Good morning everybody. Welcome to Berlin. Welcome to the Cybersecurity Leadership Summit 2022. We are live, we are onsite. We have a lot of people onsite here in the workshop room and we also have a lot of online attendees. So first and stupid question if you're in a Teams session is, can you hear me? Please give a short feedback in the chat whether you're able to understand me well. So their thumbs up. Perfect. First of all, for the people onsite, these are the access data for the wireless LAN. So K C A in capital letters and analysts is a password for CSLs 2022. Perfect.
So if you have any technical issues, just feel free to ask one of us then we can probably help to solve this. Okay, so let's start with our workshop: Strategy, Risk and Security: Building Business Resilience for Your Organization. That's a topic we will talk about for the next three hours. As mentioned, it is a workshop, so it's not just sitting around and listening to interesting presentations. This will also be a part, so no worries. It's also time to grab some coffee after one and a half hours and that's planned for today.
What we usually also do, so a lot of more attendees, great, just come in morning.
What we also plan and a short hint for the online audience, please mute yourself If you have any kind of question, it would be better, but you could also come back. That's no problem.
Two, three, someone muted us. Okay, perfect. Okay then probably it's time for a short recap. Please give me a short feedback. If you can hear me right now, quick note in the chat.
Yeah, perfect. Okay.
Again, we share the chat and the video of the online participants as well. So please be aware of that. If you don't want to see yourself all the time on the screen, just enable your video, that's fine. Otherwise be aware, we can see you. If you have any kind of question, we would highly recommend to just write it down in the chat. That's a little bit easier. We also have some interactive part where we discuss with each other. Then it makes sense, depending a little bit on the amount of attendees, to also open the session here as well.
Okay, perfect. So as we have a lot of interactive part and also want to engage, there are too many joining people here. Sorry. Also for the people in the room, it might make sense if you join with your mobile or with your computer to the session a little bit if you have some kind of poll, but it's not necessary. Can also do it here just to, sorry, too many popups.
Okay. We will use the new feature of Teams, which gives you the feedback of polls. This is just a short test of how you feel today. From mine, I say all good.
Maybe just for the online participants and for those of you who are joining with the mobile, just gimme a short feedback. As you can see, we have 13 responses right now and probably we can see the results here as well. Yeah. So we have 12 answers, 100% positive, 0% negative. And the question is how can we remove this poll? It's probably in the main session. Perfect. Okay. Regarding to the time, maybe it makes sense, just a short feedback from your end.
Maybe it's we are too many attendees for name and function, all that stuff, but maybe just who of you has a concrete understanding or expectation from today's workshop in the open realm. Maybe that's a little bit easier. What do we expect from the workshop today, for instance?
Not sure.
Oh, I'm not sure what to
Expect. Oh, perfect. That's also an answer. Someone else? Any expectations or experience with business resilience management or is this really starting by zero here? Almost by zero. That's perfect. Perfect. This is a topic we will cover today. Absolutely. Okay. So any feedback from the online attendees? So I can see the chat here,
Except that they're complaining that they're all admins, but this is trust in our participants, so that's fine.
All participants are admins. I thought this is, Ah, okay. This should not be what exactly do you mean with admin?
Maybe you give some feedback. Usually you should not be able to share or or whatever. Otherwise we should take care of that and please do not share something stupid. That would be great. Thank you.
This is also some kind of business resilience, by the way.
Okay, so let's talk about the agenda for today. We have a lot of topics. We have only three hours or two hours and 50 minutes left minus a short break. We will start with some basics here. So you cannot predict the future, but you must prepare. So some really basic insights into why business resilience is a topic, why you should prepare, what are the most important topics. Then for sure business resilience management in a nutshell. And then we go through different pillars. We have five of them. Maybe one of you has read our research on the KuppingerCole website.
We have a great insight page where you can see the basics and we dive into these specific topics today. And that's basically what we do. So we cover a lot of topics, starting business continuity, crisis management,
Crisis management, IT service continuity, and also the testing part is really a relevant topic, what we will learn later on.
Okay, let's start with predict the future. What we already did is the short warming up. Paul and I will start another poll again, this is, here we go. So also the people in the room, maybe we do it that way. What are your top cybersecurity concerns here in the room? Is it more ransomware? Is it more attacks on critical infrastructure, more software supply chain attacks, or is it malicious insider, CEO fraud? So maybe just raise your hand. Number one, ransomware. What is the most, is this the most critical thing you see?
Or 1, 2, 3, 4, 5, 6 attacks on critical infrastructure.
Three software supply chain attacks, text.
Oh, so the others should attend some sessions here. This would be the second option where I would raise the hand. Distributed denial of service attacks. That's not yesterday. It should be yesterday. Business email compromise also. Two. So not too many.
Malicious insider. Targeted advanced persistent threats. Oh, number two. And CEO fraud.
CEO fraud, no one. Okay, perfect. So let's see what the online audience answered. Ransomware is number one, attacks on critical infrastructure. Can we maybe make it a bit brighter, wider chat that's a little bit easier to share. So we have ransomware, attacks on critical infrastructure number two, software supply chain attack. So four for online attendees and we have business compromise one and targeted advanced threats. Also one, no CEO fraud and no malicious insiders. So that's great. We also did this survey online.
So our responses from 268 respondents is mainly it's about ransomware number one and business email compromise, which we have online only one.
And I think here it was three, malicious insider and attacks on critical infrastructures for sure. Also very important. So we have multiple topics that are relevant where we need to take care for our business, but this is not everything. We also have topics like the human error, we have problems with the equipment, we have power failures, fire, floods, terror attacks, and for sure epidemics or pandemics as well.
And these are topics where our business needs to be prepared for. So we need to create some kind of resilience to be prepared for something like a ransomware attack. This is a very technical topic, but as well as for power failure, flood, fire, whatever. And this is something, how to achieve that or at least starting to understand what you need to do, is a topic for today's workshop.
This question, I really like it at the beginning of the, of such an workshop, what or how well do you think you are prepared for an incident within your business?
Would you say you are very well prepared, well prepared, not well prepared or not prepared at all here in the room? If you want to raise your hand, that's fine.
If not, then just it's okay. For the online attendees, it's anonymous. So would you say we are very well prepared here? Someone, so one. Well, very well, sorry, well prepared, not well prepared. Not prepared.
Okay, so most people between two and three, that's not really a surprise. Maybe the answer will change during the time. So online we have 70 or six, it's changing 12 four we are well prepared, and eight, four, we are not well prepared.
So again, it's between two and three.
This is just for me as an understanding and probably at the end of this workshop with some insights you might answer a little bit different.
Okay, so business resilience management in a nutshell, this is a beautiful phrase from our insights page. What is business resilience management? It's the ability to adapt quickly to risks and disruptions while maintaining key business workflows and safeguarding employees assets and brand reputation. So really a lot of topics around your organization to ensure that you are able to work.
I don't want to bring this topic too often, but Covid was really a good example of organizations that really became struggle from business model perspective to operation topics, process topics and all that stuff. When you are not able to work from from your company, you're not able to produce or not able to sell your product, you need to be resilient in some way.
And for, for this topic in the past nobody was prepared and on the list we had a lot of other potential threats against or threats for your organization where you need to prepare yourself as well.
So how do you start to build up something like an business resilience management? The first step is a little bit boring, but it is necessary or boring, depends on your, on the things you really like. You need some kind of policies or some kind of governance.
If you are ISO 27,000 or one or ZA or all the other standards validated or approved or working on that, you have usually something like an information security management system, which includes policies around business continuity, about preparation, incident management and all the typical stuff. But these are very often just static documents that describe on a certain level what you need to do if something happen. And business resilience management is usually a step deeper. It describes for concrete scenarios, for concrete things, what do you need to do? And you also simulate something.
So if you remember the five pillars, we will have in the pillar number five something like simulation and testing training that you understand what would happen if we have a fire in our server room, if, for instance, all computers are locked by a ransomware attack.
Something like that. And then you go through it in your mind there are different options. This is something I think Kai will talk about later on, but this is really the foundation and for sure you need some proper framework of policy and governance before you do that.
But on the other hand, and this is something we will have a look at today, you need to know about your risks. You need to understand the potential impact of what happens if a specific scenario happens to your organization. And this is usually done by a tool, it's a process, business impact analysis, where you understand what happens if a specific process is not working anymore. It helps you to identify the related resources and then you can identify what is the need for preparation. Is there a plan B, whatever typical scenarios.
For instance, many organizations might have an SAP or Microsoft instance running for yourself.
What would happen if it's turned off now? Now are you prepared for that? Do you have the private or the mobile numbers of the people you want to talk to? And this is something you have have to have in your mind. And identifying those potential critical resources by using process based approaches is the business impact analysis. Then for sure emergency planning, which is then a little bit deeper in understanding what is the concrete need to do.
Another topic, and maybe one of you is aware of incident management, is the topic crisis organization. So if your computers are locked by a ransomware attack or your building is burning down, whatever, it's a little bit too late to think about who needs to be informed, who is in charge of deciding whatever, where can I buy a new building, a new server, a new software, whatever.
This is something which needs to be prepared from an organizational perspective as well.
And this is really nothing you should do when you are in the middle of an attack or an incident and last or not last but not least, but from a content perspective, tests and exercises. So I mentioned very often in the last five minutes that you must prepare, simulate those attacks. So you need to be aware how to deal with that. And this is for instance, you will never be able to just shut down your SAP, your Microsoft and burn down your building. So you need something like a simulation strategy, whatever. And this is much better than living with untested prepared plans.
But as mentioned, Kai will talk about it and for sure continuous improvement. We know that from all disciplines in cybersecurity, even if there's some kind of incident, we should take the knowledge, our internal approach, the way we handle that to improve and learn and improve the process. So this is the approach for business resilience management. Any questions so far as, Yep,
Thank you. What I'm missing a little bit, you have the word strategy in your first, in your headline for today.
So I'm asking myself, how is BRM built in the whole picture of information security in the company and how to, for example, convince the board that there is a need for doing this and yeah, so, so the little bit more in advance before that,
This is something we will, we will cover at the end in, in the last chapter a little bit, how to convince your board. I mean it's always a discussion. How do I get money from from the board? If it's too late, you get a lot of money, but before that, asking for money is a little bit different.
One option is to visit such workshops, understand the need and explain the board why they need it. But basically, or usually you take something like the risk based approach. There are different scenarios and if you talk about money with the board or impact to the company, this is a good starting point where you can use as an argument for, for getting budget for better processes and things like that. For instance, if you take SAP is not running or the building is burning down. Exactly. That's what, why I mentioning you have to talk about money.
That's,
Sorry. No, no,
Yeah, that's exactly what I, what I meant at the end. You need to translate it into expenses on an impact level, what would happen to the organization? We are not able to deliver, we are not able to work. We will lose, I don't know, so much money.
