Security Management Under Crisis Conditions

Security Management Under Crisis Conditions
June 3, 2009, 1:40 - 2:40 PM

Transcript of Security Management Under Crisis Conditions

Page 1: Security Management Under Crisis Conditions

Security Management Under Crisis Conditions
June 3, 2009, 1:40 - 2:40 PM

Page 2: Security Management Under Crisis Conditions

© M Corby & Associates, Inc.

Summary

• This session will present several alternatives to maintaining an effective and compliant security program despite changing budget limitations and staff reductions.
• Success in the past several years has depended to a great degree on how well your program can weather the requirements to cut spending and headcount in response to the almost universal economic downturn.
• In 45 minutes, you will have a plan for responding to Board and Executive demands for reducing security budgets. Many of the tools and techniques will actually provide for permanent changes that can reap eternal benefits. Others will provide you with effective measures to keep a program (and your career) on track until the recovery happens.

Page 3: Security Management Under Crisis Conditions


What Constitutes A Crisis?

• Is a Crisis something that happens by surprise?
• Does a Crisis need to result in permanent change?
• Can a Crisis become an opportunity?
• Must a Crisis exist to create an effective solution?

Page 4: Security Management Under Crisis Conditions


Surprise! Crisis

Name a Crisis ________________
Was it a Surprise? Yes or No
How long did it last?
Was its duration a surprise?
Will it happen again?
Will it surprise you if it does?

Page 5: Security Management Under Crisis Conditions


Crisis = Permanent Change?

• Fact: Crisis Responses always create change
• Fact: The change lasts until the next change
• Fact: Change itself can be a crisis
• Conclusion: Life is hard, and will probably not get any easier
• Action Item: Get ready for continuous change

Page 6: Security Management Under Crisis Conditions


Crisis Opportunity?

Examples of Crisis Conditions creating Opportunity

Oil Price Fluctuation ->
Tainted Tylenol ->
Hazardous materials in toys ->
The Victoria’s Secret Fashion Show ->
Your own story ->

Page 7: Security Management Under Crisis Conditions


Crisis Dependent Solution?

• Can real change occur without a crisis?
• Maybe it can.
  – The Personal Computer
  – The Internet
  – The PDA
• Maybe it can’t
  – Energy efficient automobiles
  – Encryption
  – Digital Identification
• Who Knows?
  – GPS
  – Anything else?

Page 8: Security Management Under Crisis Conditions


What Can We Do?

• Insure
• Defend
• Anticipate
• React
• Nothing
• Blame

•• BlameBlame

Page 9: Security Management Under Crisis Conditions


Insure

• Cyber security/Errors & Omissions insurance
  – Several carriers
  – Fairly Expensive
  – Covers Direct Operating Costs, Legal Costs and Judgments
  – Does Not Cover Brand Damage and Reputation

Page 10: Security Management Under Crisis Conditions


Defend

• Build up defenses
  – Works for some natural disasters
  – Alternative sites, suppliers, infrastructure
  – Cannot help defend from global issues (Oil crisis, tainted supplies, general distaste)
  – How much are you willing to spend on a lottery ticket?

Page 11: Security Management Under Crisis Conditions


Anticipate

• Conduct a comprehensive risk assessment
  – People
  – Process
  – Physical Plant
  – Technology
• Include the whole industry, not just yourself
• Develop alternative scenarios to handle each condition
• Time consuming and costly
• You must be “spot on” to be successful

Page 12: Security Management Under Crisis Conditions


React

• Create advance warning signs
• Organize a response team to interpret warnings
• Meet frequently (daily?) to determine best course of action
• You can’t take advantage of advance planning
• Product/service approvals are impossible

Page 13: Security Management Under Crisis Conditions


Nothing

• Cheap
• Faith in the environment and your good fortune
• May be appropriate if competitors are:
  – Non-existent
  – Inept
• Or if you…
  – Are within a few months of retirement
  – Have a massive guaranteed bonus

Page 14: Security Management Under Crisis Conditions


Blame

• Take out three envelopes
• Get your attorneys on board
• Be swift and decisive before people figure it out

Page 15: Security Management Under Crisis Conditions


How Can We Anticipate?

• Look at the result not the cause
• Establish parameters that trigger the response
  – Be able to measure accurately
  – Try to define corroborating data points
• Train people and practice
• Presume your competition is doing the same

Page 16: Security Management Under Crisis Conditions


Reaction Procedure

• Define process as thoroughly as possible
• Have assigned key people managing the process
• Enter into agreements with qualified external services who know your program
• For all reactive processes, create a sunset program to return to normalcy

Page 17: Security Management Under Crisis Conditions


Signs of a Perilous Program

• Looks only at reducing costs
• Conveys “survival mode” mentality
• Discussed only in executive “closed door” sessions
• Makes no provisions for the opposite reaction to each potential change in
  – Demand
  – Resources
  – Support services
  – Funding availability

Page 18: Security Management Under Crisis Conditions


Indicators of a Successful Strategy

• Focused on a story “after the smoke clears”
• Attention to reputation and brand image
• Smooth path to “ramp up” to normal operation
• Deliver 100% of service for less than 100% of the scope, not vice versa
• Don’t get caught napping by:
  – Regulations and government oversight
  – Zealous competitors
  – Foreign companies and governments
  – Employees jumping the ship (and taking the doubloons)

Page 19: Security Management Under Crisis Conditions


Questions?

Michael J. Corby, CCP, PMP, CISSP
[email protected]
(508) 892-2980 (O)
(508) 873-7488 (M)
(774) 452-4545 (Blackberry)