In the digital era, as businesses become increasingly reliant on IT, a potentially devastating cyber-attack or other type of disruptive cyber incident is inevitable. Being prepared is the single most effective action that those responsible for information security can take.
So it's really true. It's not marketing high-level content world-class speakers. We will have the enterprise blockchain day on the 13th of October and onto on the 27th of October securing industry 4.0, both online only, and both for free and a sneak peak towards our hybrid event. The cybersecurity leadership summit 2021, which will be hybrid. It will be also online and it will be in person in Berlin, in Germany from the 9th of November to the 11th. And I would be really happy to meet you there in person. So three events coming up to online only, and for free and the third onsite and hybrid, and looking forward to talking to you soon, that's it for the, for the intro part regarding KuppingerCole very quick, and I hope you find the time to join us in one of these events or all of them, the housekeeping notes, audio control. First of all, the participants are all muted centrally. These are, these features are controlled by, by my colleague and there's no need to mute or unmute yourself, but that does not mean that you cannot contribute. We have polls. We will run two polls during this webinar and Tom and I will discuss the results during Q and a and where if there is Q and a, we need to, we need to have questions. So there will be a Q and a session by the end. And you can enter your questions during the webinar using the question section of the go-to webinar control panel, which is somewhere on your screen, please, please, please do provide your questions. The more, the more specific questions you ask us, the better results you can get from this webinar. I will pick the slides and discuss at the slides, the questions afterwards, together with Tom, after having discussed the polls.
And then you can get the results that you want from Tom or me, recording and slides. Finally, we are recording this webinar and the online version of the podcast, the video will be made available. Short-term usually some time around tomorrow, and we will also provide the slide decks for download so you can rewatch it or recommend it if you want to, to your colleagues and share the video and the link to the video when people registered for that as well. That's it for the housekeeping very quickly. And before we actually start with the agenda and with my presentation, which is not that long, I want to start with a quick poll as we are discussing today, disaster planning. My first question is to the audience and please feel free to answer as openly as you can. How advanced is your organization in defining and implementing comprehensive disaster planning?
We have four options. Not yet started. We were working on it, but we are at an early stage. We are working on it on it and we are well-advanced already, or we already done. We are, we have it designed and implemented and we are working on continuous improvement. Please provide your aunts. And now we have a few more seconds for you to take action a few more seconds, and then we'll close down the Paul and we look at the results later in the Q and a section final seconds and are looking forward to the results because this is of course also important for, for Tom and me to learn where you are right now in your process of defining that.
So we're done and let's start with the actual agenda that we have. And this is a quick overview of the agenda. I will have a quick section about why disaster planning is so crucial in this digital era that we're in then, and you're in for a treat Tom Langford. We'll talk about sailing the seven seas. And as mentioned before we have the Q and a section as the third part, I aim at something below 20 minutes, Tom will then continue with them 20 to 25 minutes. So we have 15 minutes packed of your questions and our answers. So please provide your questions. That would be great. So to have a bigger picture of why disaster planning is so crucial, let's first of all, have a look at what we need to prepare for and to do. So what I did is I went to the international Federation of red, red Crescent societies IFRC and I looked what they define as disaster as hazard.
And they have a quite disturbing list of hazards that they distinguished between natural hazards. And I don't read them out, but if we look at them and especially into the brackets, we will find issues and, and hazards and actual incidents that should look and sound familiar to us as we look at the news and the recent time. So these are not theoretical hazards. These are real hazards. If you look at floods, if you look at tsunamis, if you look at landslides earthquakes, these are really important things to consider when planning for your business resilience. And if you look at the disease epidemics we've been through that, not really a completely. And the other section that the IFRC looks at are technological hazards. So manmade hazards, and so from complex emergencies displaced populations up to, and this is something that I added to the list of cyber attacks, because I think these are technological.
They of course, manmade, and they are really important. And I think Tom and myself, we'll have a look at that as well, including also these aggravating factors where we combine all, some of these hazards that are listed here together to a, to a real stressful situation situation. So this is what we do need to prepare for, but these are the generic aspects that we should look at. If we look at that from a different perspective, let's move more towards what an organization will have a look at when we're looking at at risks at hazards, at disasters, at incidents. And this is usually done by an, a team, a department at discipline that's called enterprise risk management. And they typically, you look at these four categories of, of hazards, of incidents, of dangers, of risks. And of course the first two through the upper left is hazards.