Yeah, sorry, we forgot to give them the the the microphone the the question from from the audience was as again how to convince the board they are not talking the language of technical stuff. Yeah. So you need to translate the, the, your technical, your security requirements into financial impact for the organization. That's basically what I wanted to see.
I think the perfect tool actually is translating the business impact analysis into something the board understands if you really execute this business impact analysis in a proper manner and use this as a tool for conveying the message.
What's, what does it mean if SAP fails for two days or for four days? They don't care about a technical fact, but they will know what it means that you cannot order any goods to produce your, your material yet that you are not able to, to direct your workforce, to direct your, your fleet to deliver goods, whatever. And if this translates into something that is tangible from a business perspective, I think this is the communication that you need to start with. And the business impact analysis is one perfect tool to do so.
Exactly. Some feedback from the online attendee.
It's Benjamin, he's writing simply what are the potential costs of not looking at business. Exactly. Resilience management.
Yeah. That's just confirming what what does it mean if you do not do it if you are not looking into business resilient man business resilience management, which goes beyond just continuity management. It's just being prepared on an ongoing basis and to improve over time. Any other questions from the audience here or from from the team back home
Question.
Sorry, clarifying question because I come from the ages that we were talking about BCM, business continuity management. So what's BRM more than BCM?
Sorry, stupid question.
Maybe I explained a slide first and then it should be clear,
Speaker 10 00:23:48 But without the business impact analysis, you can't calculate the cost for report. So the BIA is essential.
Absolutely, but I think the intention of the online respondent was exactly to make it more clear that the financial impact is relevant here. So for sure you cannot calculate, I have this in a current project where the question is how to calculate the impact of a specific, if an SAP's example. That's why I'm talking about if it's not available.
So are these all the people who are working with SAP related to the time that are not working? Or is it the collateral damage? Is it the expense is not being able to pay your, your the invoices and all this stuff?
It, it's really dependent from the organization how exactly you calculated. But at the end usually it's the money.
Okay. So business resilience management mainly consists of five building blocks, business continuity, crisis management, crisis response, IT service continuity where business continuity is a part of. And then testing simulation and education. This is a topic or these are mainly the topics we will discuss together. We will go through business continuity, crisis management and so on. We will have a look at potential crisis scenarios.
We use here as an example the standard of the German BSI number 200. They have a good foundation for that. We will do exemplary, really short emergency business impact analysis together. We will talk a little bit about emergency planning policies and governance and then also about the resilience of a business model. This is the first part. And then go through the other topics. Exactly. So maybe it's time just to start with the first chapter, how we do it that way. Okay. Business resilience management crisis scenarios. So usually maybe we do it this more in the open group here.
What would you say besides financial impact are typical scenarios you should cover in something like an business impact analysis? Is it, so I talked about something like fire, flood, I talked about financial impact. Is there something else you have in your mind as a
Brand damage? I repeat?
Yeah, that maybe better safety of people. That's a really good point. Just
Blackout.
Blackout. So power shortage, something like that. Yes.
Issues.
Legal issues. Yeah.
Yeah, exactly. Anything else? Also from the online attendees.
Competitors. Huh? Competitors. Sorry?
Speaker 11 00:27:00 Competition
Competitors. Competitors.
Sorry, sorry. Yeah, absolutely so's. Yeah.
Yep. Okay. So the base, it's BSI 200-4 and this is basically the standard, it's not really rocket science, we have for sure impairment of personal integrity, which is more or less the safety of people for sure. We have financial impact. So this is very relevant one, we have the damage to the image. Good example is, or a bad example would be the Tesla requirement. Some say it's good, some say it's bad, but it could have potential impact.
Some people are leaving, you are joining. Violation of laws and regulations and contracts and impairment of the performance of tasks. So these are the categories by the BSI standard. Again, question to the audience. I have to start the online poll, just a second.
This is, here we go.
Yeah,
Sorry. And we do it here again. So just raising the hand while the online people are voting is it number one, the impairment of performance of tasks, which you would say is most relevant and you are allowed to raise your hand more often. So a one for number one
Core business
Three, then violation of laws, regulations and contracts. Two. Very good. Negative internal and external impact. Financial impact.
Okay,
So more technical guys here. Impairment of personal integrity.
That's question
Speaker 11 00:29:19 I noticed when we all the discussion beginning about business resilience management is as a response to some sort of negative impact. I I put out there that also if you're truly resilient as a business resilient manage management, you also have to be looking and able to react to positive impact quickly and take advantage of it.
So it it's, it's interesting that it's all focused on how to respond to a negative event instead of also how to respond to a sudden say possibility of new business and that and be able to quickly
Yeah, it, it depends. Currently have a, or I saw this with many customers sometimes or usually something, some positive trend or whatever is sometimes handled in as part of the risk management as an opportunity, something like that. It's usually not, not part, it's business resilience management is more negative. Yes. But it really depends a little bit on on the organization.
This is but but this also depends on taking the business impact analysis. Is it, you could look have a positive impact, but usually it's more the negative one.
Sure, that's absolutely true.
But it's, it's, it is a good point because if you think of again, the pandemic and think you are Amazon and delivering goods to people at stay at home. Exactly. This is something that needs to be taken care of. But from from the management perspective that we're looking at here, this is done by other departments, by other, other team of people. It's more marketing, it's more business modeling.
It should, it should work together. It's
Speaker 12 00:31:05 Yeah, that's right. To really get to that whole business resilience.
Exactly.
Oh, sorry, I'm
Speaker 11 00:31:17 Talking about at that point it's, it's truly about, if you're talking about business resilience management, it shouldn't be run inside of that. That is a overall business model that what I found is typically that's already being done at some point, at some level from the business itself. It's a matter of getting into that from the security standpoint, right? And making sure our risk and impacts are addressed in those. Cause most mature organizations are already have some sort of business resilience to some disruptive event happening to their business.
Right? But that's for this, for the topic of this workshop, this is where we want to bring them as of today to have the more holistic view to also benefit from events that are happening that might be adverse to others might be beneficial for us. That is a good point and a great point to make. We are currently cybersecurity people.
We are looking at the negative parts as
Speaker 13 00:32:25 S
Speaker 14 00:32:27 I Sorry, I think you're making actually a great point here because I mean of course as, as also you said it's a, it depends on the definition of resilience or business resilience, but I think what you were also referring to was stuff softer stuff like being at certain capacity, being at resources, being it knowledge management, the mindset of the people. So reacting not only to adverse events but also taking opportunity if something happens.
And I think that's really then part of the definition or the wider definition of resilience. I, from that operational risk perspective, somewhat I would call it here. Totally agreeing with that so far.
But yeah, I think it's really then in the beginning of, of what you define as being part of business resilience and how this is then kind of playing together. So yeah,
Yeah, basically coming back to the initial definition to risk and disruption. So it's really the negative, negative forecast of potential things that might happen hopefully never happen. Any other feedback?
Yeah,
So just a second keeping
Speaker 15 00:33:42 Please elaborate more on the fifth scenario, like impairment of personal integrity. So what do you mean by this? Thank you.
At the end, any harm to a person of the reputation, whatever related to me, for instance, if I would say something that's maybe not a good, maybe it's a good example if I would start to say here something like the other company which is also doing analyst stuff is much better than KuppingerCole, which is not true by the way.
This is something that harms potentially KuppingerCole, or on the other hand if KuppingerCole would say Christopher is talking something stupid, whatever, any kind of damage to an individual. This is more or less the number five.
Yeah, but
This is the CSO is a good example. That's my other hobby. Hobby was coping a call you can prepare but at some point in time if there's really an incident and yeah,
Exactly, we're having to chat the example of the, of the, of the child, of the CEO getting kidnapped. That is something that of course is
The other
Example, impairs the integrity of personal integrity of course, which cannot be well prepared for because how can you, how do you think, think of the Pelosi incident that we've seen.
This is something that where where does protection end and where, where can you prepare for something like that? Of course you need to prepare for the, for the outcome of that in the organization, but you cannot prepare for the event being, being manifesting.
So that's, that's the issue here as well. But thank you for the comment. Yep.
So we have a lot of new attendees here. Enough space. Perfect. Okay. The online attendees for today, answer can be seen here by the way. So number one was financial impact, right? Number no was not, violation of laws, regulations and contract was number one. Number two is financial impact. Then we have impairment of the performance of tasks and somewhere else. Negative internal and external impact. Damage to image is number three. And then two voted for impairment of personal integrity.
But I think this is interesting to see violation of laws, regulations and contract in the first place because this is also a shift in the mindset to understand that violating something like the GDPR can really harm your business maybe even more or maybe more likely than financial impact that comes from any other event that might be a landslide or an earthquake. GDPR is much more tangible than an earthquake.
Okay. Business impact analysis on some more details. So just brought it down here. What is the goal of a business impact analysis?
So it's determining the impact on business interruptions and the result is something like measures that show you how big the impact of a failure, failure of a single resource or a business process is for your organization to understand do you need to prepare if something is happening or not?
And we will do this as an exercise here as well, but we will focus more on financial aspects because this is usually if you start to do something like business resilience management with a business impact analysis in most companies you really start with a financial aspect because you can also translate some of the other typical scenarios to potential numbers. So financial impact, even if the sounds in some cases a little bit strange, it is possible.
And business impact analysis is also something, this is nothing you do once and then you are done.
This is something you have to repeat more or less often and you have to start on different levels. This is something we discuss, we will discuss later on, but you are all all from organizations, biggers or smaller ones. And just think about all your business processes and having a look at the related resources and all that stuff. This is so much work and you really need to do something like top down approach and starting with a, the overall processes and topics like that.
The result of a business impact analysis is you have a look at how long can you live without a specific process.
So whether it's one day, two days or two weeks, it gives you an overview about your time critical processes and the dependencies and you have something like or you, you get also some insight into the recovery time objective and the recovery point objective. So for instance, if you can live without a specific process two weeks, then you also need recovery time objective, which is a little bit smaller as another example I just have a look at after that slide. And recovery point objective is something like the backup idea, is it once a day, is it per transaction? Is it once a week?
It really depends on that stuff. This slide explains a little bit better. Hopefully when you do a business impact analysis you think about business processes. So just have an, let's talk again about SAP, but this is an exercise later on or exactly after this slide.
SAP, SAP has billions of processes but something like I want to pay the invoices for suppliers, just take this process. How long can you live without that process? What would you say? Is it one week, two weeks, four weeks, eight weeks? Many volunteers, no volunteers. So no one from the financial department. Just a
Speaker 16 00:40:46 Guess maybe one day or two days and then the impact strikes. So I would say much less than a week.
Okay. Are you from a bigger or smaller organization?
Speaker 16 00:41:01 Midterm I would say.
Okay.
Interest
Speaker 16 00:41:03 A thousand employees but it's a financial sector and if you are down then the impact is really, really
Fast. Okay. Okay.
