Welcome to the SecAware blog

I spy with my beady eye ...

17 Jan 2020

NBlog Jan 17 - live-fire continuity exercises

Yesterday I blogged about the advantages and disadvantages of business continuity exercises. Today's topic concerns the alternative approaches, in particular the idea of 'live-fire' exercises in the business continuity context.

Vast tracts of prime agricultural land are set aside as military training grounds, allowing the armed forces to practice their maneuvers and, sometimes, fire actual bullets, mortars, missiles and bombs. Real ones, not dummies. 

There are, of course, certain health and safety risks associated with weapons (!), so why take the risks? What are the benefits of not using blanks and simulations?

Two obvious reasons are:
  1. To test, prove and improve the weapons, for example confirming the accuracy, range and effectiveness of a field gun firing live rounds towards a tank, building or bunker, with gusting cross winds, challenging terrain, engineering and operational variables.
  2. To practice, test, prove and improve the soldiers' capabilities, including dealing with the very real safety concerns when their weapons are locked and loaded.
These are still exercises, though, somewhat removed from genuine action on the battle grounds of, say, the middle East ... and it could be argued that even those are merely limited-scope live-fire exercise in preparation for for all-out global warfare.

So do we have the equivalent of live-fire exercises in the business continuity context? Yes, there are at least two types: 
  1. Actual incidents that occur routinely within the organization, ranging from frequent minor events up to the occasional more serious incidents, if somewhat removed from genuine disasters thanks, in part, to the incident management and disaster mitigation activities. Hopefully all that preparation and exercising pays off! It's straightforward for a responsible manager to "declare an emergency", initiating the disaster management activities even though that may not be strictly justified by the exact circumstances. From that point, turning the incident into an exercise may simply be a matter of going through the motions, perhaps simulating various facets that haven't been tested and proven lately. 
  2. Actual incidents that afflict other organizations. These can be valuable gifts in that we get to find out something about what actually happened under fire, without finding ourselves in the cross-hairs. 
A nice benefit of both approaches is that, unlike typical continuity exercises and just like real disasters, they are opportunistic, not pre-planned. They are unlikely to occur, conveniently enough, at the end of the working week before a long holiday weekend. Coping with the adrenaline rush of truly believing that a severe incident or disaster has actually occurred is an integral part of the event/exercise. The chaos and confusion are a step up from the usual cool, calm and collected exercises. True, there are risks too, but they are still less than the risks of being unprepared for incidents and disasters. Risk is relative not absolute, remember, and can seldom if ever be totally eliminated.

I'll have more to say about using third party incidents for awareness purposes tomorrow. Maybe later. Let's live on the edge.

No comments:

Post a Comment