What we have done before this is of course also something that enterprise risk management has to look at, but it goes beyond that. It looks as far as financial risks and they can, they can come from different reasons. So for, from a liquidity shortage of falling prices on the market or changing prices or the supply chain not being available, making prices rise, these are important aspects to look at as well. And these are risks you need to take care of beforehand. Operational risks are all the risks that are related to assets as assets as your customer satisfaction and or the product. And especially if you're providing digital products, operational risks are immediate. It risks. So these are enterprise risks where you need to look at, but also quality management for your actual products would be something that falls into this category and strategic risks are long-term risks.
The risks that relate to the market, to your competitors, your strategic orientation, their strategic orientation, and the achievement of the objectives of your organization. So also these strategic risks need to be taken care of. If we want to take care of that, we need to look at different aspects. I know Thom we'll have a look at that in much more detailed than I do. So I just give a rough overview, but I first look at the non it side before we actually look at it solutions at, at yeah. Technological solutions that provide help in achieving that. The first thing that we think are, is, are important, is actually looking at the key prerequisites and that is team, organization and communication. And we will have a look at that later as well. So having the right people in place, having them around, having them hired, or at least as a contractor, having the right organization to deal immediately when something is identified as an incident and to provide proper communication.
These are three important prerequisites to look at. And I know that Thom will have a look at that in more detail, three essential steps. Once we have the team, once we know what the hazards are that we want to look at, we need to identify what we want to protect, identify your assets, what you want to protect, provide and conduct a proper risk analysis that is essential to make sure that you have the right business areas, processes, systems, applications, whatever, identified to protect next step. Once you know what to protect, protect them, prevent adverse events, make sure that all incidents possible are prevented, but everybody knows it. Cyber security cannot guarantee 100% security. So you need to have also the, the third step in place, actually understanding how to handle the incidents once they are happening, knowing what to do when things happen in the right order and with, from the right people, having right communication in place, et cetera.
So really identify your assets, prevent the events and prepare to handle them three essential steps that we will come back to later. And if we have this typical it side, then we usually talk about prevent, detect, respond. This is this mantra of cyber security. So prevent some bad things to happen, to detect when bad things happen and respond to them. Once they have happened and you have detected them. This, these figures are a bit old, 2018, but things have not changed dramatically. 90% of organizations have invested in two prevention, 55 have invested into detection. So really monitoring your user activities, identifying outliers, unwanted undesirable behavior, to identify the risks once they are manifesting. And only 13%. When these figures, as, as identified in 2018, say we have also a formal incident management plan. That's the reason why I'm so interested in the results of the first poll, because these figures, they do not match well. And the question is how good is prevention and detection? If you are not well-prepared for response and response is often underestimated.
The typical chain of operations that usually will be done once the incident has happened. So prevention has failed. Something has happened. So I don't also, again, read all out, read out all the details, but it's always this process of detection. You know, there is something happening because somebody has told you, I T security, your users, your customers. Then you need to find all the information to make sure that you really fully understand the situation. And that is of importance to get all the signals that you're required to provide this triage that is required for all the next steps. And the next step of course, would then be contain the threat, the incident, make sure that you isolate the systems, not switch them off and let them running, but make sure that they cannot provide further damage. Next step, once they are contained, eradicate, remove everything that is unwanted, be it malware, be it an hijacked account.
Be it some other incident on your systems. If something has been broken, if data has to be deleted, make sure you restore the data, but also restore the systems. Maybe even having backup systems in place that are capable of taking over on the fly. That would be, that would be great. Next step notification, tell everybody who needs to be notified that something has happened for regulatory reasons, for whatever reason, you want to have a look at it. So really make sure that you communicate well and have this communication well-prepared. And finally, the lessons learned part often ignored, but this is especially important when it comes to having a proper incident response management in place review, what has happened, learn from what has happened, make your detection better and make all the other phases, containment eradication better based on your review. So this is really important and you need to be prepared for every step that is on that slide.
