Many organizations have successfully built rock-solid plans to mobilize and respond to common cyber scourges like ransomware attacks, data breaches, and phishing scams.
But what happens when a business is hit with an event so disastrous that it never even thought to plan for it?
Take, for example, cyber war, a shutdown of the global banking system, or a novel virus with no cure. Enterprise concern for such black swan events—aka “unknown unknowns”—grew after former Wall Street options trader Nassim Nicholas Taleb published his 2007 bestseller, The Black Swan. In it, he argues that worst-case scenarios are predictably unpredictable and can spell corporate catastrophe.
Erin Bajema has seen this up close.
“These are events that have a really high impact and a really low probability of occurring,” says Bajema, managing associate and cyber sector lead at Hagerty Consulting, an emergency management firm.
“They’re nearly impossible to predict,” she says, “and will mean something different depending on the organization, its scope of services, and what pieces of its infrastructure are involved.”
Few organizations try to imagine such events, for a variety of reasons. Sometimes executives overconfidently assume something of this magnitude could never happen. Other times they don’t have the resources to dedicate to worst-case-scenario planning.
Also, imagining an unknown unknown is overwhelming. So, many organizations direct their efforts toward identifying and planning for only the most frequent and most likely risks they will face.
“When you face the same low-level risks on a daily basis, it becomes easy to center your whole crisis-management approach around those things,” says Bajema. That’s changing: “Organizations are realizing that they need to start preparing for really catastrophic events. If they don’t, the consequences can be disastrous.”
Imagining the unknown unknowns—although difficult and uncomfortable—is an essential exercise for boards and executives to perform before it’s too late. Here’s where to start.
1. Assemble your team
Planning stakeholder engagement is a critical first step in imagining unknown unknowns, Bajema says. “You need to bring together a team of people with the right level of expertise, knowledge, and skills in order to inform the plan so it can actually be used in the real world,” she says.
The stakeholders involved should be representative of the entire organization. Diversity helps to ensure a thorough consideration of all the possibilities and a comprehensive response, says F. Charlene Watson, senior cybersecurity consultant at multinational engineering firm AECOM. Stakeholders may include members of the communications and media relations teams, human resources, payroll, cybersecurity, and legal, as well as members of the board and the C-suite.
2. Start small
For smaller organizations, or those with limited resources, imagining unknown unknowns can be particularly daunting. “Some might barely be keeping their head above water and barely managing their day-to-day risks,” says Bajema. “If you try to go straight to a catastrophic event without having your basic [incident response] concepts in line, you’re setting yourself up for failure.”
For these organizations, she recommends starting small with basic scenario planning or scenario-based tabletop exercises. Teams can use a past event or case study to model a response, which helps to test assumptions, such as how an organization’s business processes currently work, and can reveal single points of failure for each of its critical services.
Scenario planning pioneer Peter Schwartz, now chief futurist of Salesforce, conceived of scenarios as rich, data-driven stories about tomorrow that can drive better decisions today. The goal is not to find certainty, but rather to create a “map of uncertainty”; it is not to reinforce what you already know, but instead “to make visible what you are not seeing.”
AECOM’s Watson suggests that companies conduct tabletop exercises every six months. “Many companies don’t do it because they don’t see it as increasing their profit margin,” she says. “They don’t see the value of it until it’s too late and they’re facing a
3. Get comfortable with the uncomfortable
Imagining the unknown unknowns isn’t easy for many board members and executives, Watson concedes. “Nobody wants to believe they’re vulnerable, and talking about events that could literally destroy their company isn’t comfortable,” she says.
Pushing past feelings of discomfort is crucial, however. Bajema, who runs tabletop exercises with senior leaders, says there always comes a point at which the scenario breaks the system—often intentionally.
“When stakeholders get to that point, they say, ‘Well, it’s broken now and that’s it.’ To encourage them to get past that point, we say, ‘OK, now that your power grid is down, what are you going to do?’ Boards must be willing to put themselves in this worst-case-scenario situation.”
4. Formalize processes and fill in gaps
As organizations perform worst-case-scenario exercises, a clearer picture will emerge about how well teams work together and the clarity of their roles and responsibilities. Processes and procedures should be documented, and any gaps or overlapping efforts should be addressed, Bajema says.
For example, organizations may discover that both HR and the communications team are responsible for outreach in the aftermath of an emergency event and need to coordinate, or that an incident response duty was not assigned to a particular individual or team. Formalizing processes helps to identify whether roles and responsibilities have been correctly assigned.
“This allows you to have a unified plan and process, so when an event hits, you don’t have conflicting paths of action between departments,” Bajema adds.
5. Consider scalability and adaptability
Many organizations have response plans in place to address day-to-day cybersecurity threats and business disruptions. In these cases, adapting plans to apply to worst-case scenarios can be another way to approach unknown unknowns. Bajema calls this an “escalation matrix,” which takes the procedures already in place and expands them to catastrophic events.
“If you’re able to revise one of these plans, or update or strengthen it to scale and adapt to a bigger disaster, that’s one way to take what you already have and make it more usable for a black swan event,” she says.
6. Invest in training
Organizations should consider training their board members, senior executives, and other responsible groups to imagine and prepare for the unknown, Bajema says. This might be something as simple as basic awareness training, depending on the board’s level of cybersecurity education, or more advanced initiatives, such as
Imagining unknown unknowns is a vital piece of every organization’s cybersecurity program, Watson says. She says the process is a lot like paying your power bill. You pay your bill every month, and without fail, your power comes on when you need it. But there may come a day when you neglect to pay a bill and your power gets shut off.
“In other words, you’re investing in your organization through cybersecurity measures to keep your company safe,” she says. “If you don’t prioritize planning for a black swan event and your organization experiences a worst-case scenario, you’re unprepared, because you didn’t do what you should have done. What happens next?”