Resilience In A Risky World
Culture is a popular word in many organizations today. The term is often used by organizations to define who they are and how they project themselves internally and externally. There are many variations on this theme: a culture of innovation; of customer service; of quality improvement. The list seems endless.
We would argue that in the highly complex, interconnected, interdependent digital world, the most important culture to be realized and pursued is the culture of resiliency.
If the 20th century was aligned with the principles of The Deming Cycle and a culture of quality and continuous improvement, the 21st century demands a new imperative. Today’s market is global, as are its opportunities and vulnerabilities. A company’s interdependencies are greater than ever before, which means that if resiliency is lacking, a company can be quickly overwhelmed by a variety of events.
Resilience doesn’t mean eliminating or avoiding risk. That is simply impossible. It means you create an environment and structure to mitigate damage in a way that the organization not only survives, but also keeps functioning. In our view, there is no one more important to creating and sustaining a resilient enterprise than the CEO and their leadership team.
Frankly, many leaders don’t know how to deal with this, which is understandable. Global connectedness is changing at lightning speed. Recent history makes clear that the 9/11 terrorist attacks and Hurricane Katrina are not the only examples of large-scale catastrophic and disruptive events. Events like Superstorm Sandy, the Boston Marathon bombings, cyber attacks against our defense and energy sectors, and widespread hacks into ATMs around the country remind us that the United States and its economy remains a target for terrorists and criminals. Both physical and cyber threats are trying to destroy our people, institutions, and our way of life. This raises significant concerns for American companies active in the global marketplace.
As part of our company’s work with C-suite clients conducting tabletop exercises, we are seeing a greater understanding of the gravity of poor planning. Some clients come to us because they are proactive, and as part of a comprehensive risk management strategy, they want to include exercises at the most senior levels of their company. Others come to us after a disaster to help fix the gaps exposed by an event.
During exercises, we put the CEO alongside the CFO, the general counsel, the chief security officer, the chief risk officer, the chief communications officer, and those who run the company business verticals, and present them with a mock crisis. We quickly find out if they’ve ever really discussed the roles, responsibilities, and plan execution should an enterprise-wide crisis occur.
Too often, people in the business verticals think, “Emergency planning is for the security and risk management staff—not for me in my vertical.” There are many organizations that still hold to the belief that “it won’t happen to us.”
They say this despite watching the damage that catastrophic flooding in Thailand had on the global supply chain. Despite watching the cringe-worthy response by BP to a catastrophic environmental event. Despite expansive geopolitical unrest in regions where corporate leaders are banking their future, such as the African continent. They are willing to gamble that inaction is a risk they’re willing to take or that if something bad occurs, someone else will fix it.
It’s a natural human response. We don’t like to think of ourselves as vulnerable, but we are seeing a shift in that way of thinking—particularly in light of a growing number of threats in cyberspace. For a long time, we understood physical attacks more than we understood the damage or toll of a cyber threat. We saw the virtual world as a vague world. Now, all of that has been flipped on its head.
The Growing Cyber Challenge
This entire country, including our economy, runs on a digital backbone that is under daily and growing assault. We read about denial of service attacks and cyber breaches almost every day—on our financial institutions, the alphabet agencies of our military and intelligence organizations, and our media outlets. The cyber assaults have come from nation states, lone wolf hackers and organized crime. They are getting more sophisticated, even now aiming for our infrastructure and defense systems.
The threat expands when we consider the interdependencies of a globally connected world. The largest global hubs for transnational data flow are within the United States, Western Europe, Japan, and coastal China. Consider the effects of cyber attacks on off-shoring and supply chains in those hubs or multiple hubs—on financial, transportation, and energy systems in a world where just about everything moves with electrons.
Cyber attacks are illuminating everything. They are demonstrating to many companies how they are not prepared to deal with a range of threats in real time, and not just cyber threats. They are showing how unprepared both government and the private sector remain to deal with cyber attacks—particularly in a coordinated way that supports national resiliency. They are also showing what’s getting in their own way.
If you have to move at lightning speed in the midst of a disruption, will you discover that your legal and procurement processes aren’t aligned with resiliency operations? In other words, if a typhoon in Asia has brought your supply chain to a screeching halt, will it be days and weeks before your lawyers and procurement folks can be aligned to secure the appropriate response and restoration services you need to stop the bleeding? If so, your culture of resilience has just bottomed out.