And if you are prepared for that and we already get to the final slide of my presentation, we get to the benefits of this proper disaster planning. When you are well prepared. There are lots of benefits because if you have a plan of know what to do, you can start out immediately. And that means faster response. So you can mitigate the costs as faster and react faster. You gain time. You have the time for root cause analysis rather than throwing your hands in the air and trying to understand what, what should I do first backups really important when you have prepared for proper disaster planning, then you will have data and systems as backups of for recovery. You will end up with fewer errors because you have not an uncoordinated, but a well-coordinated team and organization that makes things work hand in hand. Good communication, cooperation, communication.
As I said, predefined pre-written as far as it can be so that you can really pull out the right set of yes, talk, speak, press release at the right time, without thinking too much about it, cooperation with your experts, internal, external, maybe hire somebody, maybe get an international approach when it is required. And finally, a benefit would be the regulatory requirements that they are fully met so that you, for example, can, can keep the notification periods that you need to keep. For example, when we look at GDPR requirements or other data protection regulation requirements, and these benefits are really important, and I think they are, if they are fully understood, they lay a good ground foundation for yeah. For making an organization invest into disaster planning. And that's my final slide now, and we get to the final poll. So I really would, I like to ask you that question and really like to have your answers there as well, all these benefits that are presented or parts of them are they well understood within your own organization and the options quite easily are yes. Well understood and communicated or not yet we need more work to be done, to explain it, to communicate to sea level, to the team, to the, yeah. To the complete set of employees. What is your opinion for your organization? Just it's this well understood this disaster planning, just a, an afterthought or it's is it well woven into your organization?
A few more seconds for this Paul and I'm also looking forward to these results as well. So yeah. How is the, the paradigm understood for disaster planning? Can a few more seconds for you to provide your feedback to this poll? So there we are, before I hand over to Thom, I would like to remind the audience to use the questions panel, to provide us with the questions for our Q&A section. And so that we can the term and I can start out here again. And with that, I would like to hand over.
Thank you very much. We, well, I think the scene has been set very, very well, certainly a lot of work to be done prior to the case of an incident or a crisis. What I'm looking at in this particular talk is, you know, what happens when it goes wrong? It's never a case of if it's, you know, something somewhere will go wrong. If you're a large organization, tens of thousands of people you'll probably have, you know, potentially two or three incidents a week of some kind of scale, you know, albeit, you know, from the very minor through to the very major. But you know, in other cases you may only be invoking your plans once a year, if you're lucky, hopefully a lot less than that. So yes, we're looking at the seven CS and looking at some principles that will allow you to ensure that the plans you have are actually fit for purpose.
So the first things we're going to look at, here's a brief agenda. I will say right now that my marketing people do not like me using this font. It's very difficult to read. So you'll only see this once, but I'm trying to set the scene. I'm trying to make us feel a little bit nautical since we are sailing the seven seas, but we're going to be looking at the terminology, business alignment, business contribution board, and executive leadership industry standards. We're trying to look across all of these five areas to see the best way that we can implement crisis management plans to be as effective and flexible as possible as always very often. I always like to look back in history, look back in time so that we can see how we've actually dealt with things in the past. The first example here is the, the Roman empire.
They used to effectively promote the most qualified person to lead, to be the, the Roman emperor for the period of a crisis. Normally a war of course, or something like that. And it could be a family and it could be a drought or something, but they would promote somebody to be the absolute ruler. What they said goes, they had complete power over the entire resources of the empire during the period of that crisis. When the crisis came to an end, they would voluntarily give up that power, but it did. But what was really key here was it was the most qualified person. If it was a war, obviously it was a senior general or something similar like that. So it was the most qualified person for that particular crisis who then stood down at the end of it. Let's fast forward. Quite a few centuries are to 2010.
I think it was the awful BP oil spill in the Gulf of Mexico. This had a massive ecological impact. The animal life impact human life impact whole livelihoods were lost. Whole coastlines were destroyed. It was a particularly challenging and traumatic time. BP obviously threw a lot of resources at it. And from a technical perspective, they addressed this quite well. What they failed to do though, was communicate well. Their spokesperson, Tony Hayward became well renowned for his work well, awful things that he said. At one point, what's been surrounded by human and animal suffering and this massive ecological disaster. He implored the press to say that he was looking forward to get his life back to normal. So, so very, very deaf to what was going on around him. Of course, that had a massive impact on the perception of BP as a result, no matter what they did to actually fix the problem.
