The threats impacting businesses today are complex, insidious, and almost always have an up or downstream impact on technology. Cyber attacks are also borderless and can impact core operations as easily as business partner and supply chain operations. Therefore, when companies look to increase their resiliency they must weigh equally their operational and technological vulnerabilities.
One challenge that many organizations face is that there is no single entity governing cybersecurity and crisis management. With different reporting structures, separate budgets, and uncoordinated planning, they struggle to stay in sync. This partnership takes aim at breaking down those silos and helping organizations to get an honest and holistic view of their risk landscape.
For more than 10 years Lootok has pushed the boundaries of traditional crisis management and business continuity (BC). “I launched Lootok with the singular vision of doing BC differently,” said Lootok CEO, Sean Murphy. “Global volatility and increased competition have escalated the need for companies to prepare for disruptions. While everybody knows that they should have a BC program, nobody wants to do the work. BC is only important when it’s too late, and when an incident does occur, any data and plans that have been collected typically remain untouched.”
Lootok continually confronts these challenges by offering fresh points of view on industry standards and new ways to transform programs to meet today’s highly networked environment. Sean Murphy explains: “I knew that BC was an essential part of business. The negative returns I so often saw were not the result of BC itself, but rather how it was implemented. At that point, I saw a major opportunity in going beyond the cookie-cutter approach and offering something of lasting value.”
With this goal, Lootok based its services on a deep understanding of industry expertise and interdisciplinary sciences. Why integrate interdisciplinary sciences? It is a simple answer, according to Sean: “We get better results. Through integrating cognitive sciences, gamification, and branding concepts we capture higher-quality data, buy-in at all levels of the organization, and sizable costs savings through self-service and automation.”
2017 marked a reflective period in Lootok’s history, where the company restructured areas of the organization to yield even greater innovation and sharpened its services to Lootok clients. Lootok is excited to announce that there are four changes in its talent pool that set the stage for this evolution.
In our business, we can all identify with the feeling that something bad is looming—the next big power outage, unprecedented snowstorm, or vicious cyber attack is right around the corner. Sometimes it can feel like all we’re doing is getting ready for a negative event.
Many industry activities—things like assessments, plans, exercising, and auditing—help to create this “wait-for-impact culture.” As we evaluate endless industry standards, regulations, and consulting methodologies, there is a hyper-focus on documentation, policies, procedures, steering committees, and audits.
This methodical approach works with well-defined risks, or those threats that are so familiar to us that we’ve integrated them into the way we do business. But what about complex risk? The most procedural checklists and plans don’t account for managing those threats that we’ve yet to figure out. Risks that are still emerging and largely unknown are the ones that could actually leave us vulnerable.
Ten years ago, we developed Lootok’s BCM Model®* because we realized that it wouldn’t ever be enough for leaders to simply respond. For companies to stay competitive, leaders must be more proactive than ever to also consider threats that are on the horizon.
The Brit seemed like our perfect partner, and we feared it too good to be true—technical sophistication, strong reporting/metrics, and flexibility? Our self-defense mechanism kicked in, and we couldn’t help but try to dig up some dirt. So, we asked others, “Hey, what’s the Brit really like?”
But despite our best efforts, all we could scrape up were rave reviews from their existing clients. By all accounts, the Brit seemed reliable, stable, and drama-free.
Though it may seem shallow to admit, we also wanted to date someone with a pleasing, modern aesthetic—and the Brit was recognized globally for its good-looking user interface. Having seen so many clunky platforms, we bonded in our mutual love for user-centered design. We spent many a weekend waxing poetic about the need for “simple, unobtrusive, intuitive planning.”
Years ago, we were seduced by software that promised to solve all of our problems. Maybe it was our fault for being too naïve. The software only ended up being way too complicated, and left us feeling so overwhelmed and abandoned that there was no choice but to eventually break up. The whole experience burned us so bad that we swore never to enter into the software market again.
Maybe we’d just been in the BCM scene too long, but we didn’t want anything flashy or something just “good enough.” Perhaps our standards were high, but we vowed to ourselves not to make the same mistake again.
