Welcome to the SecAware blog

10 May 2018

NBlog May 10 - mapping a troubled mind

Yesterday I said I'd invest some time into reconsidering and simplifying the awareness topic for June - "Incident and business continuity management". Specifically, I said I would have a go at mind-mapping on Post-It Notes.

So I did. I splashed out on 6 Post-Its and set aside 10 precious minutes for quiet contemplation. The first attempt broke down the processes associated with incident management into a conventional sequence - plan, prepare, exercise and refine ... but the sequence doesn't readily extend to cover business continuity, other than somehow 'coping' with incidents that turn out to be massive. And then I thought about focusing on the essentials, and added "Focus" as a reminder about focusing the incident and business continuity management activities on critical business processes. 

That doesn't quite work so let's try another approach. Still thinking about how the organization identifies its critical business processes, this time I came up with a set of basic questions, the kinds of things a worker coming across this awareness topic for the first time might ask themselves.  Why is incident and business continuity management worth addressing? What do the terms even mean? How are they done, when, and by whom?

That's all questions, no answers, so I'm not really getting anywhere here.

OK, onwards, upwards ...

Attempt #3: back to the incident management process again, this time extending it to cover not just fixing the immediate causes of incidents but addressing the underlying issues, thereby improving the organization's resilience and security.

That's better, and leads me to think about process maturity, the organization gradually refining and improving the approach over time.  Maturity is nice because it doesn't matter how good you are today: you can always improve. So, on to the fourth mind map.

Here I'm focused on the management activities, in other words how the organization might go about developing its incident management and business continuity management processes by:
  • Defining the objectives;
  • Clarifying and setting priorities, relative to other business initiatives;
  • Allocating suitable resources;
  • Measuring important stuff to know how well it is going, and to drive it along;
  • Using the metrics to improve, systematically, learning new tricks.
Mind-map #4 might serve for the management awareness stream, I guess, but it's of little relevance and interest to the others.

Fifth attempt: this time I'm thinking about business continuity management. The mind map has just 3 arms so at face value it is simpler than the previous 4 ... but I've added sub-items: the arms are fewer but more complex.

And it doesn't refer to incident management, at least not explicitly. I guess I could add it, particularly in connection with the 'recovery - correct - restore' arm, all of which are important activities in most incidents.

Well OK, #5 has some potential.

Frustratedly reviewing the previous 5 mind maps, I'm not making much headway here. Nothing really stands out clearly at this point - so it's time to try a radically different approach, a creative thinking method called 'reversal' - turning the problem on its head. 

Instead of struggling to find ways to describe what incident and business continuity management are, what are they not? What might be the consequences of not managing incidents and business continuity, of not bothering at all? Cue Post-It #6.

While the organization might essentially ignore or muddle through relatively minor incidents, above a certain point they become serious enough to cause material damage, all the way up to disastrous incidents causing total failure. But 'having faith' hints at an aspect barely mentioned so far: assurance is an important part of this. Organizations should not wait to suffer serious incidents to discover whether they will or will not cope. That's not good practice, not sound governance. Building confidence in the arrangements, strengthening and maturing them, is definitely something worthwhile.

My 10 minutes spent, I stopped brainstorming to scan the Post-Its and write this blog ... which took about 50 minutes more. All in all, that's an hour's slog with not much to show for it.

As my pal Lee used to say, "the floggings will continue until morale improves".