So the actual communications in the optics of a situation are extremely important during some kind of crisis. And let's go back a little bit, 1985, many of us, well, I guess gray hairs and no Hayes may remember this story that the Coca Cola company decided after spending millions of dollars in research and lots of consumer feedback, et cetera, and taste test that they would go into upgrade their Coca Cola, their classic Coca-Cola that hadn't changed to new Coke. They had the data that supported the fact that this new Coke was a much, much better flavor. Nail riots erupted as a, of this and only 79 days later, which is not a long period of time, really everything they did around replacing the old Coke with this new coat was reversed completely a complete U-turn and there and within, I think it was six to 12 months.
They were back up to outselling Pepsi in any other competitors, by at least two to one, if not three to one and more. So it just goes to show that the willingness to listen to the people who are affected the most by something, your customers in this instance, and actually changing a course of action can divert and stop a crisis from, from snowballing and go and beyond going beyond problematic in the first instance. So there's some three examples of how much it's not just about the technology and buildings and things like that, for instance, but actually how you manage it from a slightly more human perspective, you know, be it qualifications to do the job bit, the ability to communicate effectively and also the lack of hubris and admitting that certain courses of action were wrong. And these are all vital parts of crisis management.
We, as it specialists, as as security specialists, we tend to focus on the security, sorry, on the technology more than anything. When actually frankly, the technology tends to look after itself. What we do very badly is actually projecting the right image and making sure the optics are correct. So what are we actually talking about here? What are the, the areas that we're actually looking to address? So there's three ways I look at, or there's three things that I feel are absolutely fundamental when it comes to a crisis management or incident management. The first one is facilities, the actual rooms, the, the offices, the buildings that you operate from. And obviously now that includes people's homes, but the facilities that you operate from the second one is the people. We know that when lots of people get sick and hands up, all those CSOs who up until last year had been desperately trying to get funding for their pandemic plans and then were able to finally say, I told you, so it was going to happen, but it's about people as well.
And then also, as I said, it is technology. When technology fails, we need to address it. So when we put these three together, the, these are the three things that we're looking to address the most. When we talk about crisis management. Now I've already said crisis incident management, there's even terms of coordinator, business resilience, for instance, business continuity, planning, all sorts of terms out there. The key thing is it doesn't matter what you call it, or how many different terms you have for each different elements of say facilities, people in technology what's key is that it's consistent throughout your organization. If you say crisis management and somebody thinks, oh, that just affects people in facilities because actually technology is disaster recovery, but you're including technology in there. That's going to be problematic. Somebody is going to be doing things, not informing the bigger picture because they feel it doesn't form a part of crisis management crisis management can be whatever you want.
All three, one of them, two of them, it doesn't matter. As long as it's consistent, there are some industry standards out there. You know, for instance, I think it's ISO 22, 3 0 1, and I'm happy to be corrected on that. But what we'll actually put labels on this and using industry standards can be useful, but every company is different. Even every language and culture is different, but the key thing here is make it consistent with the rest of your organization so that everybody knows what it is that they're talking about. When you mentioned one F one phrase over the other. So let's actually start looking at the seven CS themselves. Now I present these in a kind of logical order. And to a certain extent, they do happen in this order, but there's plenty of parallel task in that can happen across, throughout this process. So don't feel that you have to finish one to move on to the next, et cetera.
They do continue throughout. But like I say, there is a kind of logical order. Just don't read too much into it. The first one is a command. So I like a ness to making sure just like the Roman empire, you get the right person, the most qualified person in charge straight away, or as quickly as possible. Now that may be the most junior person. It might be the most junior person because they're the one who's qualified to gather people together, be that in a virtual environment or be that because they're from a help desk or whatever, it doesn't matter. They need to have the credence and the approval and the support of senior leadership to demands that these people get together so that the process can start. It could be that within five minutes of that meeting, convening that someone else takes command. But it is a very clear and formal handover of commands that has been done in order to ensure that he's clear who is in charge at any given point.
