Welcome to the SecAware blog

I spy with my beady eye ...

30 Oct 2013

Survivability awareness module

'Scraping through by the skin of our teeth' may not sound like an inspired business strategy, but in the case of serious incidents and disasters, it may be all that can realistically be hoped for - and it sure beats the alternative. The key point, of course, is to get through.

The poster image is meant to be strangely disturbing. Facing up to the stark realities of impending business collapse is tough, but someone has to do it.

November's NoticeBored module covers "survivability", the capability and the determination to survive things that are so drastic that they threaten the organization's viability. It picks up where previous modules have left off, extending awareness topics such as risk management and business continuity.

Discussing such extremes in the awareness program means treading a fine line between failing to motivate people to pay sufficient attention to the topic, and over-stating the risks to the point that the program loses credibility and people turn away - exactly the kind of awareness challenge that we enjoy!

As well as discussing the resilience, recovery and contingency approaches typical of business continuity management, we took the opportunity in the module to explain the key purpose of business impact analysis, namely to identify the most critical parts of the business. At a superficial level, practically everything employees do contributes to the business, but once we delve into the details and complexities of the business and the supply chain, distinguishing activities that are absolutely essential from the must-haves and nice-to-haves is trickier than it might appear. Dependencies are the killer.

The management seminar translates a military definition of survivability to the information security context. Drawing on a recent survey on business continuity, we point out the marked discrepancies between the disasters that managers fear most (such as fires) and the disasters that most often occur in reality (such as floods). Having promoted the business value of a sound approach to business continuity management, the seminar closes with a somber reminder that failing to plan and prepare for disaster is untenable, no matter how unpalatable it may seem.

The awareness materials for IT professionals delve further into the technology aspects, of course, while gently reminding the audience that IT systems are only truly critical to the organization if they directly support critical business activities. Laying out the spectrum of business criticality helps them shift their thinking from 'everything we do is important' to 'some things are more important than others'.

The staff stream relates business survival to personal survival. The preppers' idea of planning and preparing for disasters at home is conceptually similar to business continuity planning at work (albeit without so many gas masks, powdered soup and AK47s!).

The overall message in the module is that proper planning and preparation put us in a better position to cope with almost anything that life throws our way. Promoting a survival culture may be something that few other security awareness programs cover, but we think they are missing a trick. Employees' dogged determination and resolve to get through is at least as important as the first aid kits and emergency water supplies, the fancy disaster recovery plans, or the evacuation exercises. In a crisis, optimism based on genuine strength sure beats fatalism and the doubt that arises naturally when confronted with something so scary that it triggers visceral responses.

When the chips are down, will your employees fight or fly?