I was working with an executive team on a crisis scenario, when one of the leaders asked a question on crisis communication. He asked, “How soon do we need to communicate? 5 minutes, 10 minutes, 1 hour, 1 day, …?” He was looking for a precise number to evaluate a few past incidents that were on top of mind for everyone in the room. I gave the common answer, but right answer, of “it depends”. He gave a look of dissatisfaction and made a discrediting posture. I went on to share a few basic statistics from Daniel Diermier’s research (author of Reputation Rules) such as “online news stories suggest that the typical window is only eight hours; 20% of all news stories on a given issue are published within an eight-hour period; so forth.” Some time has passed since the exercise. After some thought, I want to provide executives with six (6) crisis characteristics to consider when determining when and how to communicate.
I was on the phone last week with a data visualization expert and author discussing visualization problem solving—basically, how to solve problems or at least understand problems with pictures (i.e., drawing pictures). He asked a question about cyber security: “Why is a cyber threat so scary? Isn’t it just another threat?” He was right… in part—cyber is another threat, just like infectious disease, civil unrest, flood, power outage, fire, war, or accident. While we use common frameworks and capabilities for threats such as command and control, situation awareness, threat intelligence, common operating picture, common ground, and so forth, each threat has unique characteristics we need to consider. Why is cyber security on the top of every executive’s mind? It comes down to six (6) characteristics of a cyber threat:
There’s a mnemonic for these six (6) characteristics: “is wild.”
What’s the biggest challenge in risk management? If you ask risk analysis expert Yossi Sheffi, it’s the lack of an industry metric. For example, when you choose a supplier, how can you quantify how risky your choice is? When it comes to metrics, Sheffi says, risk still remains an area where gut feelings and opinions play a major role. And the biggest challenge for risk managers? Defuse the responsibility for managing risk throughout the whole company.
Risk analysis expert Yossi Sheffi discusses two fundamental resiliency strategies that organizations can use to recover from an incident: redundancy and flexibility. Using the examples of Intel and Southwest Airlines, Sheffi talks about the role of redundancies, flexibility and interchangeability, and communication and culture to provide risk managers with realistic and practical approaches to consider.
Risk analysis expert Yossi Sheffi explores the capabilities and limits of the traditional risk matrix, and adds another axis called “detectability.” Detectability has to do with time dimensions, or how much time we have to prepare and react to a threat. There are some events, such as a cyberattack or theft of intellectual property, that have no warning; you realize their occurrence only after they hit you. While the standard use of the risk matrix is influenced largely by the past, adding detectability means greater opportunity to tackle impending threats.
September marks the 10th annual National Preparedness Month – a nationwide, month-long effort sponsored by the Federal Emergency Management Agency (FEMA) to encourage everyone to prepare and plan for emergencies. Across the country, there are a host of free educational events focusing on topics such as CPR training, preparedness outreach, and family safety.
With the winter superstorm Nemo rapidly approaching the Northeast with expected impact in major hubs like Boston and New York City, make sure your people know what to do in the event of a severe winter storm. Here are some last minute tips on what to do when it strikes.
Major change initiatives like business continuity take time, but many programs are often declared failures and abandoned before they are given a chance to succeed. For this reason, it’s crucial to show immediate signs of success, particularly for programs that are newly initiated or being re-launched. New behaviors also take time to become habitual, so in order for a business continuity management program to be self-sustaining, it must be gradually built and adopted as part of the company culture.
In order to accomplish this, people also need what Fogg calls “triggers.” Triggers can be thought of as a cue, prompt, call to action, or request that leads to a chain of desired behaviors. In other words, as Fogg states, “Triggers tell people to ‘do it now!’”
Here’s something most of us can relate to – the desire to comfort ourselves with something shiny and new after the infliction of an injury. In this, corporations are just like the rest of us. When a company finds itself bruised after a continuity incident, business continuity shopping therapy begins. Eager to assure ourselves we won’t get caught unprepared again, we turn to the marketplace to build our arsenal.
Ah, Christmas…. a time of yuletide cheer, decorating the tree, opening presents, office holiday parties, and of course, eggnog. All the things that make the holiday season so special… and so dangerous? If you’re feeling overcome with Christmas cheer, leave it to the business continuity professionals to put a damper on those holiday spirits with this list of top holiday risks.