X-Events: The Collapse of Everything

Author: John Casti

The book is written “For the connoisseurs of unknown unknowns” and is divided into three parts.

The first part – Why ‘normal’ is not normal anymore – introduces complexity theory. The central idea is that every system has two (or more) sides, for example the service delivery of an organization has an organization side and a customer side, and each side has its own degree of complexity. Without going into formal definitions of complexity here, an intuitive example is the delivery of electricity in the USA. The demand side is very complex: different quantities, different times, different needs that have grown over history into a highly complex system. Supplying it, however, is an outdated infrastructure with low complexity compared to the current state of technology. Between the two complexity levels there is a gap, which according to complexity theory is a source of vulnerabilities and can trigger an extreme event that forces the system back into balance, for example a blackout. The example is a simple but obvious illustration of the theory. The best solution for the continuity of both the customer side and the supplier side in this case is to raise the complexity of the supplier side until it matches that of the customer side; in other words, a technical upgrade.

The first part ends with seven complexity principles:
– Complexity: The main characteristic
– Emergence: The whole is not equal to the sum of the parts
– Red Queen hypothesis: Evolve to survive
– There is no free lunch: A trade-off between efficiency and resilience
– Goldilocks principle: The degrees of freedom must be ‘just right’
– Incompleteness: Logic alone is not enough
– Butterfly effect: Small changes can have huge consequences
– The law of requisite variety (this is the important one): Only complexity can control complexity

Part two is a collection of 11 chapters, each dealing with a separate case, showing in each case where the complexity gap lies and how a disaster can arise from it.

In part three, the author argues that the width of the gap, or the excess of complexity, can be seen as a new way of quantifying the risk of an extreme event. He does this, however, without really going into formulas.

Finally, the author determines three principles with which the gap can be made smaller or can be prevented.

– The first principle is that systems and people must be as adaptive as possible. Because the future is unprecedented and increasingly dangerous, it is wise to build infrastructures with a large number of degrees of freedom, so that you can counter, or make use of, whatever you encounter.

– The second principle, resilience, is closely related to the first, adaptation. With it you can not only absorb hits but also take advantage of them.

– The third principle is redundancy. This is a proven method in the safety and security sciences to keep a system or infrastructure running when faced with unforeseeable and foreseeable shocks. In practice this means extra capacity that is available when, for example, a defect occurs.

Exponential Organizations

Authors: Salim Ismail; Michael S. Malone; Yuri Van Geest

Humanity has been busy with productivity since time immemorial. Production provided people with scarce resources that were, and still are, worth a lot because of their scarcity. In the last decade, the Internet has come to the forefront, bringing with it the concepts of “Creative Destruction” and “disruptive technology”. Fifteen years ago the big companies usually regarded the Internet as “a phenomenon of the time”. Nowadays, once exponential organizations have been explained to them, they realize that the Internet is a phenomenon that is only the beginning of everything.

But what are they, those “Exponential organizations”?

They are usually small organizations that make use of the latest technology to come up with new solutions for market demands, for which solutions sometimes already exist. Through the new application they conquer the market in a very short time, in an exponential way. Examples include smartphones and tablets, which have given the photography and paper newspaper industries a problem.

The “nice thing” about this phenomenon is that, because technology has become a common good, an adolescent in a garage can come up with an invention that turns the world of a gigantic company with thousands of employees upside down in a very short time.

That is why it is important that all organizations transform themselves into exponential organizations and disrupt themselves. Because if they do not do it themselves, someone else will. Hence disruption as a means of risk management and business continuity.

In the book, which is the result of a study by SU (Singularity University), the authors give a number of points of interest. These are summarized by the mnemonics MTP, SCALE and IDEAS.

Very important is that, in contrast to large monoliths, the small ExOs are organized lean and mean. The book does not go very deep into this, but large monoliths can also benefit from these advantages by collaborating with existing ExOs or by creating ExOs at the edges of their own organization.

Good Practice Guidelines – 2018 Edition – The Global guide to good practice in business continuity

Published by The Business Continuity Institute

This edition of the GPG differs, by its own account, in numerous ways from the 2013 edition. Some of the differences that stayed with me are:

– More collaboration of the BCM employees with employees in other management disciplines.
– The supply chain has been integrated more into the story.
– More links are being made to ISO standards.
– Risk assessment has gained importance.

