It’s January. Do You Trust Your Threat Analysis?
Think the idea of threat analysis is hyperbole? If so, consider this brainteaser: What do Freedom Industries, Target, Neiman Marcus and Chris Christie have in common?
No, this isn’t one of those “A coal business exec, a couple of retail moguls and a New Jersey Governor walk into a bar” jokes. We’re as serious as we can be under the circumstances, because we think there might be something to be learned here.
So what are the similarities? Well, on the surface, the spill, the hacks and the gridlock story all hit the media at just about the same time. They each badly inconvenienced thousands of people – even made some of them seriously ill. Each crisis was long in the making, eminently avoidable and, with 20-20 hindsight, each should have been foreseeable.
The problem with 20-20 hindsight after a crisis is that it never seems to happen soon enough. Almost anyone with knowledge of the physical properties of an aging tank farm situated next to a river upstream from a major city’s water supply could have sensed a problem in the making. As for cyber intrusions, they are almost commonplace these days and the customers of retailers – especially the upscale – are tasty targets for identity theft.
But perhaps Gov. Christie himself has identified a major contributing factor to many such crises: that of misplaced trust. If there is one thing the governor could have done better, it may have been to have a more inquisitive attitude about those responsible for the September gridlock on the George Washington Bridge. He may have been able to discover that his subordinates had screwed up and sacked them with dispatch, thus avoiding a major crisis of confidence. In his defense, he was in the heat of a major political campaign, and his attentions were understandably elsewhere at the time.
Further investigations will undoubtedly reveal even more contributing factors in each of these crises (see our article on Aristotelian Causation for philosophical background). For instance, did the residents of Charleston, WV, misplace their trust in government regulation or a key industry’s moral conscience? Are major retailers placing too much trust in cybersecurity technologies that appear to be a step behind the hackers? Or are they misplacing their trust in the people responsible for maintaining those technologies?
As emergency preparedness veterans who are paid for our inquisitive minds and 20-20 foresight, these events have us wondering about the adequacy of the Threat Analysis that is at the heart of any good preparedness plan. So we have to ask:
- How old is your plan’s Threat Analysis (TA)?
- Does your Plan include all known and conceivable hazards?
- Do you re-examine your TA and Plan after incidents at similar facilities and industries?
- How frequently do you inspect hazardous-impact facilities?
- How frequently do you Red-Team your physical and cyber assets?
- Do you plan and drill for the worst case based on known historical and international disasters?
- Do you investigate, debrief and update your Plan based on even minor incidents?
- Is your emergency communications plan driven by full, fast and candid disclosure?
If you are responsible for any part of your company’s incident preparedness or response teams, you owe it to yourself and your organization to be inquisitive, and a bit of a nag. That means you can never trust implicitly. As Ronald Reagan advised, you must “Trust But Verify.”
And maybe change your passwords.