Bouncing Back After a Disruption
MORE THAN A DECADE AGO, then-President Bill Clinton issued a little-known directive establishing critical infrastructure protection (CIP) as a new concept and a sweeping new mission for the country. Clinton expressed his intent that the country would “take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks.” At the time, the nation’s attention was focused elsewhere.
But after 9-11, the need to protect critical infrastructure gained urgency and the definition of what constituted critical infrastructure was expanded by the Department of Homeland Security (DHS) from just physical structures like bridges to every system upon which the country relies, ranging from farms and trucking companies to healthcare networks and community banks. Then in its 2009 revision of the National Infrastructure Protection Plan (NIPP), DHS placed another concept alongside protection: resilience. Now the agency acknowledges that for some sectors, resilience may be as important as traditional protective measures—or even more important.
For a model of resilience, the federal government has looked to the financial sector, which has always understood the importance of resilience given its networked nature and the necessity of speed and uninterrupted service in the financial marketplace. Regardless of the sector, however, experts agree that resilience requires a holistic view of the risks an enterprise faces and how they all interrelate, with an eye toward recovery after a crisis.
What Is Resilience?
Reduced to its essence, resilience is the ability to quickly recover from an incident—whether natural or man-made. The rationale behind the importance of resilience is that security can never be perfect, so having the ability to recover from an attack is as important as trying to prevent one.
In the strictest sense of critical infrastructure, the most resilient systems are so by nature: networks. The obvious example is the Internet, which was designed to tolerate disruptions and obstructions by automatically and instantaneously rerouting traffic around them. The same processes are regularly applied to systems like electrical or telecommunications grids and commercial supply chains.
Last year DHS refined the definition of resilience in the updated NIPP, changing it from “the capability of an asset, system, or network to maintain its function during or to recover from a terrorist attack or other incident” to “[t]he ability to resist, absorb, recover from, or successfully adapt to adversity or a change in conditions.”
In The Resilient Economy: Integrating Competitiveness and Security, the nonprofit Council on Competitiveness, a coalition of U.S. business, labor, and academic leaders, writes that resilience “is the capacity for complex systems to survive, adapt, evolve, and grow in the face of turbulent change.” The resilient enterprise, the Council writes, is “risk intelligent, flexible, and agile.”
Businesses in the U.S. financial system must operate smoothly and efficiently with an ability to handle both capacity surges and outright disruption. The 9-11 attacks and their aftermath bore both great success stories and major lessons learned for this critical sector. In the broadest sense, the system demonstrated its inherent resilience by continuing to function despite the weeklong complete disruption of operations at its most critical node in lower Manhattan. Actions taken since have addressed the problems exposed by 9-11, making it less likely in the future that there would be a disruption of that magnitude again.
Redefining scope. Prior to 9-11, business continuity planners in most sectors, including finance, considered disruptions—like fires—in the context of how they might affect single buildings. After an evacuation, for example, a company provided for transfer of operations to a predetermined backup site during recovery. Multiple companies did not coordinate their plans.
During the 2001 attacks, the flaws in this approach became evident. An entire Verizon communication hub beneath those buildings was destroyed. Companies that had arranged contingency communications services through two or even three vendors found out that all of them used the same cable infrastructure, with a shared point of failure. Other companies contacted backup office space vendors to learn that those vendors had committed the same space to multiple clients, all of whom simultaneously needed to relocate to what they thought was a reliable emergency backup facility. No one had counted on a large disaster that would affect so many businesses at once.
Federal mandate. A clear lesson from 9-11 was the need to look more holistically at risk and recovery among companies. Within two years, the U.S. Securities and Exchange Commission (SEC)—which enforces federal laws governing stock and options trading, the core of the U.S. financial system—issued policy intended to boost operational continuity among trading and related operations in major catastrophes. The SEC dictated that institutions assess their operational dependence on other sectors, in particular communications, power, and transportation, and mitigate risk. The policy further recommended that institutions consider the obvious issue of geographical distancing when setting up redundant or backup operations.
