cyber & Information Security with Business at the Top 

Each month seems to bring us a new report showing that business needs to be doing more on the threats to their IT. Almost daily there are media reports of companies' systems being breached by hackers, of data being lost and increasingly sophisticated criminal activity. The Internet has become ever more part of our business processes around the world, bringing new dimensions of communication, information sharing and performance. Our companies' IT systems are critical, not just to business performance, but to organisational survival.

So you think you're an auditor?

submitted article
 
Why BCM Audits need special consideration

You are implementing a business continuity management system (BCMS) for the first time and you discover that one of the requirements is to conduct “internal audits”. What do you do? Who should be the auditor? Do they need to be trained? All valid questions (along with scores of others which you will doubtless ask yourself) which invariably will be rushed through without much thought into what is trying to be achieved (apart from a tick in the BCMS/certification box).
 
Done well, audits are an excellent way for your business to learn what’s working and what needs to be improved, but done badly they soon become robotic and, worse, potentially divisive. Internal audits are a requirement of any management system standard, so if you are committed to implementing a meaningful BCMS you might as well do it properly from the outset.
 
 

Business Continuity - BS 25999, ISO 22301 and ISO 22313

 
In May 2012, the International Standardization Organization (ISO) published ISO 22301 – Business continuity management systems – Requirements.  Although this standard was long in the making the response has been very positive - and with the promise of ISO 22313 – Business continuity management – Guidance – before the end of this year, it seems it was worth the wait.  
 
ISO 22301 blends the requirements from several national standards, including those from the USA, Japan, Singapore, Canada and Australia.  The similarity with BS 25999-2, however, is most evident.  A comparison of the BS and ISO standards reveals little difference in the requirements.  And in Clause 8 of the ISO, where the business continuity programme requirements reside, the text is identical in many places.
 

What is business continuity?

 
What is Business Continuity?
 
Business Continuity is defined by the International Standards Organization as the: 
"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*
*Source ISO 22300 Vocabulary 
Why is Business Continuity important?
 
Organizations of all types and sizes, public and private, are affected all the time by "disruptive incidents". These can be extreme, such as a natural disaster, or more likely something mundane, such as a burst water pipe, the loss of power or other services, ICT issues and other forms of incident that disrupt the normal work of the organization. The disruption caused usually impacts on the capability of the organization to perform its normal activities and as a consequence impacts on customers or other stakeholders, adding additional costs and creating the potential for losses in financial and even social terms.
 

ISO 22301 ... Business Continuity, Red Tape and Seat belts

 
ISO22301 Business Continuity

There has been some fairly active discussion on a few of the industry forums recently about how standards such as BS25999 and ISO22301 are being seen as potentially even more 'red tape' by many businesses and SME companies in particular.
 
A key comment made was that many smaller organisations are under tremendous pressure at the moment, with more loaded on them by adding Business Continuity to the mix through the new ISO. It was summed up by the title … "It's unlikely that SMEs will welcome the new standard with open arms".
 
While I have great sympathy with the position taken about the plethora of regulations, legislation and other seemingly nonsense GUMPF* that surrounds us and eats away our time, I confess, unsurprisingly though, it's very hard to agree this is at all valid when it comes to Business Continuity.
 

Supply Chain questionnaire for Business Continuity

 
In August 2011, Gayle Hedgecock was the guest speaker at BANG!  During an entertaining evening, she posed the question: "Just how many Continuity questionnaires must I fill in each year?"
 
In her case, it was scores of the things; others were lucky and had fewer to do, but it became clear that ALL the questionnaires were different, even though in reality they were asking the same questions.   It was just that the questions were phrased slightly differently, or were in a different order.  In some cases, they were asking questions that had little relevance to Continuity...
 

London Cyber Conference ends, but what next?

 
Business Continuity Forum opinion
London Cyber Conference
2011 
 
 
Over two days the London Cyber Conference 2011 delivered a truly international focal point to examine how our digital world is developing and share what needs to be done to keep the benefits, but remove some of the risks.  
 
With over 700 people from 60 countries there really was a global presence and the issues discussed in the plenary and private sessions clearly communicated the breadth of the challenges being faced in cyberspace.
 

Commons Transport Select Committee reports on winter travel chaos

 
Snow causes massive disruption across the UK

The Commons Transport Select Committee has issued its report on last year's snow chaos that shut Heathrow airport and disabled significant parts of the rail network.
 
Many roads including motorways were badly affected and it is reported that £280 million was lost to the UK economy each day.
 

How Mass Notification has evolved

submitted article 
 
Frank Mahdavi of MIR3 looks at how Mass Notification has become a mainstream Business Continuity tool.
 
The Evolution of Mass Notification
 
Events that Heralded the Need - The Cold War
 
Electronic mass notification gained prominence in 1963 when the U.S. government implemented the Emergency Broadcast System (EBS) to quickly warn the entire population of any emergency. In that era, school children routinely participated in nuclear bomb safety drills, and many of us recall a voice declaring over the television or radio, “This is a test of the Emergency Broadcast System. For the next 60 seconds … this is only a test,” followed by a loud, one-minute tone.
 
That system was replaced in 1997 by the Emergency Alert System (EAS), designed to enable the President of the United States to speak to the entire country within minutes. The EAS also relies on TV and radio, but includes analog, digital, terrestrial, and satellite broadcast. EAS is effective for reaching a very large geographical area, but it isn’t flexible enough to target a specific area such as a county, city, or neighbourhood. Better solutions were needed for Emergency and Business Continuity Personnel. 
 

Thoughts on VSAT, Continuity and Resilience

 
Working in the business continuity field can be challenging, even frustrating, but sometimes there are moments of clarity, a time when you realise why the challenges and frustrations are worth the stress.
 
Over the past few months we have been working towards the launch of VSAT -  the vulnerability self-assessment toolkit with NACTSO.  It hasn't been too easy.  The public sector is under tremendous financial pressure and money is more than just a little tight.  For 18 months,  the Continuity Forum and NACTSO  have been working against time and budget constraints to develop a shared vision, something that can make a real difference to the safety and resilience of all our communities.
 
Business Continuity Forum creating Resilience and security

Creating Continuity... Building Resilience...