If you’ve been involved in the security industry in some shape, form or fashion, you’re undoubtedly familiar with the concept of resiliency and being able to bounce back quickly following a dramatic event – be it natural or manmade. However, while many private and public organizations may think they have the right plans in place for dealing with potential calamities, the truth of the matter is that many people remain woefully unprepared. Two sessions held at this week’s Secured Cities conference in Baltimore offered different, but profoundly important perspectives on the subject.
According to Lynn Mattice, managing director of management consulting firm Mattice & Associates, U.S. businesses are facing an unprecedented array of threats ranging from the effects of sequestration cuts to massive cyber espionage campaigns and insider threats. During a recent intelligence briefing, Mattice said he learned that the Chinese, who have long been regarded by many as one of the largest state sponsors of hacking, have about 200,000 PLA (People’s Liberation Army) troops devoted to attacking computer networks around the world.
The people hardest hit by hackers, according to Mattice, are not large Fortune 500 companies, but small-to-medium-sized enterprises, which are responsible for the majority of new technology innovation. The problem for an upstart company, however, is that it often lacks the resources needed to fight or mitigate a threat that seems to grow by the day. “The further out you go, the harder it is to get the focus of these people to look at their risks,” Mattice told attendees.
Mattice believes that the resiliency of the U.S. is dependent upon the nation’s economic security, which is directly impacted when businesses fall victim to cyber criminals. To help alleviate this problem, Mattice, a former head of security for Northrop Grumman, Whirlpool and Boston Scientific, has founded the National Economic Security Grid. He described the NESG as a “virtual neighborhood watch program on steroids” and said that one of its main goals is to create an intelligence center that SMBs can use to share information on a variety of threats.
When it comes to protecting organizations against traditional physical security threats, Dr. Stephen Flynn, director of the Center for Resilience Studies at Northeastern University in Boston, said that despite the nation’s focus on terrorism prevention, he has yet to come up with a scenario, short of the detonation of a nuclear weapon, that can compare with the damage that can be inflicted by natural disasters. Flynn has extensively studied the preparation and response of public and private entities to Superstorm Sandy and has found dramatic variations in their resiliency to the storm.
For example, Goldman Sachs, which had recently completed a new headquarters building in Lower Manhattan prior to the storm, stacked sandbags 15 feet high around the facility and thereby prevented extensive flooding. Another large bank nearby, however, took hardly any preventative measures at all and suffered the consequences as a result. “You would think big companies with deep pockets would protect their assets,” Flynn told the audience.
Another example provided by Flynn was the actions taken by New York's Metropolitan Transit Authority (MTA) and New Jersey Transit in the time leading up to the storm. Though the MTA suffered flood damage to stations, the transit authority protected its trains by placing them in shelters out of harm’s way and also kept the majority of its employees on duty to aid in the recovery efforts. By contrast, Flynn said that 345 trains belonging to New Jersey Transit were damaged by flooding during the storm, causing $120 million in damage.
Flynn said that a shift needs to occur in people’s thinking away from protection to resilience. “We have to not be focused on the asset, but the function of the asset,” he said. “A resilience focus keeps you focused on the function.”
To do this, Flynn said that organizations need to:
1) Identify the critical functions
2) Map or model components and operations, and evaluate the boundaries (governmental jurisdictions) and governance of the infrastructure, system or network that provides the critical functions
3) Evaluate vulnerability to the risk of disruption
4) Consider the worst-case scenario and test to failure so as to fully understand the consequences
5) Based on these steps, identify and adopt resilience designs, features, processes and protocols that mitigate the risk of disruption and speed recovery
“This country has no method by which we go and learn after these events,” Flynn said. “We do a lot to invest and protect, but have no plan when it fails.”