“But it ain’t how hard you hit; it’s about how hard you can get hit, and keep moving forward.”- Words made famous by a portrayal of resilience himself, Rocky Balboa.
Without resilience, the internet probably wouldn’t have been created – if someone gave up every time their project went awry, the Internet of Things would be as foreign to us as teleportation. Luckily though, the trailblazers kept going and we are more connected electronically than ever before.
Imagine then, if one day there was a massive glitch in the U.S. infrastructure and a national power outage occurred (or even more digital weapons released- remember Stuxnet)? Would you be able to get your work done? Would you be able to even cook or pick up your kids from school? How easily would we be able to bounce back from that, how easily would our systems be able to bounce back from that?
Resilience is commonly defined as the ability of something or someone to spring back into shape and quickly recover from difficulties. I also like to think of it as how well we continue on, as resilience can be chipped away with time.
The good news is, being resilient with systems and security is within our control. In fact, human behavior alone is both the core issue and solution surrounding cyber resilience of organizations.
A former study that I conducted looked at the effects that the division of labor had on a company’s overall security. I found that physically dividing co-workers by department and teams has a negative impact on overall resilience as information was siloed. Seems pretty straight forward right? Well, the surprising part was, that even within teams, the understanding of security was skewed. There was no standard or base level knowledge that was required of anyone, and in fact, the employees themselves were the biggest threat to the company than anyone else.
As the definition above states, being resilient means being able to snap back into action. The company studied wouldn’t have had enough knowledge between teams to have a unified crisis plan, to be able to regain stability after an unsavoury event.
Organizational Resilience
Contrasting this, an example of a highly resilient company, comes from a study a former professor of mine published. He had been observing stock traders in NYC for quite some time when 9/11 happened. After their office in NYC was shut down from the attacks, the trading company moved to a separate office in New Jersey, which hadn’t been utilized previously. The study found that after 9/11, when the employees were forced out of their office and halted their capabilities, they set up the office in NJ as similar as they could to their old one, and all had the mentality of gaining normality again after such horrendous events had happened. With their collective approach to just keep going, they restored their business function six months after the attack and didn’t lose a single employee in the process.
Now, something important to point out is that in the stock trading world, you are used to chaos. There’s always a level of uncertainty and stress surrounding you. However, in regards to resilience, this is actually incredibly positive. The study found that having had a reasonable level of chaos on a daily basis, actually helped the traders bounce back, and all the more resilient they were.
So how do we make sense of this? How do we get from the first company mentioned, who had very little to no resilient practices in place, to the second company who was able to overcome a tragic event?
When an entire team has the same baseline knowledge, and are able to act and react both proactively and retroactively to security threats, is when a resilient system is then created. For if a system goes down and no one knows how to solve it, or if different people know different information that could solve it when pieced together but don’t, then there really is no hope.
But what’s even more important, and sometimes overlooked, is having a diverse workforce. While working security knowledge and core values should be shared amongst teams, having different thought processes and backgrounds keeps ideas from going stagnant and lowers the possibility of group think.
Think about antibiotic resistant bacteria, how these organisms have reshaped and changed based on new threats to them like antibiotics over centuries. The most resilient ones are the ones who were able to evolve with the ever changing environment, and not remain the same.
When it comes to organizational resilience, we’re only as strong as our weakest link, therefore it’s up to companies to create a stronger security culture and general awareness of each other in order to become more resilient.
Here are a few ideas on how you can build organizational resilience:
- Treat everyone equally – have a base level of security knowledge everyone needs to know
- Have drills – be able to respond under attack (phishing campaigns for one)
- Have a diverse team and continuously challenge the process. Embrace new ways of looking at issues/topics. This starts in your recruitment, and is driven by your leadership teams.
- Have backups – every organization should have a business continuity plan intact, but take this a step further, consider different locations you could work out of, how you could rebuild and what you would need/how you would communicate to your staff.
- Accept that there are things that are so unknown, that you can’t prepare for them, and allow for mistakes to happen. Have transparency so that people aren’t afraid to discuss mistakes.
- Always get back up. Keep trying. Challenge the process. When you have a resilient culture, everyone helps out and collaboration sky rockets.