KBKAST
Episode 294 Deep Dive: Fred Thiele | Importance of Cyber Security for Business Resilience
First Aired: February 12, 2025

In this episode, we sit down with Fred Thiele, Chief Information Security Officer from Interactive, as he discusses the importance of cybersecurity for business resilience. Fred delves into the concept of business resilience, emphasizing the need to prepare for worst-case scenarios to ensure continuity during crises. He explains that understanding critical systems and establishing a clear decision-making framework are essential for effective business continuity management. We also discuss the increasing reliance on technology systems, the importance of scenario training to build muscle memory for real-life incidents, and the challenges companies face in adapting to dynamic cyber threats.

As Interactive's Chief Information Security Officer, Fred is responsible for Interactive's organisational cyber security and for supporting Interactive's customers to build resilient cyber security solutions.

Fred has always been interested in systems: whether it's the mechanics of a car or the application layers of network architecture, he enjoys understanding the end-to-end process and enhancing its capabilities.

Whether defending a small business or a national grid, Fred focuses on proactively building the 'castle walls' of cyber defence to prevent incursions, rather than relying on ad-hoc threat responses.

Over three decades in the industry, Fred has found that cyber security isn’t just about protocols; he sees it as a holistic mindset that empowers us to thwart threats at every level, safeguarding our digital landscape.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Fred Thiele [00:00:00]:
When you talk about business resilience or, dare I say, business continuity, it's a bit of an old school term, and it conjures up images of people dusting off an old binder in the corner and trying to understand what their core business is. And it's not exactly on top of everybody's list. But as security folks, we tend to get a bad name because we tend to think about the worst things that can happen, and we can be pessimistic. I prefer realist, but, you know, by thinking about the worst things, you really do get yourself prepared for the worst. And then the better you're prepared to handle those things, the better you're gonna be prepared to keep your business running in a time of crisis.

Karissa Breen [00:00:49]:
Joining me today is Fred Thiele, chief information security officer from Interactive. And today, we're discussing the importance of cybersecurity for business resilience. So, Fred, thanks for joining and welcome.

Fred Thiele [00:01:04]:
Thanks, Karissa. Thanks for having me.

Karissa Breen [00:01:06]:
Okay. So let's talk about business resilience. So everyone talks about cyber resilience, now business resilience, but what's your sort of definition? Or how would you define business resilience in your words?

Fred Thiele [00:01:17]:
I take a pretty simplistic approach to most of this stuff. And to me, you know, business resilience is really about the ability, how it is that you protect your core business, and the ability for your core business to operate under a wide variety of adverse scenarios. So I don't know who said it, but somebody said it: hope for the best, prepare for the worst, and be unsurprised by anything in between. And I think that's kinda how I like to think about it. You really prepare for the worst thing that you think could possibly happen, and, you know, that normally prepares you in the business for, you know, whatever may come. And then if you are prepared for that, then nothing in between is really gonna surprise you, and you'll be able to sort of ad lib and continue to keep the business running through that particular business resilience period.

Karissa Breen [00:02:04]:
So you said before, prepare for the worst, or the worst thing that could happen. Would you say people are thinking like that? The reason why I ask that question is simply because everyone's trying to keep their head above the water. Look, now it's Christmas time. Everyone's trying to get everything done. Do you think people are sort of sitting back and saying, oh, well, you know, what is the worst thing that could happen? Or are they just so busy with their day to day that sometimes these conversations are sort of pushed down the proverbial laundry list?

Fred Thiele [00:02:27]:
Yeah. I think they do get pushed down quite a bit. And, you know, when you talk about business resilience or, dare I say, business continuity, it's a bit of an old school term, and it sort of, you know, conjures up images of people dusting off an old binder in the corner and trying to understand what their core business is, you know, what kind of applications they have, what's really important to them. And it's not exactly on top of everybody's list. But, you know, us as security folks, we tend to get a bad name because we tend to think about the worst things that can happen, and we can be pessimistic. I prefer realist, but, you know, we can kinda think about the worst things that happen. But, you know, by thinking about the worst things, you really do get yourself prepared for the worst. And then the better you're prepared to handle those things, the better you're gonna be prepared to keep your business running in a time of crisis.