Like I say, it doesn't matter how junior they are. If they're most qualified at that point, that's the person who should be in command. The second one is control. This is where you try and work out what is going on. Hopefully your procedures will have bought in all of the right people for that particular incident, whatever it might be, a technology, one, a facilities, one or something that affects everything. You need to understand how the incident, whatever it might be is affecting each and every department, you know, and that could be from HR, from legal. What are the implications of the incident to our clients? What are the implications to our staff? What are the implications to our shareholders? Let's understand what is going on. This is the period that is very often likened to the fog of war. You don't know what you don't know.
And so this control is literally about gathering data, gathering information and spending time, trying to ensure that you understand the situation as much as possible. This is where having a single person in command who can actually emphasize one area over another area, task people. Retask people is really important because if you don't get that right picture straight away, you will be in trouble. And in collaboration, this is fairly, fairly obvious in a sense. But the key thing here is there should be no shame or pride in anything that is done, just because the tech may have failed. That doesn't mean that everybody sits on the other side of the table to the CIO, but physically or metaphorically, just because somebody manages to find that crucial piece of information that brings it all together. Doesn't mean that that person is the savior of the day and should be lauded.
This is a massive team effort during a very stressful and emotional time. Egos and hubris needs to be checked before you even get into the room virtual or physical, and actually look to the long-term goals that are set out and agreed upon by the person who's in command to ensure that this crisis can be passed as easily and seamlessly as possible. And then communications obviously establishing communications amongst yourselves. And that could be a physical room where everybody sits or more likely at the moment. Excuse me, more likely at the moment, you know, a virtual war room on a conference bridge that runs 24 by seven until such a time as the crisis is over. So not only is this communications amongst each other, ensuring that everybody has the, the facilities and the time and the forum. So actually get together to, to share what they found.
But it's also about communicating, not just internally to the rest of the company, but externally to it, to be the public. So the regulatory authorities or to the shareholders. The one key thing I emphasize here is whilst the, what you communicate outside to what you communicate inside might not be quite so detailed, might not contain confidential information, et cetera, et cetera. It needs to be the same factually. The same was what's communicated to the rest of the team internally, because anything you share internally, particularly in large organizations, particularly if you are in the limelight or on the front page of a newspaper, heaven forbid you can guarantee that those internal communications will be shared. It's just a natural human traits. Just one of those things. And if what you're saying internally is in direct opposition to what you've said to the public, that will cause you even more problems, always assume that everybody knows what is going on and what the details are.
Otherwise you'll be accused of lying and covering up, et cetera. And so we come to the point where perhaps the crisis has, has come to an end, or it is closing down. We come to change. This is where you actually evolve your processes. You look back at what happened, what went well, what more importantly, didn't go well. And therefore what you change as a result, your plans have to constantly evolve to ensure that you are able to meet the constantly evolving threats that your organization and enterprise face. The other elements of changes. If the process that you're following, the procedures that you're following during the actual crisis, don't seem to quite work, then change them, do what is required as much as possible within the framework that you've decided. But to, to address the problem that doesn't mean you have to follow them blindly or wait a week until it's all over change is something that can happen immediately or after the fact, but use the opportunity to make the process better.
That might mean making it simpler or leaner, more efficient, or even in, in some rare cases, slightly complex to, to account for certain factors. Number six is compliance. Now I mentioned this before about standards and frameworks, and I think the creators of ISO 22 3 0 1 again, correct me. If I got that wrong are actually stated. They only expected about 15% of companies who use the standard to become certified in it. That means that primarily the standard is there for people to refer, to, to give them a baseline and a framework for which they can use to build their own internal capabilities and processes. This compliance element ensures that what you're doing is actually meeting more international standards is actually meeting what your clients might be expecting from you. It even gives you clues. And you know, jumpstarts as to how to even commence a program like this, because make no mistake.
This is a very large program to, to have to deal with, but it's ignored for 99% of the time. And then he's utterly critical when the time actually comes. So using these frameworks and standards is very useful to see that actually what you're doing makes sense. And finally, and I, I think this for me is the most important one complexity. Now, I, I remember working for organization. We don't one of the big five in lovely companies. I think it's big for now, is it? But lovely companies, very good. They produced a business continuity plan for us, which I believe was about 300 pages long, utterly, utterly not fit for purpose. Lovely document looked really good, covered everything to the nth degree, unfortunate. It was overly complex for what we needed. We actually ended up boiling it down to about 25 pages because that was all we needed to get the job done.
