If there is one lesson that technologists need to understand in order to be successful, it’s that business is ultimately more about people than about process or technology. At the end of the day, how people think, behave and operate will have be the greatest influence on the success of any organization.
With that said, it has been my observation that every single business operates in two contexts or modes. For now, we’ll call them Mode 1 and Mode 2, where Mode 1 is the normal or typical mode of operation, and Mode 2 is the mode of operation in or around the timeframe of “an incident.”
From a technology perspective, the nuances of Mode 1 and Mode 2 are somewhat different depending on whether we are discussing general technology management or information security management. For general technology management, the issues tend to be related to the following:
- Redundancy (system, application, network or site)
- Disaster Recovery and Business Continuity
For information security management, the items in question tend to be related to the following:
- Access Control
- Segregation of Duties
- Logging and Monitoring
- Operational Risk of any kind
Remember, the following is true of every business…
In Mode 1, or normal mode, the business moves along as fast and as seamlessly as possible. This is the mode of getting-things-done, and the goals are to increase business, improve revenue, and get things out of the door. Under regular circumstances, this mode is supported, condoned and many times even sponsored by the organization’s senior management team.
Mode 2 is the mode that gets turned on immediately after “an incident.” An incident can be anything related to a system crash or failure, a broader outage, a security breach, or anything that requires PR or other customer communication. It can be anything that affects our IT Operations or Information Security considerations listed earlier. The severity of the issue or incident will dictate how long Mode 2 remains in effect.
As soon as it is recognized that something highly undesirable has occurred, the senior management team – or its duly elected representative – leaps into Mode 2, and tries to drag the entire business with it.
Mode 2 is where security and high availability are really and truly taken seriously.
Generally speaking, most IT operations teams try to operate in Mode 2 as often as possible, but over time, they will get worn down to the point where they hang out in a sort of Mode 1.5 state. Information Security teams, however, have are motivated by more paranoia, and almost always remain in and around Mode 2 . (This tends to annoy other people, who are likely to suggest that the InfoSec folks lack people skills or don’t understand how business needs to operate.)
Despite this general grumpiness about the relentless Mode 2 focus of the InfoSec team, as soon as there is a security incident – or even a near miss – the senior team jumps into a Mode 2 context, and starts trying to find out why the business hasn’t been in that mode the whole time!
Nothing is more frustrating than being blamed for something happening that you saw coming but were not allowed to reasonably address, when the blame is coming from the very people who could have facilitated the solutions.
Some points about corporate mode switching:
- The larger the organization, the harder it is for the senior team to get everyone out of their normal mode and into Mode 2 during an emergency.
- After a while, no one is fooled by the switches between Mode 1 and Mode 2 – not the employees and not the customers.
- Systems engineers and administrators that have grown weary with the futility of trying to do the right thing, ultimately stop trying, and just do whatever they can get away with. This increases the number of incidents, but they no longer feel the torture of the inevitable blame.
- We should be very, very afraid when Information Security professionals get worn down by the same futility, because the stakes are higher.
While it is generally accepted that people are the weak link in any security model (or any operational technology model, for that matter), it is rarely recognized that the low-level employees are not the biggest problem. This is because the employees on the bottom part of the org chart can only pose a risk to the operational or security posture of the typical business if the folks in the upper portion of the org chart allow them to by the corporate culture that is created, nurtured and enforced.
Still think this is not a regular situation in the corporate world? Then take some time to look at the next set of breach notifications or outage notifications, and see if you can identify organizations that have temporarily escalated to Mode 2.
And, trust me, you’ll have plenty of opportunities to look at some high profile outage and security breach notification in 2013…