Fred Thiele [00:03:17]:
So I do think it gets pushed down. I do think everybody's really, really busy, but I do think it's also important to take the time out and, you know, really understand where you are. What are your most business critical applications? How do you protect those things? When was the last time you tried to operate without one of those, or ran a scenario on those, for example? And a lot of those can come in really handy when you're speaking to ELT or boards. They tend to really like to see that business continuity in action because it's no longer a matter of if, but when, as we all know.

Karissa Breen [00:03:49]:
Okay. So the operative word you said is prepared. So everyone on this show, just in general, you know, we gotta get prepared. We gotta get, you know, an IRP, like your plan, and we gotta practice it. But then I feel like sometimes when push comes to shove, like getting a plan and all of that and practicing it, but then when you're in the real life incident, some of those plans go out the window. So what would be your approach around getting prepared? Because we can get prepared all we want, but sometimes when, like, it's the day, the plan and the preparedness sometimes gets missed.

Fred Thiele [00:04:19]:
And I think this is where the ad lib comes in, or where the be unsurprised by anything comes in. Because if you have the right people who are trained up, and maybe you can dream up a hundred things that could go wrong with the business, maybe just focus on the top five things that could go wrong, and you get everybody trained up. You get everybody understanding what does happen when these really important business applications go down. What does happen when we can't provide our core business to our customers? And you run through a few of those scenarios. It's not just about running through the scenarios. It's about understanding things like, what's the decision making framework when bad things happen? Who's in charge? Why are they in charge? What decisions do they make? What authority do they have to make them? What decision do you have in that decision making framework as a CISO or a CIO or a CFO? And when people understand their roles and they're trained up properly, you know, you've got the technology, the people, and the process, like everything else in tech and within a business. And the more that those people are trained up, the better you'll be able to ad lib. And maybe you didn't cover the step by step scenario that does present itself someday, but you have the right people in the room.

Fred Thiele [00:05:32]:
They’re trained up in how it is that the business continuity framework works. They’re trained up on who gets to make decisions and why and how. So all of that comes together into a machine that can take on and be unsurprised by anything that might present itself.

Karissa Breen [00:05:47]:
Okay. So I wanna go back to decision makers. So one thing that you would know, and we've seen this in breaches when you're trying to get a response, but sometimes, you know, obviously working in media, there was a large retailer, they got rage, etcetera. I was trying to chase them for a comment. They eventually gave it to me, but it was like, oh, I have to ask general counsel. It was like, general counsel is not a cyber person. Right? So it's like, we try to make these decisions, but sometimes the decisions are in the hands of people that don't necessarily understand how all of this works to the nth degree.

Karissa Breen [00:06:17]:
So how do you sort of divvy up the pie where it's like, okay, this person's responsible for that? There's a lot of interdependencies with these things, but how do you manage it where it's like someone has to make a decision? However, is the person making the decision informed?

Fred Thiele [00:06:32]:
Yeah. And there is a bit of an art to that, but I think, you know, by defining what roles you have in a room and what those roles can decide or can't decide, technical decision making, for example. So some of the things that I've seen in business continuity plans in the past are things like, you know, you would typically have, say, during a cyber incident, a cybersecurity incident response plan that's very specific to, say, a cyber incident that's running. And that's gonna be very different from what the overarching business continuity plan says. Business continuity is, how do we keep the business running? What do we need to do if these applications or services or people aren't available? What's the alternative, etcetera. But when you're dealing with a cyber incident or any kind of specialized skill set, could be, you know, if your physical security, could be terrorism, bombings, that kind of thing, whatever the specialty is, you need to have playbooks for those things so that when the general counsel comes or the CEO comes and says, hey, we need to talk to our customers and make a decision on how to communicate with our customers, you're having the right people in that decision making framework.

Fred Thiele [00:07:38]:
So the specialty skill, whether that be the CIO or the CISO, comes in and says, look, here's where we are with the incident. Here's the rundown. We're following our cybersecurity incident response plan. And you can feed into the right place where that decision gets made, whether that be with legal counsel. Let's say you've got some privacy concerns about something, or, you know, you need to communicate with your customers about a contractual requirement being missed, or maybe the CEO needs to go out with messaging to all the customers because the service isn't available. If you've got the right people in that room, you can give all of the information, or provide what we like to say in cyber is all the situational awareness for that particular scenario, so that the decision can be made knowing as much about what we know at any given point.