Speaker 16 00:41:11 So 24 hours money don't get money. The ATM is
Horrible. Okay.
No, my process was that you are as an organization not able to pay invoices via A from suppliers. Okay. So something like the O365 bill, which is monthly or your consultant from,
Speaker 16 00:41:31 Okay. Oh then then it's a longer time frame.
Speaker 17 00:41:35 Just a sec, sorry.
Speaker 18 00:41:39 Okay, so my first question is to you back to you is what is, what are your suppliers expecting? Because that's the first one. The second one for me is you normally, if you do a BIA correctly, you have business processes which will work when there is a technical failure.
So you need to know that. So this is the problem in a big large corporation that you have to tell the business my, IT can only work this and this much because of money problems or whatever. So you have to have these two things. You have to know when is the supplier expecting it. And to be honest, in very, really large companies you have the leverage. So it's not that important, but you can still send money in another way to need sap. So you have to think about that.
Exactly. So that's why I ask first, how big is your company?
Usually you have a, what's the English word, interval payment, interval whatever of 30, 60 days, three months, whatever. Sometimes you have some kind of discounts, 3% if you pay it within seven days, whatever. But this is not that important for for sure from a credibility score, if your company is not able to pay your supplier bills for, I don't know, 10, 10 month, this is horrible for your company.
But if you are able to pay one supplier or two suppliers or you have 10 of them and they have to wait one week, there is some invention called phone, you can call them and say hey, we have technical issues. On the other hand, if you're not able to pay your M 365 bill, someone from Microsoft in the room,
Just as an example, I would not expect that they wait too long before they shut down just your, or block your access in the worst case. And this has then something which has a lot of impact for your organization.
And this is the challenge when you're doing something like a business impact analysis and I'm just talking about stupid payment of, sorry, about a valuable payment of a supplier with SAP. That's just one process. What would be, if I talk about SAP at all or just about the overall process, you mentioned paying an invoice, which is more or less second or third level of a process framework. And this is exactly the challenge when you do something like a business impact analysis, where do I start?
Usually you never start when you do something like this the first time on payment for SAP supplier, then you take SAP as a foundation because you want to identify your most critical, know I'm spoiling a little bit from the future, next slide.
But it really depends on the organization on the impact. And this is nothing where you have one standard blueprint which solves all your problems because here you for sure can differentiate between smaller and bigger companies. There are some basic stuff but it really depends on the individual contracts and on your organization.
Oh, back to the slide because you are some relevant numbers explained. So first of all it's possible to share my ah, it's working.
No, not really. Okay, so on this slide you can see a two big process on the left side we have, if I'm not too fast, it's working. We have a business operation which is 0% and 100% level of business operation. And we have an emergency operating level. So only if, let's say this SAP, 50% of SAP is working, this might be my emergency operating level.
So this is sufficient. The normal operation level is here and the recovery point objective is what I mentioned. SAP is a good example because SAP is usually a transactional system in most or in many cases.
And if you lose one, especially in financial data, this is not really good for you. M365 or Teams, whatever, it's document based, day based, month, weekly based, whatever depends on the risk appetite of an organization. So the recovery point objective is really the how long can I live if I lose some kind of data here or the data that is related. The recovery time objective is the time that is needed to recover such a process. And the maximum tolerable period of disruption is the time, exactly what we discussed. How long can I live without that process?
Is it one day, one week, one hour, 50 minutes, 15 minutes? Really depends.
And this is the point where you need to get the business on board to translate to and to understand what this MTPD as a key figure actually means. And that needs to be translated into actual tangible business outcome. What is no longer working, what does that mean? And these decisions are to be made by somebody who is in charge.
So this doing this exercise on an organizational basis that as Christopher said, this is nothing that you can do as a blueprint and take this from one organization to the other. This needs to be well formulated, well executed and well translated into business lingo so that they understand what to do and what it means. And then defining MTPD and then going backward to what does that mean when I create my business resilience management strategy. That is actually what needs to be done to get the board on board to understand what needs to be done.
And maybe I wanted to go back to the question, what is the communication that needs to be made? SAP is not available, it's not a language that they understand, but here you can tell them these are the processes that are no longer working and this is where you need to focus on.
No problem.
Speaker 18 00:48:20 Your example 365, I really liked, I had an experience like that 20 years ago and we, it's not a large company and the, the CFO was not telling us whether he was paying his bills. We didn't use SAP for the bill and I didn't know that he was not paying for my network.
So it was a, you know, the, the DW to DM at that time, he wasn't paying and he had gotten letters from the company that he wasn't paying. So on Friday afternoon I heard I was the chief for the whole technology there. He told me we are not going to have a network in an hour. So I like your thing because I was so angry at the CFO, I got him fired by the way, but this was, I did get it done. So we had to rebuild everything over the weekend because I knew that we had a problem there, but he didn't tell me.
So it's not just that you go to the business, the business has to come to you too cuz I didn't know that we had such financial problems and that's, that's the stuff it has to be bidirectional. Absolutely.
Thanks. Thank you.
Okay.
Any, Yep
Speaker 19 00:49:37 Everyone. So just a quick question. So since you are on RPO, right, what's the view of something that's acceptable RPO when you, when you look at the industry, I understand different clients have different RPO requirements, but then recently we had a client that asked for zero RPO. So what's your view about that? Is it achievable and is it realistic? Thanks.
It depends. I I mean if you invest enough it's, it's possible you, you can make some recovery point every second or usually every transaction depends a little bit on the system.
In the real world, what I see with customers usually one hour is if have something like a traditional recovery point is the smallest amount here it has another question, but usually it depends from or it's most typical timeframes are daily and hourly and transactional.
Speaker 19 00:50:44 Yeah, so, so yeah, I think achieving zero RPO is quite difficult. Sometimes we rely on like cloud technologies, like let's say Azure and their backup schedules are like 10 minutes.
So the customer, if they're on Azure, they have to tolerate a 10 minute RPO because there's no way we could back up every second. It's not technically feasible. Yeah. So I think that's the challenge.
It depends a little bit on what you use on Azure. Exactly. Is it a cloud server service or SQL database?
Yeah, there are also some, some non-Microsoft tools that can be used to make something like a backup that's also typical for teams or all SharePoint stuff that you use, something like that. But usually one hour, 10 minutes for transactional. These
Are technical systems that you're trying to, and there's much more option to achieve something like a zero or almost close to zero RPO.
But there's an example in the chat that I like very much, and this is something where I would like to see you have a zero RPO that is the cell manufacturer and the plant in China that is making screens is burning down but you are fully relying on that partner and there is no second choice to have these screens for your smartphone being made and this will end up in a lag of eight months. So there is not always the option for a zero RPO.
It's not only cell phones. I don't know who of you bought a car in the last two years or at least ordered one. It's horrible. And all these topics are still there. Business resilience management is a collaboration business And it,
Yeah, exactly. So business resilience management is a collaboration between business and IT and it's no nor says independent or doesn't matter, who starts the collaboration at the end. Everybody should work for the resilience of the company at all. That should be the goal.
And coming back to the zero RPO or something like that, this is technical, you always find some way to do that but at some point in time you can again challenge risk appetite of losing data versus expenses and management usually says if expenses are here and risk appetite is here, no the other way around then accept maybe to lose in some cases data to save some money. It really depends. I mean sometimes you have such critical data, usually more in transaction-based systems that you need zero.
Okay, so time for some exercise depends a little bit. We are many people here in the room. The idea is a little bit to all of you that we discuss besides the SAP, maybe some processes from your organization or based on some experience within your organization if you want to, don't want to talk about too details three processes also with dependencies, if you have something maybe we stay with SAP, it's fully up to you and just make yourself, how are we in time?
10 minutes also for the online attendees and think, think about such processes and then we pick out some of them and discuss them a little bit here in the group. Maybe it makes sense. That's what we did in the past. I don't know how open are you? You are in communication to talk at least to the one, to one person next to you left or right. It's fully up to you if you see that someone is more looking on his own shoes, just start to communicate. So 10 minutes time for thinking about that. So we will continue ten five past 10 German time zone if someone is not from from Germany joining.
And for the online attendees it's a little bit difficult but it, I think it makes sense for you. Just do it by yourself and think about three potential processes. Maybe they are related into each other.
And if you can type your results also in the chat from, from your, from from, for the online participants, that would be great just to have some, some examples to pick from and if you can really work together, that would be great. 10 minutes from now.
So now we, we are quiet, don't run away for coffee. This is later.
Coffee is in 20 minutes, 25 minutes or
So. It's looking forward to the dynamics of the room
And and if anything's unclear, I'm here. Matthias is here, Kai is here. Even if he's just surfing on Facebook.
No, he's replying in the chat
And I've seen that there are discussions going on. So I would really like to go quickly through the room and just collect some of your input and I will always start with one questions. Are you from the same company or have you identified each other? Just talking to each other. Maybe I can start with you. It's okay. Okay then what is your example when it comes to such process?
Speaker 20 00:56:07 Yeah, for us the, our reputation is the most important thing for us. So we have a known internet banking and for this the MTPD would be like maximum of one hour.
So for a user using internet banking, you can think, oh it's offline, but you don't wait two or more hours to, for your banking to come back for your webpage, right?
Oh, okay. So your business process is payment accessing the online portal as an end customer.
Speaker 20 00:56:40 Yeah. Okay. Yeah.
Okay, sorry about
That. No, no, no, that's, that's translated if you go to the board and say online banking is down for one hour, this is a message that they will get.
Speaker 20 00:56:52 No they they will come to us and say what did you do wrong?
And
This is why business resilience is relevant because in the best case you can tell them, oh we have a problem, we are working on it.
Yeah,
Speaker 20 00:57:05 Yeah. But we can show them why and what happened. So that's also important and that it was not US
Price I being like, oh we have problem really?
Speaker 20 00:57:19 Yeah. And for sure we have problems with DDoS and but this is no for us no problem since we have a good solution for DDoS and but they always say we are only the IT security so we are not responsible for the rest of the internet banking. And we can also say no it was not DDoS. Here you have the screenshots of the system. So go to another department.
Okay, access to online banking one hour, MTPD, sorry. Any volunteers who work together who does not work together usually and have come to hand over to you.
Speaker 18 00:58:03 Absolutely different. You're working as a freelancer in security and I'm an external CISO. I used to be a CISO so we had of course you just read it because I can't see a thing on that board. So it was Active Directory, which is opposite technical thing. But so business understands this because you tell them they have access to nothing.
If you're really unlucky, you don't even have physical access to anything. So this is a major problem and okay, so with my huge company where I worked first we obviously had a day because you cannot do it differently at that time with all the things other than that. And we had to be sure that there is enough business processes because to rate dependencies. So there were 6,000 applications having problems in the small company I work for now they had a problem not with Active Directory.
