Sometimes it pays to be bored. This little gem of inspiration comes from a talk I went to at ISACA’s recent IT security conference in Munich.
Tom Madsen, an IT specialist who worked for the United Nations Development Programme for 12 years, was running us through Sun Tzu’s classic ancient warfare text The Art of War. Normally, that’s something I would avoid – too 1980s Wall Street for my taste.
“To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself,” said Tzu.
Cryptic, perhaps, but in Madsen’s hands it was insightful. How do risk managers defeat themselves? By not doing the boring stuff.
Take policies, for example. “They are the most boring part of the work,” Madsen said, “and the most important. Nobody wants to do a policy document and get everyone to sign off. It’s the paperwork that is the basis for practice.”
This Zen-like nugget went on.
“Practice, practice, practice,” he said. Go through your procedures. Drill your staff in what to do during an exercise. Do it until they are bored and can perform their roles sleeping.
“It can just be a desk exercise, flicking through documents,” he said. Can you imagine?
“The value is, the people in that exercise will know what their responsibilities are. People are as important as the hardware.”
When did you last run through your disaster recovery exercises? Your cyber breach response plan? Too boring? Think again.