Karissa Breen [00:08:31]:
So you mentioned before, Fred, keeping the business running. So one thing that you, and you would probably know this more than myself, but one thing that's coming up a lot in interviews and just conversations is recently with the outage that was there. That sort of was interesting because look at Delta Airlines, like how much it impacted their business, not being able to operate all of their flights, and how much revenue they lost due to that, and forget about reputational and all the other things, but just the business not being able to run at all, how much that impacted them. So do you think now the shift is we have to keep things running at all times, and we are beholden to a lot of these technology companies out there? But would you say that now the conversation is shifting towards purely the business can't stop, so therefore, and people have seen it happen multiple times, not even just an incident, an outage. And now I've seen people's mindset change a lot. Do you have any insight on that front?

Fred Thiele [00:09:28]:
Yeah. I think, you know, you refer to the outage, and that was, you know, I don't know if that's gonna be a once in a lifetime type of event. You can certainly imagine a scenario where it could happen again. But it's all about understanding what is core to your business and, you know, in business continuity terms, you refer to it as a C1, C2, C3, criticality one, criticality two, criticality three type of process or technology that runs your business. There's an understanding around each one of those classifications of, you know, how long can you go without having this process in place. So for example, you might classify one of your criticality one systems as something that you cannot operate the business over four hours of outage, for example. It might be that critical, whatever that might be. Could be, you know, flight terminals or, you know, gate information or whatever it might be from an airline's perspective.

Fred Thiele [00:10:19]:
I can give you an example. You know, we had a fairly big cyber incident that ended up taking out all of IT. So whether it's laptops, servers, applications, and this was a business that had, I don't know, 40 or 50 some business applications that were running at any given point. All IT gone. When I arrived at that company, their business continuity plan was basically one line: fall back to pen and paper. And you can't help but look at that and go, okay, well, it seems to be a fairly easy business continuity plan. How doable is that actually? You know, so there was a lot of work around the BC plan for that particular company.

Fred Thiele [00:10:55]:
But then when the stuff really did hit the fan, that's exactly what they did. They went straight back to pen and paper. They're a bit of an old school business, so they were able to do that. Now the key was not that there was no IT and those were all critical systems. Sure. They were. The key is how long can you actually operate your business on pen and paper, or within that business continuity scenario. Right? Because what ends up happening is that you might run really well for the first hour or day or week or whatever, but over time, the business starts degrading.

Fred Thiele [00:11:29]:
And, typically, that's kind of like a hockey stick type of degradation where you're chugging along, everything's fine, fine, fine, and then it kinda gets a little bit worse and a little bit worse, and then it gets a lot worse. Because all of the things that you rely on, whether it be, you know, things that happen on a weekly basis automatically within your technology and processing systems, those aren't available anymore. And so in this particular scenario, IT was gone for five or six weeks. This was a company that really needed a lot of those systems. It was a safety critical operation. So when those aren't available, or you have to fall back to manual transactions for a period of time, those really start degrading the company. So if you go back to the outage, if the outage was more than, you know, six hours or whatever it ended up being before things righted themselves a bit again, I know some people had a longer period of time than that, but, you know, you should be able to evaluate those systems and go, where are my single dependencies? If I didn't have those, how am I gonna continue to operate the business? And for how long can I reasonably operate the business under those conditions before I really start to feel the pain? So nothing's gonna be 100% up, and you're never gonna have 100% uptime. But the key is to really understand what those critical systems are and how long you can operate without them under those conditions.

Karissa Breen [00:12:41]:
So going back to the pen and paper, how long was it? Did you say four to six weeks that they could operate like that?

Fred Thiele [00:12:48]:
Yeah. We ended up operating like that for, I think it was five or six weeks. And that really started to hurt. The people were hurting. The systems were hurting. Things started to fall out of date fairly quickly. There was a lot of pressure to get everything back up and running.

Karissa Breen [00:13:03]:
So then going back to your comment around reasonably operate, wouldn't you say, with today and how things are built, it'll be quite instant that people would start feeling the pain? Four or five weeks cut, I couldn't even imagine the majority of companies handling that at all. It'd be a few hours, if that, before people would start to feel pain. Even when the telco incident happened, I didn't have any internet. I couldn't do anything. So even just that impacted, because I couldn't even make, I think you could make phone calls, but that was it. So with that reasonably operate, people would just be impacted straight away, wouldn't you say?