Speaker 18 00:58:57 That's another process for physical access where you have now these digital keys, I'm just calling it that way nobody could access their, they have to work at the job, they have to go to the work. So they couldn't get in. That's not supposed to take any time because they have to get in at nine o'clock. And the third one, because she asked for three, I have one on my own was production sites, big production sites like you had with the mobile, I'm talking what you were talking about, but the cars, Yeah. And then you again we did have outages on the production site.
The dependencies are huge. Yeah, because you're not delivering time. So it costs the company a lot of, but it's also very different, difficult because you have so many different technical So did we answer the question now?
Yeah, yeah.
Speaker 18 00:59:45 Okay.
Have you also prepared something that you can hand over the microphone or did you not? I don't want to force you.
Speaker 21 00:59:52 I, okay. Yeah. So also different companies. Well also we identified the, the subject of identity and access management. So when you have those tools and they fail, then you are gonna be blocked out quite fast. And then also it's like in the banking example, it's like maximum an hour and he's from a bank, I'm from management provider.
So for us it would be like both for him it would be as receiving the service and his clients start to call and say I cannot access my services. And for us, of course our clients would be in a way locked out. So there it's like maximum an hour, best case, even shorter.
Speaker 22 01:00:28 We have the same case in the chat with 30 minutes. So you seem a little bit
Speaker 23 01:00:33 More horrible to
Speaker 22 01:00:34 To timings there.
Speaker 23 01:00:37 On my side, we are banks, so the banking system, internal banking system, we don't provide transactional e-banking. So we are private bank, so, So the internal banking system would be also an hour or so where the traders can use their own tool to to trade. But then you have to get back to to the, to the real transaction at the beginning. So an hour I would say
Also the trading platform or or because this is usually one, one partner,
Speaker 23 01:01:14 No trading platform would be less, I guess. And it depends on the context.
If it's hot on the market, yeah they're not very likely to accept an hour or so. But usually they have different tools so if one is down they can use another one. So they'll always work around I would say for traders.
Okay, great. Thank you. Anybody else here did some preparation? No.
Okay, then I have, I have seen you talking Any any examples from maybe choose just one.
Okay. Okay. Anything else prepared here? So really a business process and the MTPD one example something else. I don't want to do this, why not?
Okay, then we go to the chat and I think there were some interesting ones as well. We have seen Active Directory as the means of authenticating and authorizing people with 30 minutes, as Kai has mentioned already, network ID provisioning and deprovisioning MTPD of one day. That also has quite strong requirements when it comes to creating everything that is required to achieve that one day. SAP Concur expenses, MTPD seven to 14 days. I think that is realistic when it comes to being still accepted in the business.
And finally internal communication, Slack, email, Zoom depending on the role. Two hours to two to three days. I think with, again, COVID being around two to three days, no Teams, no Zoom, no Slack.
Finally time to work
Exactly. So that that, But I think that that's good examples of what you need to prepare for because then this is the point where Christopher can then jump in again and explain what that means in calculating forward and backward and what what to achieve here.
Perfect. Thank you. Thank you. So really valuable insights. Keep it in your mind.
We will use it later on or in in a few minutes. Before I go to the next slide, I want to share something again, which I shared at the beginning is an animation, which is a really interesting stuff. Just think about the processes you discussed about then have a look here.
We all, we have no single non-IT-related topic process and this is something which is really important. If you do something like a business impact analysis for sure, probably all of you are related to IT, I'm as well. But don't forget the others, don't forget the other processes involve also the other department like HR, like finance for sure, SAP, one of the board members, whatever. These people have other knowledge, understanding and view on the company. And this is relevant for such a business impact analysis. It's not only IT, it's also, it's IT for sure, it's an important part.
It's technically what you can cover at the end, but it can also have problems because of other topics.
Some delay, we have another process human error can account for up to 80% business failure.
Yeah, exactly. Okay, next topic I wanted to discuss. We have two hours, two, three days, seven to 14 days, one day we had one hour mainly something less, I don't remember, and 30 minutes. This is something that you have to configure or think about yourself before you start business impact analysis on your company. So the timeframe, so in that case, because I already mentioned some of these values, but you should think about some kind of standardization here.
The business impact analysis is usually you can do this by Excel, there are tools for that, but usually you have something like four to eight defined timeframes that you use for, for identifying how long can you live without it. Otherwise it's really getting complicated to compare them here. Just as an example, two hours, eight hours, 24 hours, four days and 10 days. This is a potential one you can use. I currently have two customers working on that where we also have 10 minutes because it's a really critical application.
Also one hour and instead of four days we have seven days and then we have 10 days. And this configuration also depends a little bit on what level of business impact analysis do you do when you do it. The first time I mentioned don't start too detailed. You might think about smaller time frames bigger in some cases because this attributes modify at the end how many critical things you have.
And this is something you should have in your mind before preparing. And if you do it for instance with that way, like you say, I would accept for my process, Active Directory is not working for two hours.
The potential of damage for me is medium, not good, not bad, but I can live with it. If we are going to eight hours, this is high. The impact to my business is really high. And this is a critical thing here and this is something you have to have in your mind. We talked about five different scenarios. So one of them was financial impact and you need to translate what means potential damage here. So what is the damage to my company if I focus on now we start to share means that's great.
What is the potential damage of not being able to work with Active Directory for one hour on a financial perspective?
How do I calculate that?
That's, if you have the answer, please tell me because this is really a challenging thing. You just can calculate, you can make a lot of assumptions of people not being able to work, people are not able to produce excess data, whatever. But this is the critical thing I mentioned at the beginning, financial data or money is the thing where you can argument against your board members. I need budget for doing that. But really the challenge is to translate it here into concrete numbers. And that's not really an easy part.
The BSI 200-4 has at least on a quantitative level a good explanation for that. So again here in this table we have here the potential of damage, low, medium, high, very high. And we have the different scenarios like the financial impact or the impairment of personal integrity because we worked on the financial impact.
I graded a little bit or highlighted a little bit. For instance, medium impact on the scenario financial. So Active Directory is not working, means the financial damage is tolerable for the institution. And number three, which is the level we would not accept anymore.
Going back to that example here. So the number three here means the financial damage to the institution is substantial and has a lasting impact. And this is based on how you also defined your risk appetite. Usually companies have, or many companies have defined their risk appetite in one of their policies as for instance, 30% or 20% or 60% of the EBIT, annual EBIT, something like that. So you have a quantitative measure.
And if you can say to your board, if Active Directory is not working for two hours, the financial impact is 40% of the annual EBIT, then you have by the way complex business model, just assume that it is that way.
Then you have a really good argument for getting budget to improve Active Directory example, you maybe need Azure as a fallback solution. Maybe you need more service, whatever really depends to stay on this Azure example, but maybe also you have to build up a second data center with the replication, all that stuff. So really depends on the processes.
And this is a really, very important part which I wanted to focus again. So think about your processes. So the online, the accessibility of the online portal for end users. And you said one hour, right? It was one hour. So maybe your company, because you said it's a banking institute, one hour the lowest number would be then maybe 10 minutes or five minutes. Second number would be then one hour, then we have two hours, whatever, and maybe five days as number 3, 4, 5, whatever.
And if you have something like a categorization here with that, using this scheme to put your processes within that, then you get usually a really good list of potential critical processes. But processes are just one part. Active Directory is something like a mixture, but I think no first the task. We also have resources that are used within these processes. So your business process was accessing online portal for end users. And in the back end there is probably a failover cluster. Some kind of server, banking software, databases, access management, some security operation, whatever.
Running this, these resources are part of your process.
And business impact analysis should then say more concrete to coming back to your scenario. What is the critical resource here? So for instance, is it if the failover cluster or the load balance, whatever, the automated analysis, whether there's a DDoS attack or not. Is this the problem? Is it the access to the database or something else? This is at the end what we need to know. So we need to break down the business process to the resources that are used. And this is the next task for five minutes, please.
Take the business processes and think about the used resources. If you have Active Directory, just think more about Active Directory is for sure one resource. And then more think about the business process, like people want to access their computers, maybe the business process using Active Directory. Active Directory is one resource. Maybe you'll have an additional IdP, whatever. So five minutes. We will continue at 27 10, 27 German time zone again. And also again for the attendees, just paste your resources in the chat. Thank you.
Speaker 24 01:13:36 If you,
Okay, before we come to the coffee break, Coffee break. A quick question in the round, what other resources, just a few examples, you've discussed your scenarios, if you discussed your processes and the MTPD and what are the resources that are involved that need to be considered? Maybe again, may I start it with you again?
Yeah,
Speaker 24 01:14:07 Yeah.
Speaker 20 01:14:08 We have many very special resources for, for the internet banking in this example for sure.
Databases, the DDoS applications, many network connections, internet connections, and some very special resources that we need to provide data and this stuff.
So it's quite, it's quite a zoo of things to take care of to, to
Speaker 20 01:14:36 Maintain many things there.
Yeah. Okay. Anybody else? Blah blah.
Speaker 25 01:14:42 I don't,
Speaker 18 01:14:47 So his idea was, and I thought that was really good for the Active Directory part, when it is, when there is a crisis. So you're thinking of the mitigation beforehand.
Obviously in a small company, which nowadays I'm more or less advising, I need to have these resources on the site. So I need a contract with some company who would help us if something like that happens, right? So because you don't have these amount of resource. So he was looking for do I have enough skilled resources in such a situation? Because you will not ever get a big Active Directory up again within an hour. Forget about it.
Yeah, that's, that's just not true. And so we, and then we were thinking about the business processes and I would like to remark on that because if you go top down, you start doing the business processes. And so you need to know from the business side what are your critical processes. So you need to know that from the business, what do they see there? And his case with the online banking I think is wonderful because they're, even in the applications I've had things like authorization problems, The application didn't do that correctly. We really had to search.
So you need to know all these little steps. So lot of work in this Well, but this was Active Directory.
I, we had skills with it.
Okay, great. Thank you. Anybody else? Some input? What do we have in the chat? So I have to check, it's here already. So time billing, software, HR tool, cloud, sss, sso, service, SIS and DevOps and yeah, resources keep people to drive the business process and IT supporting processes. It's people again and again, human resources.
Okay, great. Thank you for contribution. Any anybody else? I don't want to.
Okay, so then back to Christopher.
Back to Christopher. Great. So resources.
Let's take, sorry for picking your example again. The failover solution for the DDoS attack, you mentioned the overall business process has an MTPD of one hour. This means all the resources you mentioned must be available or restarted. So we need an RTO less than one hour. That's what exactly this kind of business impact analysis says to us. And if you translate this Active Directory was a good example, restarting a whole Active Directory, maybe putting in some backup, whatever within one hour.
Tell me how would be interested in doing that. And in some cases like Active Directory, then you end up in having something like a risk entry, like it would not be possible. Or in your case, having a failover scenario, failover, cluster server, C os, protecting whatever you need to take your tool, the product you are using, check this, whether it is possible that you have a recovery time less than one hour.
