As a consultant, I’ve been fortunate to see an increasing number of organizations accept that they need to improve their ability to respond to a range of emergencies and disruptions. While this shift has been slow, it’s becoming commonplace to see diverse organizations adopting the practices and methodologies that emergency managers have used for years, ranging from the creation of dedicated business continuity positions to the widespread adoption of the incident command system. While I’m not ready to unfurl a “Mission Accomplished” banner, I can at least say that the majority of my clients are beginning to realize that having some level of internal emergency management capacity is no longer optional.
Unfortunately, the same can’t be said for my colleagues in the area of cyber-security, who have viewed this change in attitudes with envious eyes, and have begun to display the signs of frustration that were so common among emergency managers a few years ago. While the work of preventing cyber-attacks and breaches from occurring is a never-ending battle, I have noticed that few organizations have integrated their cyber-security and emergency management functions effectively…or at all. In most cases, cyber-security experts know how to respond to breaches at a tactical level, but problems arise when an inexperienced leadership team tries to respond to these events as if they were “business as usual”.
In general, this is a result of how organizations tend to structure emergency management and cyber-security during routine operations. In most cases, emergency management professionals are located within a health and safety portfolio, while cyber-security tends to fall under IT, and never the twain shall meet. However, there is a solution to this, one that I’m starting to see gain traction in several high-reliability organizations. Simply put, aligning these two functions within a well-developed incident management system can ensure that an organization is as effective at responding to network breaches as it is when dealing with fires and floods.
While the type of incident management practiced by municipal firefighters using the Incident Command System may not be the best fit for dealing with hackers, the foundational principles of these methodologies (management by objectives, chain of command, integrated communications, etc.) can still increase the effectiveness of organizations dealing with cyber-attacks. After all, it’s difficult for cyber-security experts to isolate a breach when they’re being bombarded with frantic emails from all levels of the organization. The trick is to ensure senior leaders understand that a disruption, regardless of the cause, is not business as usual. This can often be difficult, but if leaders can ensure their teams adhere to the discipline of an established system, they can ensure a better response overall.