The SEC’s policies for the trading industry set specific time-based continuity metrics. For example, settlement and clearing, the actual processes by which agreed-upon trades are transacted and the parties’ records updated, are concentrated at a very small number of firms. Continuity of operations at those firms is key to the flow of money throughout the system. Per SEC policy, those companies must have the ability to resume operation within two hours of a disruption. Trading operations, which are more dispersed, have four hours.
The necessity of resilience to survival in the marketplace provides incentive enough for financial sector businesses to assess risk and prepare for the worst. The financial sector self-regulates under the independent Financial Industry Regulatory Authority (FINRA), which recently issued a rule requiring that members establish a business continuity plan and designate emergency points of contact within their companies.
A Working Model
A broader recommendation that followed 9-11, and one echoed throughout government and the financial sector, was the need for regional emergency management and continuity planning. Such efforts would address shared interests among businesses within a sector and a metropolitan area, and help avoid the unforeseen conflicts that complicated resumption in New York after 9-11.
The exemplar of that effort is Chicago Fostering Industry Resilience and Security through Teamwork (ChicagoFIRST), a member-funded organization, founded in 2003. This model has since been duplicated by 23 regions around the country.
Among ChicagoFIRST’s members are nearly 30 of the major financial firms in the city, including the Chicago Board Options Exchange and the CME Group, which includes the Chicago Mercantile Exchange and the Chicago Board of Trade.
“The point is to get financial institutions to realize that protecting the financial sector is not about competition, it’s for the good of your country, it’s for the good of your region, and it’s for the good of your sector,” says Brian Tishuk, executive director of ChicagoFIRST and former deputy director of the Treasury Department’s Office of Infrastructure Protection.
Barry Cardoza, vice president and manager of business continuity for UnionBank in California and chair of the Bay Area Response Coalition (BARCfirst), a similar organization in the San Francisco region, has called the concept “a successful financial sector model that can be applied in any sector.”
ChicagoFIRST serves primarily as an information-sharing nexus among member companies and their government partners, which include the city’s first-response agencies and federal agencies concerned with homeland security. It also helps to ensure sector-wide continuity.
A primary goal of ChicagoFIRST was to obtain a seat for the group in the city government’s emergency operations center, which it received shortly after its establishment. Soon, two more of the group’s goals were realized: establishment of a credentialing system providing critical personnel access to facilities during and after incidents and a means of coordinating evacuation plans across the city’s financial sector.
In addition to those goals, ChicagoFIRST has emerged as a single hub for information-sharing among regional and national stakeholders, such as the Financial Sector Information Sharing and Analysis Center, and the Financial Services Sector Coordinating Council, which coordinates sector-wide infrastructure protection efforts between sector partners and the federally designated sector-specific agency, the Department of Treasury.
The planning councils coordinate with regional stakeholders, which in the case of BARCfirst and the Bay Area include groups like the Building Owners and Managers Association, and government agencies like the California Emergency Management Agency, Cardoza tells Security Management.
Those relationships—and the assistance and information they provide—are key to coordinating the continuity and recovery that form the basis of resilience.
“The lesson is not to say, ‘We ran a fire drill, and I have a buddy at the police department, so we’re covered,’” says Tishuk. “It takes more than just drills, it takes working with your jurisdiction, your region, and your state to ensure that you are resilient. And for the financial sector that means the federal level—DHS and the Department of Treasury.”
Proof of concept. While it was just a year old, ChicagoFIRST had a chance to show how it could make a difference after an incident. The incident was a fire in the 44-story LaSalle Bank Building, which was the largest skyscraper blaze in Chicago history. It caused $50 million in damage and required that six floors of the building be completely rebuilt.
The fire, later blamed on faulty wiring, started on the building’s 29th floor around 6:30 p.m. on Monday, December 6. Fortunately, at the time, only 450 of the building’s usual daytime high of 5,000 occupants were inside. They evacuated quickly without serious injuries, but the company couldn’t know that at first.