And if not, how to achieve that.
If this is technically not possible, then you cannot fulfill this T or on the other hand, if you need other solutions, extensions, whatever you need based on your business process, you might end up in investing something. And investing is again financial where you discuss, okay, then maybe we live, if the website for online banking for end users is two hours, not available, this computer solution, but this is at the end of the decision then of risk responsible person, CFO, CSS or whatever, who is in charge in the organization for doing that. And this is basically the stuff that is relevant.
What I wanted to achieve was talking about the resources with the view is again, we ended up in technical resources. So information technology, but also services like business services.
So not, not software as a service. This is usually information technology. Also information infrastructure like the building, like in production, something on the factory floor, any kind of machinery, equipment, whatever, operating resources and wrong direction.
Ah, that's all on the slide. Perfect. And any operating resources, these are typical categories you use within your business impact analysis as well.
And again, we just talked about information, information security for sure we are information security experts. But keep that in your mind. Okay. To summarize a business impact analysis is usually you assess and identify critical business processes. You identify dependencies, you identify resource dependencies.
This is what we did in the last five minutes. And based on these resources you identify, you can usually, if you have a big tool, Excel, whatever you use for the business impact analysis, you can see what are my most critical resources and usually Active Directory is a part of that or Azure, whatever. So surprise, if you are based on that and for these resources, they are called usually single point of failure. They harm your organization in that way that you really need a plan B for them.
This must not only be Active Directory, could also be the building where your management is located, whatever or your research department, all that stuff. And this is something you need to be aware of. Yep.
Speaker 26 01:20:51 When does likelihood come into
Play in Matthias? Part likelihood is, or the traditional risk management that I share the slide.
Speaker 13 01:21:07 Okay. And for
I noun, what you know the business impact analysis is really looking on the process.
It, it ignores existing measures and it focuses on the how long can I live all that process. What you are talking about, the likelihood and all that stuff is the part of the risk assessment if you do it in business continuity management. So you take the probability and the impact and so on that we will have later on. Also an exercise, maybe a short one, but this is something you cover there. The business impact analysis is really not focusing on this stuff. That's some forecast for a later slide. Okay. Yeah. Single point of failure.
So what is, yeah,
Speaker 26 01:22:13 One question so far, I would've differentiated between business process and a technical process or, and the dependencies to different technical processes behind all the things we discuss is about technical processes. From my understanding, when we speak about SAP or AD or whatever it is, network, somehow I didn't get it because, so because I think when we, when we speak about business impact analysis, we actually should need to define the, or identify the business process first.
And and, and don't get the connection here.
Sorry, I was not following 100%. You are asking where the relationship to the resources here, right?
No, no. The business process and the technical process, How do they correlate when,
Speaker 26 01:23:06 Okay.
Again, again, all the things we need, all the things we discuss here is about technical processes. And I don't see the mapping to the business process actually
That's exactly what I meant at the beginning because here are more or less technical people and we talk technical stuff. When you remember after collecting the business processes in the first phase I mentioned don't forget the other people and switch back to the overall view. So usually, and we are technical people here, but usually when you do a business impact analysis, you would start not with SAP.
You would think about, I need to pay, be able to pay bills or invoices, whatever.
Speaker 26 01:23:49 What is the actual business
Going?
Yeah, exactly. That's, that's, yeah. And then you break it down.
But here, for, for the audience it was, it is more easy to look on a deeper level. That was the end. Maybe
Speaker 26 01:24:01 I didn't get it in the beginning.
Okay. Sorry for it. Okay. Anything else?
Speaker 18 01:24:09 Sorry to answer your question. There were two examples.
I mean, his online banking is a business process, is a real business process. So he was actually right. He was just then breaking it down in his area. I said production areas. Can you imagine what happens when a big car manufacturer, if the production is failing?
That's a, that's a business process. That is a real business process.
So I, I heard what you're saying. I agree with you that we broke 'em down too quickly maybe in techno stuff, but this is what the audience is here. But there were two main examples which were business processes.
Exactly. That's why I used his, his example.
And this, this is also something you should take home with you, that you focus on the business processes and not only on the technical stuff, because you usually start on a certain level, if you want to do it properly, you really start very high level because otherwise you will end up in thousands of processes, business processes, and some end technical processes. And this is nothing you can handle at the beginning. And you can handle this with 20 consultants from external organizations. But what's the, well you one more feedback.
Speaker 27 01:25:32 I had the pleasure to, to map those or to create those business processes once for a big company. And it's a real challenge to break that down into the systems, into the system processes because usually business processes are running over several platforms, which causes a lot of trouble finding the right people, understanding where the borders from the business processes down to the technical stuff. And so what, what we found most of the times is that a business process runs over several technical processes and we have to break that down.
And that is a real task to do.
Did I notice some irony when you said pleasure?
Speaker 28 01:26:21 There is
Absolutely,
Speaker 28 01:26:24 It's
Speaker 27 01:26:28 Right.
Speaker 28 01:26:32 I'm sorry.
Speaker 18 01:26:32 This is a very difficult thing and that's why 15 years ago there was this tool called Alphabet. Do you know that or did you find a tool because that you put the business processes on top. I was working for the government at that.
You put the business and then it goes down all the layer down until your last bit of infrastructure is firewall. Yeah. And that's, you could get that picture. It took me six months for, or not such a large thing, manual actually. That's all, It's very difficult
Speaker 28 01:27:04 Business
Speaker 18 01:27:06 Who understands these processes. Well break down
Speaker 28 01:27:09 Technical stuff and then uses two,
Sorry,
Speaker 27 01:27:23 Sorry.
And so you end up with a, a huge amount of systems, different people, and you always have the question, okay, where are the boundaries from one system to the, to the other? And yeah, that, that is a real challenge for people, especially if they're not so technical. Right.
Great. Thank you for the, for the practical insight of, of this aspect. But I fully agree also with MS that that there needs to be this mapping done, but also the borders are blurry between technical and, and, and business processes.
And, and we have in, in two minutes there's a break and, and this is one of the biggest challenge we discussed here. So to to know your business processes, you need to know your business model, your goal. You need to have a proper level of baseline defined, what processes are there. You need to know all your resources, you need to have responsible persons and all the stuff. So have you, you have a lot of prerequisites here. Yeah.
And for all organizations where I did a business impact analysis, they had after that first process a lot of homework, because they need to improve their asset management, their asset inventory, their process framework, so how they define processes, different levels and all that stuff. And this is something that always comes up here and that's why I mentioned at the beginning, don't start with the detailed stuff.
Start with with really with the high level processes because this helps you in a first phase a lot.
And you can then start the other related projects to really dive, dive deeper here and focusing on the business process, breaking it down to the IT processes improves your business, your business model and makes you at the end resilient. That that's the goal. Why we are here, We want to improve the business resilience, we want to identify the critical processes, business processes, and therefore we need to know them. And that's, that's homework. That's a lot of homework. Yes.
I needed for 27001 whatsoever, 22 years ago I was writing the organisms and zoom at PORs for business process modeling. And I can tell you, okay, I started, learned my ropes as a process engineer. That is an uphill battle. So I totally relate to what you're saying, but these days, so Alphabet, I have new Alphabet, but there's a tool called leans. So chances are if you are within a VW group, if you're a large organization or is it e on energy, whatever.
So that that's, and, and it's easier, I found it easier to engage with the executives of large organizations looking at business capabilities. So they don't need to kind of, we need to think for in, in, in terms of processes, how are things related? But there are tools to say what's business capability, what's it service, and how do you kind of, how do you make it a domain as opposed to the process map.
So
Okay, great.
Leans,
I think we discussed this with a cup of coffee.
Yeah, outside and when, when do we need to be back?
Depends a bit. You would be surprised. Be a little bit over the time. But that's, yeah, that's how workshops work. This is very valuable. These discussions. I would say give us 15 minutes and we continue at 11. So one hour left. Perfect.
Outside, perfect timing. Outside, you can grab a cup of coffee and have some snacks. Okay. So welcome back. At least online. Maybe you have had a cup of coffee here onsite.
Steve, the people are still collecting their cup of coffee, but I'm pretty sure they will join within the next few minutes, otherwise Kai will go out and find them. Just
A quick comment or catch them. I've seen in the, in the, in the chat that Daniel introduced himself. I think this is a nice thing to do also for the online participants because we are here, we who are here in person, we talk to each other already. We see the names and we see the badges and where we come from. This is much more difficult in the online work.
So if you use this to, to hint to your, to your role and what you're doing here, I think that's, that would be a nice idea just to to, to interrupt you. But, but I think we are a great group of people and working together. So getting to know each other might be, might be a good idea.
Absolutely. Right.
And if you want to discuss in parallel in know it's a little bit difficult, just use the chat function and then just one hint, if you have a question to me, then just tag me, then I can see this much better because when I'm talking, I'm not 100% able to check all messages and identify whether I'm the one who is the recipient or not. Okay, so one hour left, no, 58 minutes.
Oh, next topic will be crisis management. So pillar two. So what is relevant if you want to prepare your organization for a crisis, I think it should be obvious, but better we discuss it firsthand. You need some kind of team. So who is involved? And maybe one of you is familiar with incident management, preparation is key and you need to have some kind of team prepared. Someone who is in charge of identifying whether there is a crisis, evaluate the impact of the crisis or the real impact.
Start all your prepared plans. Start what is there, what you need to do.
And therefore you need a team, and every team needs some kind of organization, especially if you are under attack. If you have a ransomware attack or your website, your online website for financial stuff, is not working within one hour. Who's the lead? Who decides, okay, we need a plan B.
Okay, we need to purchase an additional firewall service, whatever from company abc. This is something you need to have. You need to know who is, who is responsible, who can decide and that that's really a fundamental thing. And the the third pillar we go, we will go a little bit deeper into the organizational or responsibility topic in this chapter. But also communication is relevant. Just think about different potential scenarios. On the one hand, your IT system could not be accessible.
Your Skype, your mobile dev, your telephone provider's not accessible, whatever, you cannot use your phone. This is something you have to have in your mind. Maybe Exchange is not accessible, you cannot send emails. Maybe your Jira is not accessible, you cannot raise tickets. What else? Meeting people in the office is also a common thing. Maybe you work from home, you don't have the number or the mobile number of your colleagues, of your boss, whatever. So you need to have some kind of preparation of different paths for communication.
So in case of for instance, you identified teams or Skype or your mobile provider as single point of failure and you have a plan B, This plan B must then include, okay, we communicate all this your private mobile device, which is GDPR relevant, another topic. But for that you need to share the numbers. People must be aware of that and all that stuff.
And this is something I mentioned at the beginning. You need to be aware before you need to explain it to the people before, not when you are in the crisis.
