To view this article in its original location, please click here.
There’s no doubt that threat intelligence is a hot topic today. The debate goes on about how best to collect and analyse information to identify existing and emergent threats. Attacker techniques and capabilities are scrutinised to draw up plans for defence. Software applications allow organisations to draw up ‘attack trees’ to methodically describe the security of their systems. These methodical approaches have merit because they encourage organisations to think through different scenarios and reinforce their business continuity management appropriately. However, threat intelligence also needs to go further. It needs thinking that is ‘outside the box’ (or outside the system).
Part of the challenge in effective threat intelligence is its narrow definition. The term ‘threat intelligence’ in business commonly refers to attacks on information assets (data, systems, IT and networking infrastructure). ‘Business threat intelligence’ and ‘strategic threat intelligence’ also refer back to the IT-oriented view of the world. With IT now such an important part of professional life, it is natural that it should be a focus of threat intelligence. But limiting the discussion to IT-based techniques designed to uncover IT-centric threats would be dangerous for at least two reasons.
Firstly, attacks on information assets are not always IT or even technology-based. Social engineering and simple theft of mobile computing devices have proved that point. Threat intelligence therefore needs to cover a wider span of possibilities (including someone trying to set fire to your data centre for instance). Secondly, threats in general to an enterprise or an organisation go beyond incidents in IT servers. The SWOT (strengths, weaknesses, opportunities, threats) acronym for instance is used in business planning. It takes into account financial, market, regulatory and competitive threats, among others. All of these are important for business continuity too. So while you gather your (IT) threat intelligence, remember to look at threats beyond IT to keep your business continuity effective for the rest of the organisation as well.
In business continuity we often discuss objectives, processes, systems and technology. But of course people are also a key part of how most organisations function. While stop-gap solutions and third-party assistance may save the day and keep operations going on a short-term basis, employees provide the creativity and innovation to keep a company viable for the longer term. So for everybody’s sake and for good business continuity, it makes sense to create a work environment in which employees can react constructively to emergencies and perform optimally at other times. For this, one theory says “don’t do more, but less”.
It’s called the 70 percent rule (now you can see where the 30 percent in the title came from). The idea is that productivity and motivation can both increase if people work at a less intense pace than ‘full-on all of the time’. Sportspeople know the wisdom of this; in fact, athletics was where the rule originally came from. Arnold Schwarzenegger for instance consistently followed a routine of one day on (working out) and one day off (resting) to become a body-building champion, before turning his talents to acting and politics. This kind of alternating routine can prevent injury for athletes and burnout for other professionals.
Practically speaking, the 70 percent rule in an organisation can be applied by working smarter instead of harder, taking the vacations and breaks that should be part of the job anyway, (politely) refusing unreasonable work demands and leaving a part of the working day unscheduled. Improved output and less work sounds like a dream. The 70 percent rule says you can have both, starting with less work! If there is a temporary peak in a workload or a crisis to be handled, employees then also have the additional capacity that can make the difference between business continuity and discontinuity.
Have you met the management acronym AOSTA? It’s a nice one to know, because it links assignments all the way through to actions (we’ll explain below), providing a handy checklist for business continuity practitioners in particular. It is also the name of a picturesque town in the Italian Alps, with picture postcard images that can make a handsome PC screensaver and handy daily reminder! But let’s talk about why AOSTA can help you to get business continuity right by using it both forwards and backwards.
Here’s what AOSTA stands for:
- A is for Assignment. This is what people ask you to do or what your boss instructs you to do
- O is for Objective. This is what you really should do. Hopefully it’s the same as your assignment. However, if you see divergence between what is asked for and the business continuity your organisation really needs, be prepared to politely but firmly argue your case.
- S is for Strategy. This is how you will win the war, so to speak, so that your business continuity objectives will be properly met. It’s your overall plan, like deciding to use outsourced or cloud-based resources to do secure data backups, run important enterprise applications, and so on.
- T is for Tactics. Each battle to be fought may need its own approach, and these are the tactics you use to win it. For example, to get the Finance department to agree to move its accounting to a cloud-based platform, you show them possible cost-savings as well as improved availability.
- A is for Actions. This is the list of things to be done, such as reviewing cloud service providers and selecting one, organising and completing application migrations and so on. Some actions will be yours, but others will be done by the different departments concerned.
The beauty of laying out the chain like this is that you can also use it in the opposite direction. If you are thinking of a particular business continuity action, you can check to make sure that it really does relate to a tactic that supports a strategy that helps to achieve a useful BC objective.