There are other things that have changed and are noticeable:

– Throughout the work, the link is regularly made to information security, but without referring to the ISO 27K series.
– The BIA is still a 4-tuple, but its mandatory character has been changed to “use what you need”.
– A distinction has been made between crisis management and incident management.
– There is a better explanation of strategic, tactical and operational plans in times of crisis, however without mentioning that the choice between them also depends on what one needs. This part remains theoretically sharply separated.
– Here and there is a beautiful table with more explanation of what is meant, such as the table of specific core competences and management skills required of the person responsible for BCM, divided according to the 6 professional practices.

In the book, extensive attention is given to PP6: ‘Validation’. Exercising and validating the operation of the organization’s BC program is very important, as the keystone that closes the cycle and restarts it.

In summary, we can state that the book is important for beginners in BCM, but also for the advanced as a reference book.

What I personally regret is the lack of a bibliography for each chapter. For further reading I have the feeling that interested readers are somewhat abandoned. But then there is the URL of ‘The Business Continuity Institute’ where you can find more information (www.thebci.org).

Business Continuity Strategies – Protecting Against Unplanned Disasters – Third Edition

Author: Kenneth N. Myers

In this book, the author discusses strategies for addressing two classes of catastrophic crises that can happen to an organization: the failure of computers, and violence and terror in the workplace.

Regarding the first class, the author repeatedly argues against two things:

– Deciding too easily on a disaster recovery site where all business software is duplicated.
– Asking the business people the wrong questions when determining the BIA.

As far as the latter is concerned, consultants turn out to be asking the questions in a structurally wrong way. For example, do not ask:

– How long can you do without a PC?

Because then the answer is always something very short, like “24 hours”.

Ask the question differently, by confronting them with an actual situation that has occurred:

– IT and the server network are unavailable for 14 calendar days. What are you going to do, and what do you need, to continue or save the business?

With this different way of asking the questions, the business people become much more aware of the problems that might arise and they start thinking more carefully.

The author also gives a number of examples of alternative approaches for various departments in an organization during times of crisis, which can be applied in a large number of companies. These are meant to temporarily bridge the PC-less period, the time that the ICT department needs to get everything up and running again.

In this book the author tackles the question in a solid way. The first chapter is therefore about defining the issue. Then come the chapters on computer problems and violence in the workplace. Then he gives some advice on how to approach a contingency plan. He also gives some attention to awareness and training.

Apart from the number of examples of alternative practices in case of a computer outage, what a disaster recovery site is good for and what it is not, and how the questions need to be asked to the business when drawing up a BIA and the related contingency plan, the book remains theoretical at a good level. It therefore places itself at a level above that of beginners.

Business Continuity Management – Building an effective Incident Management Plan.

Author: Michael Blyth

In this book the author works steadily towards his goal in the first three chapters: demonstrating the importance of Incident Management Plans (IMP), in addition to a BCP.

In chapter 4 he then describes the inevitable: “what if?” is the key question for some 40 cases, each of which is explained in text form, with chapters 5 and 6 providing the promised basis for elaborating the plans and questionnaires.

Chapter 5 gives the guidelines for the plans, which follow the principle of a triptych: a first table is filled in to get an idea of which (part of) the organization is involved, an outline of entity, place, time … Then the steps to take are listed; these have been drawn up as a so-called “Guideline”, not to be followed slavishly but to be interpreted. The third part of the guidelines forms the framework of suitable organizations and key persons that can be contacted.

Chapter 6 provides questionnaires, one per IMP, that can be used to assess the situation, in addition to the questions of “SAD CHALETS”, the mnemonic used by the English police to get a view of a situation. This chapter also contains a template for a risk assessment that can be used during the crisis to estimate how the crisis will evolve.

The book also contains a URL with a password, where you can find the English text of chapters 5 and 6 as a Word document, for further development tailored to your own organization.

The book is thus actually a book for doers, with, to a limited extent, an introductory theoretical exposition.

However, in terms of an IMP for cybersecurity it has not been worked out enough (which I think could have been a separate piece). Other threats have been worked out. Some threats are becoming more and more relevant for organizations in the USA and elsewhere with the current climate changes. Others are more universal in nature.