What we’re finding is that more and more companies are realizing that cyber attacks have a real—not virtual—impact on the bottom line. They are learning that with all threats to the enterprise, resiliency is an investment, not an expense.
Some are also learning that after an attack, it would have been easier to invest in assessment and planning on the front end, rather than far-costlier remediation following an attack. Good risk management is pre-emptive. In the long run, the return on risk resiliency is high.
Resilience through Collaboration
In times of crisis, it’s important to remember that we improve our chances of recovery if government and industry work together. We’ve certainly seen during natural disasters that the private sector is often better equipped to bring in supplies quickly and distribute them efficiently. We can build in public-private sector resiliency. It can minimize the consequences in the short term and mitigate the prospect of disruption in the long term.
The same is true for cybersecurity. In order for the government to effectively deal with the country’s digital concerns, it must deal with an infrastructure that is primarily owned by private sector companies and shareholders.
There is no reason why there cannot and should not be the closest possible collaboration in this area. Unfortunately, many in government believe that the best way to work with the private sector is through regulation. There is something that too many in Congress don’t get—that the threats we face in the cyber world, even in the physical world, move faster than they can legislate and regulate. More importantly, mere compliance does not equal security.
Our frustration with this is particularly palpable when we look at the legislative debate on cybersecurity. Everyone agrees that information sharing is key, but we have become our own worst enemy. An information-sharing agreement falls short if it doesn’t have the liability protections in place so that you can share that information without fear of giving away proprietary information.
In our view, we have to ensure that industry has a seat at the table. This means everything from loaned executives; collaboration on policies, including the private sector in regional planning and exercises; and security clearances for private sector personnel. We have had pockets of success in these areas, but we have not yet realized a national culture of resiliency. Again, regulating or mandating the private sector will not work.
We also believe that government needs to be blunt with the private sector about the consequences of inaction. That goes back to what we discussed earlier—understanding what’s at stake before a crisis occurs.
The path to resiliency in a risk-based world is not a smooth one. It can be complex. Threats continue to evolve, meaning the way we must confront them will change. Corporate resiliency will be transformational in the 21st century because threats are more complex, and we are more globally interconnected than ever before.
Some companies will recognize the value of resiliency and thrive. Others will fall behind or by the wayside when the catastrophic storm, terrorist incident, or cyber attack wipes out tight margins in this age of austerity and efficiency. Overall, we only need to look at events like the Boston bombings, Katrina, 9/11, Superstorm Sandy, the Oklahoma City tornadoes, and even the financial crisis to know that Americans are resilient in spirit. It’s in our nature!
A culture of resilience mirrors our spirit of resilience. We have learned from past events. Now our challenge is to continue to take those lessons learned and make sure we convert them to lessons applied. We’re confident that within our country and companies, we will do just that.
The Honorable Tom Ridge is Chair of the U.S. Chamber’s National Security Task Force and the president and CEO of Ridge Global, leading a team of international experts that help businesses and governments address a range of needs throughout their organizations. He also serves as a partner at Ridge Schmidt Cyber, a cybersecurity firm, founded with former White House Cybersecurity Advisor Howard A. Schmidt. Following the tragic events of September 11, 2001, Ridge became the first assistant to the President for Homeland Security and, on January 24, 2003, became the first secretary of the U.S. Department of Homeland Security. Previously, Ridge served as Pennsylvania’s 43rd governor from 1995 to 2001. Ridge attended Harvard University on a scholarship and graduated with honors in 1967. After his first year at The Dickinson School of Law, he was drafted into the U.S. Army, where he served as an infantry staff sergeant in Vietnam, earning the Bronze Star for Valor. After returning to Pennsylvania, he earned his law degree and was in private practice before becoming assistant district attorney in Erie County. He was subsequently elected to Congress in 1982.
Howard Schmidt serves as a partner in the strategic advisory firm, Ridge Schmidt Cyber, as well as executive director of The Software Assurance Forum for Excellence in Code (SAFECode). He previously worked as special assistant to the president and the cybersecurity coordinator for the federal government. Schmidt has held various leadership roles at the Information Security Forum, eBay, and Microsoft. He also served as chief security strategist for the US-CERT Partners Program for the Department of Homeland Security. Schmidt has over 26 years of military service, and holds a bachelor’s degree in business administration and a master’s degree in organizational management from the University of Phoenix. He also holds an Honorary Doctorate degree in Humane Letters.