That was a, certainly a lesson for all of us realizing that actually we know what we need. We just needed that hand and that a little bit of a support and confidence to actually do it. Hence why I say in the previous step, look at standards. So you need to reduce the complexity of your plans as much as possible without losing the flexibility and the ability to address the problems in hand, you cannot make a procedure for every single thing that might go wrong, because I guarantee you, if you create a hundred procedures, you, the one thing that goes wrong will be the one thing you never actually wrote a procedure for. It is different every single time. And there are different elements and so many variables at play that you're much better off actually looking at this from a keeping it simple framework that allows you to be flexible and address the challenges that you face.
So how do we integrate this into our systems? Well, firstly, what it allows us to do is to communicate upwards to our board or executive leadership and say, this is what we're doing. This is how we're working. We're working these seven CS principles because we're addressing all of these. We strongly believe that our plans are ship-shape forgive me. They also allow you to communicate them across to the company and your recovery teams. These are the seven principles that are in play to ensure that we can address things. This is the part you play within that. So understanding that they do need to step away from command, if they're no longer the most qualified, but actually they do need to check their egos and their hubris at the door before they start. And the reasons why are very, very important. And finally, you can push them down to your business organizations to ensure that they feel that they are represented in those plans as well.
So you can check a business alignment and the effectiveness of the plans themselves. So there's these seven CS allow you to communicate upwards across and downwards through your organization to ensure your plans are as effective as possible. So to the victors come the spoils. My summary here is three points. I always try and keep it as simple as possible. Then I can understand it and possibly remember it. Firstly, as I just mentioned, he picked simple. The simpler your plans are the more likely you are to remember them. If you can condense at some point, the, the starting process of your crisis plans to something the size of a credit card that can be put into a wallet and a purse, you will have achieved so much more than many other organizations. If somebody gets a phone call saying there's a crisis and they can pull something out that fits in their wallet or purse or more importantly goes onto their phone and they know what number to call, what role they play, et cetera, you have made a huge step towards actually addressing this issue.
Standards are useful, but they are not essential by any stretch of the imagination. If you don't know where to start, look at a standard, if you don't know, you know where you are in the middle of your program, look at a standard, look at a framework, see what they're saying, see where they're going. You don't have to adhere to it to the letter. And finally you can use these seven principles, these seven CS to S to validate and to communicate across your entire organization. Thank you very much for your time. I know I've run over just by about a minute and a half. You can contact me at Twitter and this email, if you'd like to discuss offline. But I do believe that we will be going into Q and a now.
Absolutely. Thank you very much, Tom, for your presentation. That was really interesting and entertaining, which is the good part, especially when with, with such a topic, which is, you know, preparing for a crisis, making that entertaining is, is great. My reminder, first of all, please, we have some questions already, but if there are any other questions, especially regarding Tom's presentation right now, please feel free to add them to the questions panel within your go-to webinar software piece on, on your screen. And we will be able to answer them immediately. So, but before we do that, I would like to have a look at the polls that we did before and look at the results. Maybe we can start out with that. All right. So that is okay. Your, your comment when Tom, first of all, before I say something,
Well, starting from the top, I'm glad everybody's got something in place, but working from the bottom, it just goes to show that actually very often these sorts of plans are never thought about until something goes wrong. And actually they are often underfunded under resourced and seen as a, a headache and an overhead very often because they're written, you know, we, we don't get the, the time effort and resource to constantly improve and review them.
Yeah, I would, I would fully agree that the good thing really is not, not yet started at 0%. So that means that incident management disaster planning is, is something it's well understood is in place already. It's not just an afterthought, but there is room for improvement and maybe, or maybe we can contribute for some improvement when it comes to simplicity to brevity, to, to effectiveness and usefulness.
What other things, one of the things to look at here though, is nobody actually has, as an implemented plan, they might have something that's halfway done and they, you know, they could probably get themselves out of it by using it. But according to this, and obviously it's all down to interpretation, nobody has an actual implemented plan,
Right? So maybe that we can, we can have that as some feedback through the questions panels as well, but maybe also that goes hand in hand with mine, with my second poll. So if are the benefits of, of these disaster plans well understood or is there more communication needed? And that is something that you said in your presentation as well. So to get senior management and also in touch with these principles and with what is going on and, and that is fully reflected here as well, right?
