Wednesday, April 29, 2009

As WHO Escalates to Alert Level 5, Crisis Management Planning for Pandemics Offers Cyber Challenges

Electron microscope image of the reassorted H1N1 virus. The viruses are 80–120 nanometres in diameter.

The WHO has raised the pandemic alert level for the swine flu to five out of six.
Dr. Margaret Chan, the director-general of the WHO, told a Geneva-based press conference the world must be prepared.
"All countries should immediately activate their pandemic preparedness plan," she told an international teleconference.
Toronto Star, 4-29-09


Those of us responsible for cyber security in corporations and government agencies are also integrally involved in our organizations' business continuity and crisis management planning (and those who are not should be). This evening many such plans are being dusted off and reviewed (and in many instances, it has been far too long since they were last looked at). But there are broader, bigger issues in the fire, and hopefully, no matter what happens in regard to this immediate crisis, these issues will come into sharper focus for many.

Here are three vital areas that offer challenges which can be transformed into opportunities:

Business Continuity and Crisis Management: Most organizations have plans, and many organizations even take such plans seriously. But I argue that the plans of almost all of these organizations are based on the wrong model, i.e., a 20th Century model that says, “Something bad might happen someday, and if it does, this is what we will do.” The right model, the new model, the 21st Century model says, “Bad things will happen, and two or more bad things could well happen simultaneously, and when they do occur, this is how we will respond and adapt.” This is not just an age of crisis; this is an age in which multiple crises threaten, e.g., climate change, economic and financial crisis, infrastructure collapses, food and water shortages, failed states, terrorism, nuclear proliferation, and yes, pandemics. Such circumstances demand a new model for business continuity and crisis management. (For an exploration of this and related notions, see my CSO Magazine feature, A Corporate Security Strategy for Coping with the Climate Crisis.)

Mobility: This is one of Carnegie Mellon CyLab’s seven research thrusts. Indeed, CyLab has its own Mobility Research Center (MRC) dedicated to the exploration of the powerful wave of technological innovation that the term “Mobility” embodies. Once upon a time, organizations were striving to integrate the notions of “Telecommuting” and the “Road Warrior” into their technology/workforce mix. The model for “Telecommuting” was of a certain percentage of employees sitting at a desktop computer at home instead of at the office; the “Road Warrior” model projected a sales force with laptops slung over their shoulders and cell phones held to their ears. But both models have been subsumed by a broader, more transformative notion of “Mobility,” which Martin Griss, Co-Director of the CyLab MRC, has articulated as “anywhere, anytime computing.” Such a model has sweeping implications for business continuity and crisis management: it means moving beyond planning that is centered on just flipping the switch at a hot site to planning that also includes re-establishing a virtual workplace via diverse mobile platforms, devices and applications. It also has sweeping implications for healthcare, and yes, emergency healthcare in particular, both in the workplace and in the home. (For more on Mobile Healthcare, see the summary of CyBlog posts on CyLab MRC’s Mobile Healthcare Workshop in February 2009.)

Awareness and Education: Most organizations have some security awareness and education program in place, although many of these programs are uninspired and under-funded (which is very short-sighted, because money spent on awareness and education can go a long way, and have a great impact on the workforce and the workplace, if it is spent wisely). But to whatever extent your organization has a security awareness and education program, you have a delivery system with which you can reach your workforce and, by extension, their families, friends and neighbors. That means that you have the opportunity to disseminate information related to public health, environmental protection, emergency preparedness, etc. through that same channel. Doing so not only constitutes an excellent form of public service, it also reinforces your organization’s messaging on security awareness and education by placing that messaging, and the delivery system which communicates it, into a positive, life-affirming framework of common good.

Hopefully, the threat of a Swine Flu pandemic will come and go without great loss of life or significant economic hardship. But let us also hope that whatever happens this time, the challenges it reminds us of will be turned into advantages by those cyber security professionals responsible for developing 21st Century programs for corporations and governments, and those cyber security technologists responsible for designing 21st Century products for the IT industry.

-- Richard Power