Fred Thiele [00:13:38]:
Yeah. Again, it depends. It depends on what the service is. Obviously, telco, internet, people are gonna notice that straight away. You know, when your flights aren't taking off on time and there's four hour delays or three day delays, yeah, that's impacting people. Right? That's huge. So I think there's thresholds, and it's really important for businesses that run those kinds of critical systems, those time critical systems, to know what those dependencies are. And you may or may not have a backup plan.

Fred Thiele [00:14:03]:
Right? But part of this is just knowing and understanding, okay, this is a really critical system. If this widget, process, set of people goes away, whatever the case may be, my business is going to be hurting. But just knowing that, often just getting to the bottom of that with all the complicated systems that we all have in place to run, say, in the airline business, the orchestra that is, you know, takeoff and landing. There's a million different things that happen, and all of those are interconnected. So understanding what those real process points are that will absolutely kill the business and, you know, impact people, it's really important to first understand those, because I think a lot of companies just simply don't understand where those pain points are within their massive infrastructures or processes. But two, if you've identified those things, then what is the fallback plan? And, you know, one of the things that's really interesting about first identifying those systems is that you can then take those to ELT or board and say, we've identified these systems, and we have zero backup plan if they ever go out. And you can test that. You develop a scenario to see what would happen if those things did go down, and then that provides insight and findings into, alright, how are you gonna fix this in the future to make sure that those worst case scenarios that you just imagined, that you prepped for them, or at least you have the right decision making framework in place to continue the business operating in times of crisis.

Karissa Breen [00:15:24]:
So I wanna talk about reliance now on systems, technology companies. Like I said, people are not operating on pen and paper. So obviously we've moved past that, and we are reliant on these companies to stay up and running. And like you said, things can happen. We've seen that if a large company had an issue, people were impacted. Would you say, Fred, the conversations that you're having, are these people really worried about this? Because there's no other way around it. Like, they have to use these companies to run their business effectively, which means there's always gonna be that risk and stuff that they necessarily may not be able to control either, in terms of the supply chain. So would you say companies now, after what we've seen in recent times and years, people are quite worried about what could happen?

Fred Thiele [00:16:09]:
Absolutely. And I think it's one of those things where you go back to one of the previous points we were talking about, having that subject matter expertise in the room. It becomes really important because a lot of these things will be invisible to business leaders and people running a business, especially nontechnical leaders. Right? The more reliant on technology, the more that we need people who are familiar with technology concepts and vendors and that kind of thing in the decision making chairs. And before the outage, there's many people in the world who wouldn't have ever heard of that product before, and now it's plastered all over the news. Right? So, you know, there's an awareness piece there of, yep, we're dependent on a lot of different vendors that require subject matter experts to run them, to configure them, to keep them operational, and world class companies to keep them up and to fix things when they do break. But, again, you know, if you look at what's happening in the cloud space, public cloud, for example, people have been branching out now for a while into different public clouds. So one public cloud, even though they might have 16 nines of availability, sometimes, you know, that whatever two or three hour outage isn't gonna cut it.

Fred Thiele [00:17:19]:
So you have a concept of multi cloud. So if one cloud goes down, another cloud can spin up. But then that adds not only redundancy, but also complexity, because then you've gotta get the systems to work in those multiple clouds when one does go down. And so I guess I'm kinda painting a picture that, yeah, it's complicated out there, and people are trying to find ways to diversify and make sure that they've got the right things in place so that when their critical systems do go down, they continue to operate. But, you know, we've seen a lot of vendor consolidation. We've seen a lot of critical points via vendors. You know, when a vendor that, you know, sits in the middle of a laptop in an operating system and watches everything that goes by suddenly goes down, well, that's gonna impact a lot of things, and that's just core to how it is that, you know, laptops operate these days. And very similar with public cloud, if something gets in the middle of your public cloud, your website, or your ecommerce site, or whatever the case may be, you've gotta have an answer for that.

Fred Thiele [00:18:16]:
Do you fall back to on-prem? Do you go back to a different cloud provider? Do you, you know, go back to pen and paper and have a bunch of people calling a call center and, you know, a bunch of people spun up to continue to take orders during those outage periods? It's all really important to understand how that all fits together. When you mention third or fourth parties, that's a whole different ball of wax that, you know, a lot of regulation is currently driving requirements into businesses on how to deal with, and there's no easy answer for it.