Yeah, absolutely. Absolutely. I mean, again, it's down to the interpretation of the question. Not yet means obviously it's been worked on et cetera, but you know, that's quite scary. It'd be, it'll be interesting to see how many people actually, you know, responded here, but it's quite scary to say that, you know, the, nobody said that their plans were understood and communicated internally that that's quite concerning. Again, I know the challenges, I, you know, it almost doesn't surprise me. I know how difficult it is. It's certainly not you judgemental of me by any stretch, but you know, given the what's happened over the last 18 months and the changing working styles and the other risks that brings, I think this is it's it's concerning and we should be rightfully concerned as an industry.
Right. And if you put it positively, it could be called, could be used as a call for action to really, to really change things starting tomorrow.
Yeah. I'll be, I'll be the doomsayer, but you know, you're, you're, you're in charge. You can boop spin the positive on this.
Sure. So the previous, just to both, okay then up to the questions you've, you've mentioned that there's the first question is really important to me. You said this, this large, huge well elaborated business continuity plan did not make any sense when it comes to operationalizing it. So, so how long should such a business plan actually being continuity plan actually be and what should it look like?
Well, I mean, like I said, it could, it could be as simple as a, you know, a credit card size piece of paper with somebody, with numbers and bridges to dial into and connect to when, when a phone call gets made. You know, if you start with that, like I said, you've got it, you've got a major step because if you get the right people with the right skills, able to communicate with each other quickly and efficiently, you're going to fix the problem. There's no question about like you will address the problem. And that's how very often tribal knowledge versus procedural knowledge actually works is because you scrambled to get the right people to actually address the problem. But if you can get them all in the same room virtually or physically to address the problem, you've, you've addressed that one of the largest challenges that there are of getting people bought in to address this.
Then there may well be procedures. And I, I mean, underlying technological procedures, people, procedures, et cetera, but your core crisis plan doesn't need to be massively detailed. It's almost more a set of principles on how you get people together who operates who's in charge and how, how things get done rather more than anything. And then you rely on the procedures that should be in place anyway, as part of an operational organization for how you move from a, you know, a production environment onto a test environments because the production environment has gone down, you know, that should be already produced in the first place. That's not necessarily part of the crisis plan. So plans, I think should be as, as short and as simple as possible, the shorter, the better.
Okay, got the point. But as you said, many of these of these procedures should be proper practice anyway, but if you read the literature, it always says you have to not only have a plan and write the plan and approve the plan, you also have to test the plan to actually execute some rehearsals. And when it comes to, to really being prepared for such an such an event, I think that the benefit of this large document was that there is a simple plan that can be easy to check and can be easily followed and easily tested and checked off. And it's done testing a smaller, lightweight thing. How does that look like then?
Well, the library thing is, is a set of guardian principles that allow you to address the problem in front of you. So there's a number of problems with having that big thick folder of a plan. One is it's often printed off and put on a shelf somewhere or hand it out and put it on the shelf somewhere. And then he finds you can't get into the building where the plans are and you can't access the plans because you know, they're on a service somewhere and you can't get to it because the crisis is the fact that you can't get to the surface, your network is down or whatever. So that's why I say that, you know, whilst those procedures are great in their own isolated areas, you can't have a globally efficient and operational plan. If you can't get to it, if it takes you two hours to read it in the first place to find out what you've got to do.
And the fact is nobody will read it in advance because it's too big and it's too cumbersome. So nobody will even have an idea of where to start. So if you start with simple principles of get us together, establish the sentences or whatever, establish some key principles of this is our problem. This is who's in charge. This is, these are the jobs each of you are doing, et cetera, et cetera. You're going to be in a far better position to address the greater problem whilst empowering the rest of your, to fix the issues, the actual technology or the building or the regulatory or the, or the, the health side of things, whatever that might be.
Okay. Got the point. Interesting question here is, but if you're talking about principles, I assume I can guess the answer then does this change from the target operating model? If you are running in the cloud, if you have, are in a managed service provider environment, do these principles change or it's just the application of these principles, how can we adapt these to different target operating models?