If it's, if you are currently under attack, if your building is burning, it's a little bit too late to decide which is the emergency exit, which service need to be carried out first. Something like that, that's too late for them. So the preparation here is really essential. Maybe for different departments, for multinational organizations, for every building, infrastructure, device, whatever. This is something you need to prepare and this is pretty relevant and usually there are many people involved.
This is just an example, but also the chief executive officer, the C, the chief information officer, team leader, line of business, external partners, IT operations, risk owner, whatever. All these people could be involved or should be involved on a certain level.
If you really have an incident that is, you remember we identified what was the concrete financial impact is really high to your organization, probably chief executive officer, at least the chief finance officer or chief operation wants to know about that.
And maybe in the chain of command, he is the one who decides what to do on a certain level. This really depends on the business process.
Again, coming back to the different layers of the business processes, what is relevant. So if we go back, people want to access their device using active directory. It's maybe the IT manager or the responsible person for the internal it, who is in charge of doing that. But if it's production down time two days, then maybe it's the chief executive officer and not only the head of production or however you call him. And this is something which is really relevant usually, I'm pretty sure you know about it if not the, however you call it.
Metrics is a good tool set here.
So you need to define who's responsible, who is accountable, who's consulted and informed and just wrote down a really high level example here of a potential impact or potential accident, usually not accident incident. Usually you write down something like a table. Maybe this is part of your policy, you remember we have some kind of policies or your scenario or your resource emergency plan that you write down who is responsible, who is the overall risk owner? Who's the one who's in charge? Who do I need to support?
Me and myself, we had a discussion about Active Directory and that you are not able to bring it back into production within one hour if it's a real incident. And maybe you also need external resources and this is something you might know from incident management. You also need some kind of network or providers, externals, whatever, or service level agreements with people and organizations that can help you in such a case, in such an incident, in something like an incident that harms your business.
Again, that's too late if your building is burning down and you want to Google for firefighters, something like that as an example. Same for people who can bring you to technical equipment for rebuilding it and finding something like that. So this is really a relevant topic.
Yeah, and I have discussion point here in this chapter. I think also for the online attendees I mentioned a lot, teams chat, whatever. What would you say here is the best way to communicate within a crisis, but here's this walking around or maybe Kai to collect your insights or feedback. What would you say? Maybe also depending on the business processes we wrote down
Speaker 20 01:39:48 Open and clearly Sure, no contradiction here.
This wasn't open and clear statement as well.
Yeah,
Speaker 20 01:39:57 That's i's what
Is required and and open and clear is also a good point. Again, knowing or you can reuse your knowledge. Maybe let's take incident management again as an example. Usually you also have some kind of classification here, some kind of template, who needs which information at which, which point in time, who needs to decide what you can prepare, something like that. And this is really clear,
Speaker 20 01:40:22 Oh sorry, we have a manager on duty for this.
So we have always an mod and if anyone sees anything we open the ticket and the you can make the mistake and say, Oh my, my topic is very important. Then you say put it on the wrong level and everyone is alerted in the company and the manager on duty will call you and say okay, what's up? How can I help?
So what would happen if your ticket system is down?
Speaker 20 01:40:58 I don't know. I didn't have this case, but we have mod for for all this topics. So the mod will always be reachable I think.
Okay,
Speaker 11 01:41:10 I was just gonna point out, for me it's the best way to communicate during a crisis. Make sure you've been communicating before the crisis. So we have very, one thing we implemented several years back, the whole concept of the fusion center, whether that's virtual or in person, but we have people from each be from each line of business, the legal, PR, HR, technical people all assigned to that team.
So we're communicating regularly as well as our side business so that when a crisis occurs, we've already been through when a crisis occurs, the idea is that everybody responds with we know what to do. We've done this because we've had exercises involving all those teams and they've communicated before.
So yeah, years ago it would've been in person. Now it's, we we have multiple lines of, of communication. But it's the idea that everybody on that team has been communicating beforehand so they can respond during a crisis in a non-crisis manner.
Exactly.
Just a, just a question maybe who, who, which organization or in this room has such, such an institution in place? Like, like Danny, just just Donnie.
Donnie, sorry, just mentioned before. Who is involved in such a thing? Just just to show your hands. Not yet.
Okay, so that would be, yeah, something maybe to prepare for to to have something in place if you are in a position that should be involved here.
Speaker 18 01:42:47 So I fully agree with the gentleman just said the crisis management center which we have to have in place and who are trained. I don't fully understand the question though because so in a big company you have your crisis management.
Yeah and, and you call, but very important is which channel do you use? Because like you just said, if so we, we broke our heads to say okay, we need several channels. So they're like 10 people on this crisis management but you have to reach them. So that's the moment where you have to have private phone numbers where you need to know how to reach these people. So you have to have other reasons. In a small company it's also a group of people. I always make that for sure that there's six people from the different areas and they're together.
But again, it's important with which method do you communicate? So you're on the team, you're on the team, he's on the team. Now every communication channel is broken so I have to be able to reach you and that's something which is sometimes forgotten.
WhatsApp, any other comments? Oh
Sorry,
Speaker 11 01:43:51 Just go point out one thing that I think lot, lot of 'em don't consider when you talk about mobile communication.
Yeah you need to have their personal numbers, but if their personal communications is under the same carrier as you're using for your business communications, that may not work too well, right? So yeah, look, look at look for those multiple methods and then we, we actually go to the point of for very key, key personnel that are so designated have satellite phones as well in, in certain areas, right? Because what we have to have some people that are always reachable
And this is something you have to have in your mind how far you drive this here in the chat is an example.
Sorry, it's a little bit difficult here. We use parallel closed Signal chat in case of your email, Teams are down, okay, but what if you have a black, I mean this might work for maybe 98% of all critical incidents but not for the worst one. I mean blackout, we have other problems, but this is something you need to have in your mind. Blackout on your mobile phone is not the topic but maybe in the data center as well. So I'm talking about a big blackout, your data center, the mobile, the communication infrastructure around you and all that stuff. And then you have no access.
That's what I mean
Speaker 11 01:45:17 In a large, in a large natural disaster, mobile telecommunications often get overloaded and aren't working. So we, we've gone through that in like hurricanes and that where your mobile carriers can't communicate.
Speaker 10 01:45:31 I think blackout is a difficult thing because when you have a blackout, you have no mobile provider anywhere. Doesn't matter if you have mobile provider one, mobile provider two. With no electricity, there's nothing.
Speaker 18 01:45:43 Yeah. So these are the methods you have to evaluate.
But the other thing is you need to know, it's also in my humble opinion that they're forgetting that it's very nice that he is a very important person but if he's sick I need his representative. And that's also something which is not done very well because the representatives have to be in place as well and have had the courses. So there there's a lot we had now the communication channels depending on how, how high the crisis is, it's important to think about. The other thing is you need someone who represents you because you might be sick. Think of pandemic. Oh that's a fun one.
No
Speaker 22 01:46:27 Redundancy in in communications channels also in in personal, right?
Yeah.
And Marco, you, you wrote a lot. It's not personal blaming your approach here, it's just theoretical idea that this could happen.
So I'm, I'm fully aware that this, the probability or the likelihood is really low. No, I'm not simply wrong. Maybe it's a little bit difficult, just write me later on and we can discuss this afterwards. It's a little bit difficult to discuss this here remotely in front. Okay then it is like it is
Speaker 20 01:47:02 Just the one final word maybe about you said, oh what about this case?
What about this case and did you ever think about this case talk a lot of about BSI and they have the G zero, you know and so this gives you large list of re happenings that may occur and so you take your main assets, compare them with the from BSI and then you are really good or well prepared for any reason Cause you have really everything in this. Exactly. That's our way to solve this.
Exactly. So this is basically a little bit shorter than than initial plan. What I wanted to share with you about the crisis organization. So preparation is the, the most essential part here.
Prepare different communication path plans even if your mobile is working or not, even if this is a realistic scenario or not, this is something you can have in your mind if your risk appetite is not covering that. So this is a topic you need to be aware. And with that I think it's time after two hours and 15 minutes to hand over to Kai,
Speaker 22 01:48:29 Well since we made quite some progress on this, discuss how the best way is to communicate. We covered pretty much the next chapter already how we want to respond in a crisis, right? So a lot of what we need to do is the planning.
It doesn't have, as Christopher mentioned already asking for firefighters or Googling what to do when a fire is already set and burning high. It doesn't make any sense. So you need to have some preparation and be prepared for how to respond and as we already mentioned and find out that redundancy is seems to like be key in preparation for crisis. So on the left side, what could happen, we covered in the early beginning of the workshop, the different scenarios, what could happen and which effects will they have on our business. And we also covered the critical processes for our business.
Speaker 22 01:49:40 So we know what we need to focus on in a crisis. And as we know now, a rayme is key to have the right people on hand. If somebody, something happens, it doesn't help if we need to find or look for the people if the crisis already occurred and then we have to run and search and we maybe don't even find the right person because she or he's on holiday.
So it is really key to have all those things prepared and available at all times since we already figured out okay a crisis kind of already develops in the same thing an event is is reported so somebody sees something and says, hmm, it doesn't seem very standard to me so I might report it. We really have to have information on a basic and continuous or in always the same fashion so we can really use it.
Speaker 22 01:50:45 Everybody knows what it is. As the gentleman said, short and clear communication I would've added brief to it.
So it doesn't help if you explain to me two hours what is happening if it's just burning down the fabric, right? So just say the fabric is burning and so we might figure out to call the firefighters after event is reported and you prepare those information to everybody. Somebody has to decide if it's a crisis or maybe it's just an emergency or malfunction, but who can we do this? Should we like use our belly and say maybe it's an emergency, maybe it's just a malfunction or yeah, it seems like a crisis could be no we want to have defined thresholds for it.
We have defined thresholds where we really easily can say and we want to write them down, okay, this and that happened, those effects occur.
Speaker 22 01:51:52 We, we observe them and then we can just go on it and say okay well that's clearly an emergency or that's clearly a crisis since those effects are reported. As always malfunctions can be overcome as well as emergencies and crisis. But we should firstly try to handle them. If we can't, they will will be escalated and a malfunction might become an emergency or a crisis.
So nevertheless, at first save yourself in any circumstance, but it doesn't help to to be the hero and try to ex extinguish the fire in in in the server room if people are harmed in the afterwards. So there are immediate measures which should always be taken first before even reporting, save yourself, save colleagues and then you might see okay well there's a bin which is burning besides a fire extinguisher so I might can use it and just extinguish the fire and nothing really more will happen.
Speaker 22 01:53:11 But if we cannot extinguish the fire in the first place and we really have to to check what is happening and then we report it, we can use those different thresholds and have a color code for it. For example, we have green of course for normal operations. So I guess no explanation is not there but can have also like yellow for fault alarm or orange for an early warning if it really goes in in the direction of an emergency. And then for example in red we have the emergency crisis and disaster, which we can really figure out what event will go into which direction.