Karissa Breen [00:18:48]:
So when you were speaking, what was coming to my mind was around leaders and boards and executives. Traditionally, a lot of these people at that level don't have any background in IT. So will we start to see an emergence of people at that level that have an IT background? Now I'm asking this because one thing, after writing reports, as you know, for executives, is that a lot of these people at times just assume that technology works. It's like electricity. I just turn the light on at work. So when it doesn't work, you notice it. So will we start to see more leaders now? And I know that, you know, CISOs and, you know, friends are getting more seats at the table. I know it's sort of coming in, but in terms of even, like, CEOs and CFOs, like, if they don't have a very strong background in tech or understanding it, it's gonna make it harder to get that buy in. But also, like, all these companies are all built on technology now.

Karissa Breen [00:19:40]:
And, like, traditionally, in my experience in the last fifteen years, there haven't been a lot of these people that have really been across technology at all at these levels. So it's kind of like, no wonder we've had a lot of issues, because we're dealing with people that don't necessarily understand it.

Fred Thiele [00:19:55]:
Yeah. Agreed. You know? And I don't know if it's an old guard versus new guard kind of thing that we're seeing the transition of now, but you can't operate a business without having some level of table stakes, I think, from a technology perspective. And whether that be making sure that you have the right technical expertise or at least know-how within the company, that, you know, you bring the right people to the table when a decision needs to be made. I've seen it firsthand as we're going through that transition of more technical people, or more technically aware people, making their way into leadership, executive leadership, and even onto boards. It's really important to be able to tell that story, that business story, in a way that's understandable by people who may not be technical. And I think, whilst it's, I believe, incumbent on anybody who's in a leadership or decision making role to have some awareness around technology and some of the processes that run your core business, it's up to us as technologists and technology executives to be able to have the words in our vocabulary, to be able to tell the story and how it is that everything fits together, because it can get immensely complicated.

Fred Thiele [00:21:06]:
You know? Even if you're doing, you know, product development or something, and people might ask, well, why does it take so long to deploy x y zed feature? It's like, well, there's 15 things under the hood that we've got to build up and fix in order to get to this really simple outcome of automating process x, y, zed. Sometimes people don't understand how deep that rabbit hole actually goes, because we're in a situation now, technology wise, where everything has been built on the shoulders of giants. It's cliche, I know, but, you know, when you look at public cloud and what sits underneath public cloud, you've kinda taken away all of the hardware maintenance and all of the stuff that you used to do in old school data centers. You've given that over to somebody else to manage. But all of the stuff that sits underneath there, it's still somebody else's data center. There's still all these processes and procedures and things that go in place to keep those systems up and running. You just don't see them anymore. So people just think, oh, flick the switch on and servers come up.

Fred Thiele [00:22:00]:
Well, there's an army of people and automated processes that sit behind that to make that happen properly. And the more we abstract ourselves away from the actual technology, and the more these services run as a service, or we have more AI thingamabobs that end up taking care of things just by, you know, typing in a question or a statement into a chat window and answers come back or things happen, the less we will really understand how the engine of technology works. So you always have to have some clued in people to understand how that works. But I think we're seeing the emergence of a lot of people coming on to boards that do have that technology background. You're starting to see CIOs and CISOs that have been in industry now for ten, fifteen, twenty years that have a really good understanding of how this tech fits together. You know, they're starting to become company directors or nonexecutive directors and advise boards and advise startups and these kinds of things. So I think we'll slowly be seeing that change, but we're at a bit of a tipping point, if you will, at the moment.

Karissa Breen [00:23:06]:
So, Fred, what do you think people overlook perhaps when it comes to business resilience? Is there anything that comes to mind when I ask you that question?

Fred Thiele [00:23:15]:
One of the things that I think people overlook is, you know, business resilience has a lot to do with keeping business continuity, keeping the business running. But oftentimes, and I think this is changing as well, cybersecurity isn't really seen as a business continuity issue. And from my perspective, and, you know, if you talk to people in the critical infrastructure space, this is second nature to them, because any issue that takes down their core systems, especially critical infrastructure systems, that's something that they have to have a scenario for. So in my mind, cybersecurity is just another business continuity issue. So I think it's really important that we pay attention to cyber and really build cyber, and some of those critical things that could happen, into the business continuity process. Right? It's not all incident responders responding to an incident. There's a larger play here where the business is impacted. There has to be that business decision making framework in place to understand, okay.