So I, I believe these, these principles apply everywhere. Now, if you were to have these principles in place and then move to a, you know, to a different operating model, yes, you would have to review them. Yes, you would have to make sure they were still relevant, et cetera, make sure that they, they actually took into account these different operating models, but they won't change in to any great degree whatsoever because they're guiding principles, not, you must do this now, shall do that. You know, they're not, they're not a set of procedures that are fixed in stone. They can flex and ebb and flow as required according to the situation.
Right. And we've talked a lot about principles right now. What, what other technologies tools that, that should be used that could be used in supporting the implementation of these principles? W where are the areas where we could look at?
So one of the key areas that I was a revelation for me, and this is going back quite a few years, excuse me, was there, are, there are systems out there and tools out there that allow you to communicate with very large, with a very large group of people across multiple, multiple streams. So be that email mobile phone office, phone, home phone, et cetera, et cetera, even social platforms as well. Now, the fact, if you have one of these set up and integrated properly and have a set of, have a set of templates in there that broadly fits a set of criteria. So this is a tech, not, this is a, a mid-level technology incidents. Therefore these are the people that need to be contacted and sold and so on. Oh, this is a highly, highly critical facilities, people and technology issue. Therefore, slightly more senior people need to be involved. You can actually, we then minutes get people from around the globe onto the same virtual room talking about the, the challenge you face so easy at press of a button at the sending of an email that can trigger these kinds of systems. So for me, that ended up in the very first instance is where if you have limited resources invested in a communications platform that is outside of your organizational structure, because obviously your organizational structure may be affected as well, but can allow you to communicate virtually instantaneously, globally and intelligently at the same time.
Right? I fully agree this, this communication is important because it also will be the communication towards your other stakeholders, your customers, your partners, your supply chain. This is something that really needs to be informed as well. Yeah, we've been, when we talk about crisis management, we always have in mind, these large corporations, so huge enterprises, it's it's there, is there a limit for this, this business continuity incident management, recovery procedures being in place when it comes to the size of an organization and do these principles change in the applicability, or how do you, how would you deal with the different sizes of organizations?
Yeah, that's a really interesting one because I think obviously the smaller the organization, the less likely they are to have any kind of formal process in place, let's face it. You know, when something goes wrong, everybody, you know, in a 10 person company, everybody there probably has some kind of personal stake in the company. And he's just going to come in and fix the problem. Tribal knowledge. Only one person knows how the database works. Only one person knows how the network works, et cetera, very difficult to actually document something in situations like that. Just knowing what the seven C's are, will help just having those as principles of, okay, you're using command. All right, let's get control. Okay. Let's start collaborating and communicating to make sure that this thing is done. You could ostensibly, and I've not seen this in practice, but I don't see why it wouldn't work. You could, your plan could just be the seven seas in very small isolated instance like that. Obviously the larger you go, the more, you know, if you're communicating with a large group of people and whose phone numbers, you don't know whose emails you can't remember off the top of your head, who's who you've never met before in your life. That's a very different situation. And obviously you're going to need more detail and more potentially a third party technology to support that,
Right? So we're getting close to the end of this webinar. If we both were to provide a single recommendation as a, as the call to action, as we discussed before the what I start out very quickly, I would really say gain transparency and, and achieve communication with those who need to be aware and to pay for it. So really involving the senior management and making, having, having that backing from them would be one thing to do. Now, if it has not yet started, this is nothing to do at an it department or risk management level.
Yeah, absolutely. I would say any crisis is incredibly emotional, incredibly stressful, and can last for days, weeks, and months at a time. So the simpler you keep your planning the better, the more likely you are to be able to just get on with the job in hand, rather than checking to see if you're doing it the right way, or, you know, if the process has been followed to the letter, keeping it as simple as possible for me is the most important thing.
Perfect. And that's a great summary also because I think that sums it up very, very efficiently than the simplicity. And then the applicability of these simple principles. I think that is the starting point. Thank you very much, Tom, for that great presentation for the greatest question afterwards, if there are any more questions coming up, I think they can get easily in touch with you. You've mentioned Twitter. They can get in, get in touch with me also within Twitter. My Twitter handle is all around the website at KuppingerCole. You can find me easily and we are looking forward to having more feedback to talking to you and being responsive for, to the audience. If there are any other questions for the time being, thank you very much, Tom, for being here today and for presenting yourself and seas.
Thank you very much. It's been fun.
How can we help you