And really as we already said in the discussion before, we really need to know who was or has been alarmed, who issued the alarm? When was alarm triggered? Who was reached? Who was reached, what is the result? And as we mentioned before, which communication channel was used, right?
Speaker 22 01:54:16 So we really want to have this not only for audit and maybe insurance if they ask for it, did you really proceed those procedures which are necessary but also if we want to recover and after recovering want to check those procedures, which we took, were they really the best way possible to, to mitigate our problem? Or was it more like, well we didn't know what to do, nobody defined it before and so we just did anything.
But if you don't check it and then after it really come back to it and check was it really the right way to, to mitigate a problem, then we have like every time a crisis on emergency occurs the same problem that we don't know what to do. And in the end it is really, it comes to the point that we want to have a blueprint, a playbook where we can say, okay, well actually I don't really need to think I I know what to do if if if the fire is breaking out I know what to do if the server room is breaking down cause of an earthquake, I know what to do.
Speaker 22 01:55:29 It's all about the preparation, which we basically used the workshop the previous time to, to find those baselines. What we need to cover and we need to put our focus on to have this playbook prepared and not only prepared for some instance more like to have it prepared for each or the most probable issues which might occur for this, we want to have in crisis team or crisis organization, which we already covered in the discussion beforehand. And actually the crisis organization doesn't do much more than observe the situation.
So get all the information, what is happening, prepare plans for it, analyze the situation, what could happen, develop a strategy for it and then implement the measures. And it is in circle, which is always like coming back to the, to to the determination of the situation where you want to check, okay, if there is some measures took place, which we already defined, do they really provide the solution we were, we were aiming at?
Or maybe we try to to aim in a specific direction but we are like handling some other issue which is learning which we can like have and we should use afterwards to analysis often crisis to see if the measures really helped or maybe didn't and then we can continuously improve.
Speaker 22 01:57:21 Just interrupt me feel free.
Speaker 27 01:57:23 No, no, I was just wondering and I I don't know what your next slide is basically, but I once had the experience to be part of a recovery test and the testing Yeah, everything was done according to your scenario here, but when the testing came it was a pure nightmare and it failed totally and it failed due to absolutely minimal reasons that nobody ever thought of. So Right, Of course setting up everything, writing it down, knowing about it is is one thing, but if you've never tested it, it's, I would even say it's worthless. Absolutely.
Speaker 22 01:58:08 And it's always like hard starting from scratch, right? Then you have to define something and say like, okay, if something happens, how can I resolve it? And then does it really help? Well I don't know, but I mean I can do better than just say okay, well if the bin is burning I try to extinguish the fire. Does it help? Maybe it's like an oil, a burning oil. If I put water in, it might not help too much. If I put sand on it.
Yeah, well that was the right solution for it. So yeah, absolutely. It is not my next slide, but it's like the fifth pillar of our five pillars like training and then testing all those defined scenarios where we really have to like dig in and then do the lessons for it.
Yeah, thank you. Very, very good question.
So yeah, as we, as we already spoke, the next slide is more like, sorry, more like about communication, which we already covered. So feel free to ask.
Speaker 18 01:59:20 Sorry, I'm going back in.
Yeah, sure. I was listening. I think your name is Don Rod. Don Don. So the question is, which maybe became not so clear for people who are not on crisis management. Yeah. The question is when is it a crisis? Because you go through your incident management, which you did last year and then at a certain time somebody defines exactly whether it's a crisis. So question to you Don. So I was on this crisis management board for eight years, big company, we never had a crisis interestingly enough. Did how many crisis did you, are you on your board of the crisis management?
How often do they, except for preparation and and training and all that stuff, but a real crisis we did not have least as long as I was there for eight years, all the others were just not just, they were incidents, it was like his website would be down.
Speaker 18 02:00:14 That's not necessarily a crisis. So what I'm missing at this moment is the crisis is really, I don't know how to word it, but it's, it's really, which is, so now I work for small companies and we've had two crises.
So more than this huge company, but this small company, we did have them and then this, this, this group gets, gets together and we decide what to do, how to communicate, blah blah blah blah blah. And we go through all this things. So my question again to you, how many crises did you crises did you ever have? Which were really crisis and not, not just a bad incident.
Speaker 11 02:00:51 Now and and that goes to how they define the crisis in there. But we actually have, so from ours we have incident managers and we also have a crisis management team and we, we have had quite a few.
Now I can't get into all the details of those but you know there's been a few recent examples like the US government sanctioning Russia and saying you have to stop doing business there. That is a crisis, right? Or or hurricanes coming through in some areas where we have people, so our our our security is also our physical security and our corporate security are under the same company, our same person. So it's also dealing with a lot of the natural disaster crisis when we have people working in that area from a cyber crisis that's rare.
Those are almost always incidents handled by our security operations center, right? Because, because they are prepared to respond to those.
Speaker 18 02:01:56 I think it's very interesting what you point out with this hurricane for instance. It depends of course if your company is all just in that hurricane area, I would say it's a crisis. If you're a multinational company, this one location might not be a crisis. It is a crisis for that location, but it wouldn't come up to the whole crisis management. That's why I was just, for me the word crisis is difficult.
You really have to define it. So if you're in a multinational company, a natural thing is mostly in one area apart from what might be going on and worse, let's not talk about that, then it would be a crisis. So I'm just saying what system become clear is what is the level in cybersecurity. I didn't have any crisis.
Yes, we had a crisis last year, you could call it that way you have to handle, but I didn't point the flag crisis. So I find that a difficult discussion. Would you
Speaker 22 02:02:50 Maybe something
Speaker 18 02:02:52 For the lunch break then?
Speaker 22 02:02:54 No, but you perfectly mentioned it like an emergency is like okay, as you said in the, in hurricane alley for example, if your whole company is there and there's a hurricane, well it is not just like some, some pieces of your business, it's, it's like the whole company who is, who is like endangered and in a crisis kind of defines okay if it's the whole company and an emergency is more like some part of the company. But yeah, that's absolutely right as as I said the the communication part we already covered pretty well.
I think it's key to communicate, as we said, not only like when the crisis occurred and then, well, we hide in our cellars and be like, okay, maybe nobody knows it that we had a crisis or an emergency, and then like the news usually find out, right?
And then they spread the word and you don't really know and can't control since they are expecting and then they just say something because you didn't like communicate, they just say anything and then you have your crisis, then you have a media crisis as well, which you kind of could have prevented if you communicate clearly short and brief and very upfront and planned.
Speaker 22 02:04:17 So I think we covered this one pretty well already to cover this up. I mean there's nothing really new on the slide which we didn't already speak of.
Plan, prepare and practice as you stated. Avoid avoiding fake news. So reducing our workload because why shouldn't we reduce it where we can ask for help. Maybe there are other business who had like the same issues, the same situation and they overcome it already. Also maybe don't have the staff for it to staff to, to prepare your business for it. So don't be hesitant to ask for help, as we figured out. Crisis usually a business problem as you stated, cyber crisis are not that commonly, or more seldom, to put it that way.
But it's more like a business issue, a business problem, a crisis because maybe there's a bigger impact on it and we don't have too many other roads to go as a business instead of as in IT. We want to follow our defined practices as we said, define, plan, prepare, write it down as the lovely German says.
Speaker 22 02:05:47 So really put the words down. Everybody knows what to do and has to follow it and can follow it if it's written down and else maybe people will leave the company and the knowledge will leave with them.
And as always crisis might take longer than you want them to have in your company. So just because one part of your business broke away and then you recover it in this specific area doesn't mean it is already, in your organization, back as it was beforehand. So you really need to take care of this that it will be included in the whole business again.
And yeah, there might be SLAs to be to to pay attention to and so suppliers are or might be involved in there as well.
Nope.
Speaker 22 02:06:45 Okay, so this would be the discussion round, but since we are already very, very short on time and we kind of covered this one more or less likely already, feel free to continue maybe this discussion in the lunch break and else I give to Mattia for the next pillar.
Okay,
The good or the great thing about such a workshop is if you don't make it through the agenda and that is what we're currently facing, but we're trying to speed up things. First of all, you will receive the slide deck afterwards so you can use it as a hint, especially the sources that we, that we use to have been asked for in the chat already. So the sources are named there as well to to follow up on that.
Of course we are happy to follow this up with you as well, especially the discussion that is going on right here, which is great and there's some great feedback regarding the definition of crisis for example. So there has been great feedback in the chat. I hope you follow that as well. When it comes to my pillar, sounds a bit like my pillar, no IT service continuity, I just walked you quickly through it and I will skip the tasks.
But I highly recommend if you haven't done that, just do it for yourself.
Do it in your team. If you have done it, revisit it, because this is something that needs to be versioned, updated, reassessed as well. So IT service continuity. This is the fourth pillar and that is if we look at the bigger picture, that has been the question why? Why is business resilience management different or bigger or other than business continuity management?
It is and part of that this, this is service continuity, but we are talking about what we consider to be digital resilience and this covers all the aspects that are in here and I will only highlight a few of these aspects because this is a topic that we could do a complete workshop on of course. But nevertheless have a quick look at the different aspects of digital resilience to make sure that IT service can continue in case of an emergency if possible.
That might be cases hurricane passing through might be difficult to have cloud services available at that moment.
But nevertheless continuing business might be a challenge as well. And that could be operated from somewhere else. So that is what we're talking about here. And we had the question before, when does risk assessment come into play? And that is the point where we are here right now. So the BIA and the BCM, the business continuity management risk assessment, these are different angles to look at the same topic. So the BIA that we have done before quite extensively, and I think that was a worthwhile exercise, that needs to be complemented, augmented with a BCM.
And while we have been talking about the processes and the effects of adverse events, we were trying to find out what the impact then means when you look at what do we need to protect against, these are the the events that then can be associated with a, with a probability and then of course again with an impact.
So that is resource-based and, more importantly for that question, cause-oriented, and it also takes into account already existing risk-reducing measures, and that will result in a risk value.
So we have a time value that is the, the maximum time MTPD, you have me all the time, maximum tolerable period of disruption. Good to have such a, such a hint. And that is really something that you want to achieve and that is the probability, the risk that this might occur. And if you combine both of that, you have two different aspects of the same scenario. And that should be, yeah, mapped. There should be a Venn diagram as it is right here.
Oops, you interrupt me with any questions but, but I just want to walk quickly through that so that we finally make it to the end and that you can have the full picture and use the slide deck and revisit or rebuild or build your own business resilience for your own organization.
The task would have been something like that and that it's something that we walk quickly through but we don't execute it cause of lack of time. But it's a very simple table. You just take the the risk and these are vanilla ones, I know these are not the ones that you would like to look at.
So you ne need to get to a risk list that includes these but might extend these and you rate them with three dimensions. The first is the likelihood, and I did that for landslide.