Fred Thiele [00:24:15]:
This is impacted. This is how we're dealing with the situation, and these are the decisions that are going to need to be made. So I think, you know, that's one thing that I think people do overlook. And the second thing, I think, which we've already talked about, is that business resilience is really about business continuity. So it's really about bouncing back in the face of adversity. And we just need to be prepared for as much as we can, so that we have the skills to be able to respond to anything that may come up, in normal BC language. And then finally, I think business continuity is really seen as that dirty word. You know, the dusty spreadsheet in the corner, you go and blow it off once a year or once every two years, and you kinda hope for the best and, you know, you identify your systems and that kind of thing.

Fred Thiele [00:25:01]:
Now one of the things that we're seeing that's changing that is a lot of regulation is coming up. That cybersecurity bill that just went through your parliament here in Australia, for example, specifically calls out business continuity and making sure your cybersecurity incident response plans involve your business continuity framework. So, you know, we're starting to see these things come together. At the end of the day, you know, cyber is not really a special snowflake. It really should be built in and baked into everything we do in operations. And I feel like sometimes that gets separated a little bit, because there are so many unknowns and so many specialty skills required in the cyber space that often we lose the plot and try to make it, you know, a little bit bigger than something it actually is.

Karissa Breen [00:25:43]:
So you said before bouncing back during adversity. So how confident would you be that businesses or a lot of businesses would be able to do that and do it quickly?

Fred Thiele [00:25:53]:
I guess it depends on your business. Right? If you’re providing critical infrastructure, you see a lot of regulation coming now about critical infrastructure bill, you know, all of the different things that need to be put in place, and a lot of it’s regulatory compliance. But the heart is in the right place and that the reason that all this reg compliance is coming down is because exactly your question. You know? We need to be resilient, especially when you’re talking about food, water, clothing, transportation, education, health care, these kind of things. You know? The amount of time you can be without those is very small. So regulators see that none of the progress is being made, so regulators make laws and regs to push that into our environments. The outage does raise a lot of concerns around that when half the planet goes down because a piece of software blue screened, that raises a lot of concerns. And I think you have a lot of people looking at that scenario going out when it happens again, because it will, maybe not the same software, but, you know, we’re depending on a lot of pieces of software these days.

Fred Thiele [00:26:57]:
How am I gonna deal with that? So what percent of the world’s companies can bounce back and are ready for anything? Your guess is probably as good as mine, but, you know, we do the best we can. But I think we need to do more, and we need to test this stuff. So I think that’s part of what the regs do, and it’s part of what we do as CIOs and CISOs and, you know, keeping the business who’s inherently focused on technology and keeping it running.

Karissa Breen [00:27:21]:
So I wanna sort of switch gears now slightly, and I wanna talk about maybe some of the factors that comprise business resilience or what’s driving a lot of this. Anything you can share?

Fred Thiele [00:27:31]:
We’ve talked some about them, but I guess just to kinda tick down some of the things that I think about and some of the questions you go through when you’re doing any kind of business resilience exercise. So your systems, what are the most critical systems in your business that run your core business? Right? Identifying those systems, first and foremost, and having those be a part of your plan is first and foremost. Right? Visibility is everything. And then it’s understanding not everything is the same criticality. Everything’s a high risk. Nothing’s a high risk kind of thing, but you need to understand the criticality in those systems. So I mentioned C1, C2, C3, C4 earlier. It’s all about understanding how critical is that system to performing a core business and how long can I live without it? That’ll start to find things like what are your uptime requirements for those systems? How often do those systems need to be backed up? What do we do in case of an emergency? And when is it that we do need to enact that redundant system to take care and make sure that our business is resilient and continuous? How long can you tolerate those systems being down? We talked a little bit about that.

