Key Message: Today’s high-risk, global, fast, and very public business environment demands a more integrated approach to not be surprised by disruptive events.
Executive Summary
Organizations, large or small, public or private, civilian or federal, continue to invest in a variety of independent system protection and sustainment activities including information security, business continuity, IT disaster recovery, crisis management, workforce continuity, and emergency management. However, given the extreme complexity of today's system of systems, and the global socio-economic challenges faced by organizations, a traditional disjointed stovepipe approach to protection planning is no longer viable, either operationally or financially. Successful protection of one's enterprise and its systems now requires a fully integrated approach that incorporates unification, standardization, automation, and training while balancing affordability and risk management. Operational resilience provides an integrated approach to protect and sustain systems and associated operations.
In this podcast, Nader Mehravari, a member of CERT's Cyber Resilience Center, discusses the principles and practice of operational resilience as applied to today's increasingly high-risk, disruptive events. This podcast is the first in a three-part series based on Nader’s tutorial at the IEEE Conference on Technologies for Homeland Security, presented in November 2012.
Recent Examples of Disruptive Events
Largest Atlantic hurricane on record: wind diameter of 1,100 miles
Disruptive events will continue to surprise us in ways that will disrupt business operations. We need more effective approaches for dealing with these unknowns.
Traditional approaches exist for the following disciplines:
New approaches are being added for the following disciplines:
Each of these disciplines requires comprehensive planning and the exercise and test of complex activities. Developing each of these in a silo creates duplication of effort. This approach is neither efficient nor affordable.
An operational resilience approach calls for coordination and integration across these related disciplines, including protection and sustainment activities.
In the presence of a disruptive event, how can organizations continue operating, continue developing products, continue operations under stress, and continue while preparedness plans are being executed to recover and restore capability?
An operational resilience perspective provides a more strategic approach for addressing these questions.
The Nature of Today's Disruptions
When a disruptive event occurs:
A Few 2012 Events
These types of events are causing business executives to pay more attention:
Ask the Right Questions
Some ask "Are more disruptive events occurring?" While useful, this may not be the best question to ask.
A better question may be “Even if the number of disruptive events is not increasing, is something else changing that is causing disruptions to be more important and more critical?” The answer is yes.
The Nature of Today's Risk Environment
Over the last 10-15 years:
A refinement of the better question is “How should we deal with this expanding and worsening global risk environment?”
Preview of Future Podcasts in this Series
Mehravari, Nader. "Principles and Practice of Operational Resilience." IEEE Conference on Technologies for Homeland Security, November 2012.
CERT Resilience Management website
CERT Podcast, Part 2: Managing Disruptive Events: Demand for an Integrated Approach to Better Manage Risk
CERT Podcast, Part 3: Managing Disruptive Events - CERT-RMM Experience Reports