Yeah, if you're on a boat, no. So landslide likelihood from zero is never, never really to three happens frequently. So should be done something done against it. I think landslide is fair to say it's it's one maybe impact on staff or property if it happens. Major three an impact on business.
Yeah, okay, then three as well.
So, and if you work through this, you will get to individual causes that will be in the position to produce or to interrupt the processes that we defined on the left side of the Venn diagram before. So this is something that you need to map towards each other. So long time, long term failure of outsourced IT likelihood depends. We've seen Google, Microsoft Azure AD failing before. So this is something that can happen. What happens in that situation? How is the impact on the staff on the property? How is it on the business might be difficult.
So that would be such an exercise. And the second exercise of course would be if you compare your BIA with this BCM assessment, what do you learn from that and what are your consequences to draw from this comparison? And does this match or are you tackling the wrong problems to solve or are you looking at the right problems to solve? So that would be the second task. And this would be just, yeah, creating this Venn diagram.
A quick look, if you look at supply chain management and we then quickly of course we'll walk over to cyber supply chain management, which is not only a buzzword but an important thing to look at. That's the reason why it is a buzzword. Nevertheless, what are the results of interruptions problems in the classic supply chain and logistics? It would be, I don't walk, I don't go into detail production down times because you don't have the material available. There would be shortages in the supermarket because the supply chain delivering goods to the supermarket as an example would be missing.
And that would be, for example, lack of medical supplies in the hospital. So this is really something that is tangible that you really can measure here as well. So the business impact of suppliers being unable to deliver the goods you have ordered leads to concrete disruptions in the field.
And if we move to cyber security, supply chain or cyber, cyber supply chain risk management, that involves different types of topics.
And again, can't go into all detail, but we need to distinguish between the delivery of IT services that are delivered to you as an organization. So this is outside in and IT supported delivery inside out when it comes to providing services to third parties.
And if you are relying on cyber services that are provided by somebody, software as a service, platform as a service, any type of cloud, any type of managed service, providing managed service providers, providing services to you as part of your portfolio because you did this on purpose and you wanted to save money, skills, gap, all the, all the topics that you usually have, then you need to look at that as well because it's no longer on premises.
We need to make sure that we take care of that as well and look at the cyber supply chain risks and manage them as part of the continuous IT service delivery.
So it could be infrastructure, it could be external, it could be self managed software as a service. We talked about Office 365 not being, being available, Salesforce, ServiceNow, whatever you're using. I'm not talking about these companies and I say ooh, they can go down, but what happens if they go down?
Are you prepared for that if somebody is doing customization for you and they will, they have access to your systems, IoT, OT devices that are components in my products that are components for my products. And the same is on the way outside. So if what, what happens if the services that we provide to third parties and to our customers, to our partners are interrupted, how do we deal with that? And then we are part of the cyber supply chain and we provide services to them and that means software outage, cyber attack.
Of course if our services are interrupted, disrupted, we cannot provide the services. What do we need to do to prevent this from having a severe impact on our customers, on our partners, on our ecosystem. Data breach, theft of construction plans. These are our examples. But you need to look, look at both aspects of this, of this cyber secure cyber supply chain risk management aspect outside in, inside out. So make sure that this is part of, of the equation. That is mainly the point that I wanted to look at here as well. Quick look at the watch.
Yeah, 50 minutes. So this is something to read later. This is something that is of importance and quickly to be noted, this cyber supply chain risk management is something that needs to be done properly. I've just walked through this quickly, but you need to have a full approach towards that.
And these six items that we have on the list try to help you in identifying what are the important points to look at. So it's really having it, having a cross organization view of this supply chain and to understand that, implement it as part of an overall program and a formal program for it itself.
And to identify and manage critical suppliers. There might be suppliers that can be done without, and there might be some that you just cannot do without.
So these, this is of importance here as well. So really make sure that you understand this as a, as an, yeah, important topic of your overall mix when it comes to providing, yeah, continuous service provision.
Okay, final slide from me when it comes to here with this point here. And you need to speed up even more than I do. Measuring and improving resilience.
So learn from the best that they have done this before. Logistics has been in this business before. And if we translate that into cyber supply chain risk management, there's lots to learn from. Use standards and blueprints. Don't reinvent the wheel. These are examples. Maybe there are others that are, that may prove successful for you use existing scorings, they are published, they are available.
And they might be also by service providers that can help you in creating such a system. Help your suppliers, support your suppliers, help them in achieving the resilience that you need because you might be also a part of the equation for them. Office 365, but maybe for others. And in the end it is all about risk management, understanding who is key, who is critical and who's not. So this resilience when it comes to IT service continuity is a larger topic than I was able to convey right now. But I hope I showed the scope of what you need to look at and at least a part of that.
And I think that's it from me. Yes.
Speaker 22 02:18:54 Okay, well, I mean I can cover it very fastly. I think we already spoke about it, about the testing of our planning.
What, what helps a good plan if it doesn't fix the solu the problem and if we plan in the wrong direction, right? So we want to use all the things which we already discovered in the first four pillars and we really want to prepare a plan for it. And if we start from scratch, as we said, we have really a hard time to really know if it really helps us if we follow this procedure. But nevertheless we need to test it and hopefully enough we don't need to test it in a crisis
Speaker 22 02:19:42 Else. We can test it in kind often plot or example, we just test it.
So we do use simulations and education for our staff. We try to educate them how to proceed and as well we do simulations. Either we announce them or maybe we don't announce them to really get it into this feeling of, of a crisis scenario. And then they really maybe feel more like the tension of a crisis and they really get like a little bit on their nerves and then don't really follow the procedure. Or maybe they do because they were trained like this and they follow the procedures.
And then you really can see if it, if everything is documented as we said, that if it really helps what we defined. And that's the whole thing about this last and fifth pillar to really utilize what we've learned about the scenarios and the damage which can occur.
Speaker 22 02:20:45 What our critical business processes are, what are our stakeholders and who do I need to contact, how, when, and then have the plans, how to do it, when to do it.
And therefore we can do really this simulation which really came to, to a task which we wanted to do with you to, to manufacture kind of such a crisis. But I think it's more important to see the whole picture again what, what this workshop was all about. But in the end you really can't do this by yourself or maybe you already done it multiple times to write down a playbook.
You have an entry point for a crisis, you define it and then you just, like in director, you, you do your own movie or few crisis and go through it and lead through it and then you can check if your measures really are positive or maybe even negative impact on the crisis. Back to you.
Thank you.
Okay, we have eight minutes left and maybe we do two minutes more, but first of all I don't ask her questions because we don't have the time. One poll the same question as before, the same question as in the beginning. Now that we've went through all of this, has somebody changed his mind, her mind here as well? So there should be a poll. I hope that works. And I'm asking here just for raising your hand, how well are you prepared for major incidents with your own business? So this times only makes sense if you raise your hand only once. We are very well prepared.
One, we are well prepared. 1, 2, 3, 4, 5, 6, 7, 8, 9. We are not well prepared. And I know this is a tough thing to ask in, in such an auditorium. I know that and I don't ask, we are not prepared at all. Okay. The online team, well I have, I have figures here. So some moved, it moved actually up. So we are well prepared.
It's 90%, no, 90.
Okay. Maybe we start with the initial ones. Maybe we start with the initial ones.
Ah, we are well prepared. Was 62% online and 38 for we are not well prepared.
Okay, so now, now you lost me. This is, this is the, this is the other that is already still running. Right? So this is the old one? Yep. Okay. Got the point. Okay. That would have surprised me. So is it still open
That maybe it's because I'm the admin, just talk and explain something.
No, this is difficult because I want to share something.
Okay. And the new results are 90% mentioned. We are well prepared and 10% said we are not well prepared. That means we have 27% more for we are well prepared and on minus and we are not well prepared.
No one, one says we are very well prepared and the good news is no one mentioned we are not prepared at all.
Okay. And back to, okay, so
It's the first time we use this poll feature. It was released a few days ago. So sorry for
That. But how do I get to the presentation? Shouldn't just move here.
Oh, this one. It's
A me.
It's a me. Okay. Final slide for me today is, this has been a great workshop. You have been contributing very, very great. This was awesome. We had a great discussion in the, in the chat. But it seems to me at the end of such a workshop, this is all theory, this is just how we move.
Okay, let's prepare for something it doesn't happen. But this is just not true.
This, sorry, maybe short interruption because we got a good feedback from Benjamin online in the initial one we had 21 responses online and now we have only 10. So probably it's not, not changed that significantly that we can see here.
Honestly, it would have wondered by myself. I would have expected honestly that more people say we are not well prepared or not sufficiently prepared. That's what I would have expected. And thank you Benjamin for your feedback here as an addition.
Prepared. We scared them, what
They gave, they gave up during the workshop or maybe they're preparing right now, right? They're running in crisis right now.
But a good thing that's, that's the reason why we are IT people and not statisticians.
So, okay, but when preparing these slides, I just, I just Googled. Yeah. So I put a tech damage and this is from last week, 3rd of November, Danish train standstill on Saturday caused by a cyber attack. The important part is down here, the, the last, the last segment here, while not a direct attack on theb, the attack prompted subcontractor superior to shut down its servers, which in turn affected locomotive driver's ability to operate the trains. For example, ours.
These are the items to think of. How could this have been addressed with BRM for them?
Where would be the measures where it would be the, the handle, the leverage to the lever to to to, to keep that from happening. Which steps and measures could have helped to mitigate this event? Of course these are open questions. I don't answer them.
I that's, that's up to them. But I don't think that this should be the reason for a train not operating. This is just ridiculous. More important. Can you think of a similar scenario for your own organization?
A again, I don't want an answer, so just keep that in mind. Is there a situation where this could happen because you are relying on dependencies and that is what, what good Christopher pointed out. What are dependencies for processes? How likely would that then be? What would be affected? And can you think of PRM measures for you to anticipate and mitigate that? And if you answer these questions and take those home, I think we have achieved something for today. And that's my final slide for today.
So just make sure this is not theory, these things are happening all the time and that could be prevented at least mitigated. So that would be the message for today. And back to you castoff or
Nope.
Okay then that's it for today. Any final comments from your side? Any final questions? I hope you pick up the discussion at lunch and this afternoon and during this whole event. I'm looking forward to seeing you all in the next two days when the real conference starts and for the workshops this afternoon and for the time being, thank you very much for participating. This was great. Thank you.
Thank you, thank you. And just for your information, we will now have lunch outside. Maybe you have realized there's some positive smell, at least in my nose. And thank you very much for the contribution from the online attendees as suggested is there, if there are any open topics, other ideas, understanding of something, just feel free to add us on LinkedIn, write us an email. We have really all reaches out here during lunch. We are really happy to discuss. Thank you.
Speaker 22 02:29:14 Thank you very much.