Fred Thiele [00:28:38]:
What happens if you’re outside of that tolerance? So if your business processes are good enough for four hours, according to your BC process, if you’re butting up against those four hours or the business is really starting to hurt without that, where’s the decision making framework to then go and spin up the next thing that takes the place of that particular system? What happens as you approach that limitation? What happens if you’re outside that tolerance? Do you continue to operate without it? Do you spin up something else, etcetera? So understanding that tolerance is huge. Scenario training and really taking all that information about your systems and developing a scenario for the areas that you know you’re not resilient in. Because often when you do this exercise of going through, here are my most critical systems, here’s what we can’t live without for how long, you always wind up with a situation going, oh, I didn’t realize we really couldn’t live without that system. We don’t understand what we would do if that wasn’t available. How will we keep the business running? How will we process orders, etcetera? And then the decision making framework is really important. And I kinda liken this to I do a bit of sailing on the weekends, and one of the things that you never wanna do as a sailor is be out in the middle of the ocean and having to test your emergency equipment for the first time in an emergency in the middle of the ocean. So you take courses around sea safety and survival, and you learn how to use life jackets, and you learn how to use big life rafts, and you learn how to use flares and all the things that you keep at the bottom of your boat that you hopefully never need. It’s a lot the same with the decision making framework.

Fred Thiele [00:30:14]:
You do not wanna be in a situation where you have to run the business and continue to run the business without understanding what role people are playing in decisions, who’s making the ultimate calls. If you’re doing this for the first time under crisis situations, bad things are gonna happen, and you’re gonna get the left hand not talking to the right. You’re gonna get customer comms going out one way when they should have gone another. Really, not only things can start happening. So really understanding and testing. You can’t test enough. You can’t train enough for this stuff. We all have a limited amount of time in our day, so we have to pick and choose what we test, but you really can’t train enough.

Fred Thiele [00:30:50]:
It’s a bit like the military. You just can’t train enough. So really understanding who’s making the call is super important.

Karissa Breen [00:30:57]:
So the example that you used around the sailing. So and I want to talk a little bit more about, like, scenario training. So I’ve heard that a lot in interviews and in companies. But then, you know, to your example, if you’re out in the ocean and you haven’t done the training on the life jackets and the flares, like, you really do have a problem. And when you were talking through that, how often have people gotten on a plane and they do the old safety stuff? I mean, if something were to happen, I probably wouldn’t know how to handle that. All the flights I’ve taken in my life and everyone else. Would you say that we can do this training and this planning, but then when the day happens, there’s still people, they panic. They don’t know how to deal in, you know, high pressure situations.

Karissa Breen [00:31:37]:
You know, people, their critical thinking, like, their mind is not where it was when we were doing scenario and stuff like that. How do you manage that as well? Because we’ve seen this multiple times, like in companies that I’ve worked at. And it’s like, well, it was all good, and then something’s now happened, and now people are panicked. How do you manage that when you’re in an incident and decisions do need to be made, and perhaps people aren’t as effective as their thinking was when they were doing the scenario training?

Fred Thiele [00:32:09]:
Yep. Well, we’re all human, and we all have emotions and, you know, the flight or fight kind of things take over. I mean, our brains are hardwired for that. So there will always be that in any kind of an emergency, right, or any kind of crisis situation or any kind of high pressure environment. That’s just who we are as humans. I hate to sound like a broken record, but going back to training, the more you train for these kinds of things, the more it becomes muscle memory and you don’t really have to think about it. You know, when customers are breathing down your neck and you’re actually getting 40 customer calls and it’s flooding your call center and you don’t have an answer and people are angry, or they’re threatening to take their business elsewhere. There’s pressures that you just can’t feel in the scenario.

Fred Thiele [00:32:50]:
But when you do have those decision making frameworks and the scenarios set up, you know, one of the things that I’ve seen is that this isn’t a, you know, we’re gonna practice for a month and then be done practicing, or it’s not a we’re gonna develop a real life scenario and put everybody, you know, through it in real time. A lot of times, these scenarios build up over the course of months and years. So, for example, if you’ve never done scenario training within your exec team, you start really simple. You start by identifying those really high critical applications and systems, then you go and develop a scenario around that. You well inform the team that you’re gonna get together early on, and you do a bunch of pre training. Here’s what you can expect on the day. Here’s what’s gonna happen. We’re gonna walk you through everything, etcetera.

