The Six Serving Men of Cyber Resilience

Article by Richard Preece

“I had six honest serving men. They taught me all I knew. Their names were: Where, What, When, Why, How and Who.”

Rudyard Kipling, The Elephant’s Child

Board members and executives are busy people. They are constantly bombarded with this, that and the other, all of which claim they must be the priority! One of these bombardments is that resilience, sometimes with a specific prefix of business, organizational, cyber, operational, etc., is a priority and is a board issue.

The reality is that resilience needs to be considered strategically and embedded into strategy. All good strategy involves choices. So the first choice, and strategic decision, is to recognise and treat resilience as an enabling goal: a goal that can enable your organization to be more agile in seizing opportunities, whilst mitigating the risks that may impact your organization and stakeholders.

So let’s take a simple six serving men approach of why, what, who, when, where and how resilience can be addressed by boards and executives to integrate resilience into strategy and implement it (95% of strategy!).

Why and What

All good strategy starts with a diagnosis of the challenge, or “what is going on here?” This diagnosis should seek to identify the critical aspects of what can appear to be an overwhelmingly complex reality, with lots of fluff, fear, uncertainty and doubt (FUD), and buzz phrases. Alas, this article may be a bit guilty too!

By taking a more systems thinking approach (see figure below), which looks below the surface of events, it is possible to identify patterns and trends, some of which may be hard trends (will happen), whilst others may be soft trends (may happen). Looking further below the surface, systems structure becomes more apparent, including how the different parts are related and what influences the patterns. Finally, by challenging mental models and worldviews, the values, assumptions and beliefs that shape the system can be identified.

The deeper the understanding that this diagnosis provides, the greater the ability to find and leverage strategic advantage as the basis of strategy.

From a resilience perspective, there are perhaps five overlapping mega disruptive forces, which are creating a polycrisis in the 2020s. These disruptive forces overlap and influence each other and may be summarised as:

• Geo-political tensions between collaboration, competition, confrontation and conflict;
• Climate change, adaptation and the energy transition, leading to changing resources, connections and dependencies;
• Demographic and culture changes as the population grows, with different age ratios and immigration flows;
• Democratic and financial misalignment with rising debt, inequality, vulnerability and economic risk, leading to a new but unclear socio-economic model in the West; and
• Digitalization with exponential growth in use and value of data, technology, innovation, opportunity and risk.

Individually, each disruptive force should drive the imperative for greater resilience and a strategic approach, not just at the organizational level, but at the international, national and personal levels. When combined, they make the case not just for having a managed capability that satisfies regulators and other authorities, but for one that provides a clear focus on delivering organizational essential outcomes and understanding the potential impacts not just upon your organization, but on customers, other stakeholders and the environment.

Once this diagnosis of the challenge to your organization is understood, a goal-seeking strategy can be developed to guide the overall approach to coping with the disruptive forces and overcoming obstacles to achieving your resilience goal, within your organization’s wider strategy.

Who, What, When

Diagnosing the challenge and identifying the strategy approach is important, but only 5% of strategy. Implementation through a set of coherent actions to deliver a resilience capability is 95% of the strategy. Further, due to the complexity and dynamically changing context, this will need to become a constant endeavour from board room to server room and across the organization and its wider eco-system.

To assist with this, a strategy based upon stable, certain, simple and clear (SCSC) objectives can provide the mechanism to deliver coherent actions to develop resilience capability across the organization. These objectives should be underpinned by principles (outputs and outcomes to achieve) with supporting guidance and indicators of good practice to interpret and apply the principles to context, whilst specific standards may be appropriate for well-defined use cases.

The sum of this strategic approach enables top-down governance to set the overall strategy and provide oversight, with supporting accountabilities and responsibilities. It also enables bottom-up de-centralised decision-making, empowered by a unifying purpose and framework. This purpose and framework can create stable structures and processes, but with a dynamic agile capability that can anticipate opportunities and mitigate risks and inevitable disruptions.

The evidence is clear that in the sort of polycrisis environment displaying characteristics of volatility, uncertainty, complexity and ambiguity (VUCA), this mixture of top-down strategy and bottom-up implementation with effective governance is most likely to deliver success.

This does not undermine compliance-based approaches, but does overcome one of the most common obstacles: the bureaucratic excesses of adherence and the associated risk-averse escalation of decision-making, which stifles organizational dynamism.

How

Ultimately, this is about culture and in particular the knowledge, skills, attitudes and behaviours (KSAB) that are both explicit and implicit in the organization.

This requires leadership and commitment from boards and executives, to make clear that resilience, in whatever form (business, organizational, cyber, operational) it is focused upon, is a strategic goal. They must also make clear that it requires integrating capability into the organization and that, because of the insights based upon the diagnosis, it is necessary for fulfilling the purpose, wider strategy and essential outcomes of the organization.

Finally, they must communicate that this is an endeavour that will be resourced and invested in, and that it will ultimately lead to both continuous improvement and innovation that exploits the disruptive opportunities, whilst mitigating the harms and risks of the disruptive 2020s.

As with all cultural change, this starts with developing people, through awareness, education, training and ongoing support. This KSAB is the foundation for empowered and motivated people ready to act through a set of coherent actions to deliver a resilience capability and strategic goal.

Don’t be the next boardroom cyber victim!