Fred Thiele [00:33:40]:
And then on the day, you might introduce a few lightweight scenarios, sort of choose your own adventure decision points. But you’re really there to facilitate and walk people through that. Okay. You know, there’s a way through this. Right? Especially if you’ve not done it before. And over time, what you do is you build upon that, especially if you’ve got a consistent exec team. You build upon that, and you ratchet up the heat in those scenarios. So let’s say you’re doing two in a year, four in a year, the first year, and a couple in a year, the second year.

Fred Thiele [00:34:12]:
You really wanna start getting more and more towards that real life scenario. So almost role playing in real time how things are gonna play out. So in the most mature companies, when you think about, you know, in Australia banking and insurance and the companies that have been doing this for a long time, they’ll take full days out with, you know, fifty, sixty execs in a room. And in real time, role play out a scenario. Somebody actually does call the CEO and initiate something. CEO actually has to call these people, actually has to convene a meeting in a boardroom somewhere with the right people for the decisions that need to be made. Working through all of those things, and it’s all recorded and, you know, looked at for lessons learned and revisiting. So that’s the right side of the spectrum, or there’s the left side where you’re just getting going.

Fred Thiele [00:35:06]:
So I think ratcheting that up over time and really getting people trained up and putting the pressure on, whilst it might sound a little bit cheesy, that artificial pressure can actually feel really real when you’re in a room with a facilitator who’s really driving those questions. Or if you’re really getting a call from what sounds like an angry customer, your brain can’t help but go to that flight or fight kind of scenario. So the more you can train those, it sounds a little bit weird, but train those feelings out, or the more that you can make those scenarios more muscle memory, the better you’re gonna perform in a crisis situation.

Karissa Breen [00:35:40]:
So can I ask more of a rudimentary question? And I know it’s gonna be it depends, but I’m just curious on getting some examples or looking at banking, for example. Or what would your response to a bank be, how often they should be doing these things, like with executives and, you know, their team and that, you know, the general counsel and all, you know, all the people that are involved, what would that sort of plan look like to you? Like, how often and, like, you know, the frequency of it, like, you know, the length of it? Do you have any sort of example that you’ve used in the past perhaps just to sort of paint a picture for people?

Fred Thiele [00:36:12]:
Yeah. Look. I think annually for mature companies is appropriate, and you don’t wanna test the same scenario every time. So if I look at cybersecurity scenarios, ransomware has come up over and over again. And, you know, I’ve seen an endless amount of scenarios built around ransomware for the last couple three, four years. Right? Because ransomware has broad effect on a company, and it’s an easy one to kind of lean back on and have mass impacts across the company. So I think that annual scenario is really important to do for mature companies. But I think building up to that, you know, if you’re just getting started out, you know, there’s nothing wrong with, you know, taking twenty or thirty or forty minutes in a monthly ELT session.

Fred Thiele [00:36:54]:
You do it four times a year maybe and just really lightweight scenario training about things you’ve learned about your business continuity, what it is that people need to focus on, and just start training up to that ultimate one year annual kind of scenario. You’re starting to see it a lot in regulations as well where, you know, scenario must be, you know, you’ve gotta test your business continuity or cybersecurity incident response plan once a year. So it’s starting to be mandated, and people see the value out of it. Invariably, nobody likes to go into these scenarios because, you know, nobody likes to be exposed or nobody likes to be in a scenario where they don’t know the answer, but often that’s where you learn the most. So checking your ego at the door a little bit and understanding that we’re not gonna have all the answers when you go into a scenario, that’s a good thing because you’re gonna get some learnings out of it, and you’re gonna be able to take that back into the business and the operational teams and actually make that better so that you don’t run into the situation that you’re testing.

Karissa Breen [00:37:51]:
So, Fred, do you have any sort of closing comments or final thoughts you’d like to leave our audience with today?

Fred Thiele [00:37:56]:
Business continuity, business resilience, it’s not a dirty word anymore. It can’t be. We’ve gotta think about that as a core thing that we build all of our business processes around, whether it’s cybersecurity, physical security, or any other kind of resilience testing within your business. We’ve got to know what the weak points are because the more you can really pick at those weak points, the better off you’re gonna be and the better prepared you’re going to be for anything that might come down the line. So better to test often, even if it is a big time commitment, than it is to be caught out without the right decision making framework, without the right people in the room, or without understanding what those critical business processes are. So dust off that BC and the business continuity playbook, get it out and start testing as much as you possibly can.