Although ChicagoFIRST’s credentialing effort had not yet borne fruit, the senior fire department official at the scene recognized LaSalle Bank’s chief continuity officer from ChicagoFIRST meetings and allowed him through the scene perimeter. Based on that relationship, LaSalle’s human resources department was also able to learn from city fire officials which employees had been transported to what hospitals, according to Jack Smith, head of business continuity at LaSalle parent ABN AMRO Bank, NV, at the time of the fire, who wrote about the case in the Journal of Business Continuity and Emergency Planning.
The bank, meanwhile, initiated its own continuity of operations plans, with a response team conference call underway by 8 p.m. During the call, critical bank personnel who had liaised with fire and building officials updated the company’s crisis management team on the situation and initiated plans to move operations to prearranged backup sites around the region—most of them in other LaSalle Bank facilities. In the hours that followed, automated outgoing phone messages updated employees on the situation, and critical workers were instructed to report to assigned backup locations for work.
The bank was able to resume normal operations at 7:30 a.m. the next day with 750 LaSalle employees working from backup locations and roughly 400 working from home. Critical documents were recovered through a variety of means. Official copies of some documents lost in the fire were provided by financial partners and supporting firms, while others could be recovered remotely from desktop computers left on before the fire. LaSalle’s insurer allowed some bank employees to return and recover salvageable documents after the fire, while fax-machine phone lines, like voice lines, were rerouted immediately after the fire.
The message of preparedness and resiliency was also conveyed more widely through public media. Bank employees interviewed by local media stated not only that LaSalle had a continuity plan but also that the downtown facility had held a fire evacuation drill just the week before.
While LaSalle’s business resumed seamlessly after the fire, the experience was not without critical lessons. Among them, Smith writes: Do not relegate old, “retired” office equipment to prearranged backup locations. LaSalle had done so, but workers quickly found that it could not support current functions and applications, and they were forced to independently purchase new equipment on company accounts. Howard Sprow, vice president of technology and business continuity for the Securities Industry and Financial Markets Association, recommends that companies routinely assign critical staff to work temporarily at “hot” backup locations during periods of normal business operations to ensure that they can function as intended when needed.
Another lesson is that workers get frustrated by being given a false expectation of how long they will be at alternative locations. Smith recommended padding estimates for a scheduled return to normal in-house operations. That way, if the return occurs more quickly, that’s good news you can share with staff; by contrast, if it takes longer than anticipated, you won’t have to keep revising your information, because that possible delay was built into the earlier estimate.
Because the company’s response and recovery plan worked, it never had an interruption of operations. More important, at least three major commercial business clients, whose business LaSalle was bidding for at the time of the fire, hired LaSalle because of its handling of the crisis, Tishuk and Smith tell Security Management. The case shows the bottom line value of resiliency planning: prepared organizations not only survive crises but actually emerge better off.
One approach to risk is increasingly placed under the rubric of enterprise risk management (ERM), which would include enterprise security risk management (ESRM). To many in the financial world, ERM often implies financial risks to the exclusion of all others, but the broader definition goes beyond them to encompass all conceivable risks: natural, criminal, political, legal, operational, or social, just to name a few. Similarly, for those approaching the issue from a security perspective, ESRM goes beyond concepts like the convergence of physical and IT security to entail understanding, awareness, and mitigation of all risks.
Absent ESRM, a corporate financial official may seldom consider the risk a weather-related catastrophe would pose to an organization’s operations. An organization’s top IT official might not have considered the effect of a forthcoming financial regulatory regime on his department. And a marketing and communications official might not have considered the consequences of a labor dispute disrupting supply chains.
An established method for facilitating ESRM is formation of cross-disciplinary committees charged with collectively examining the risks borne by all of the critical elements of the business, such as supply chains and brand management. The process brings together people from different units of an organization—such as a CSO and a marketing manager—so that they can examine different risks collectively and share perspectives to determine how those risks should be prioritized and mitigated in a crisis.
“Suddenly someone makes the leap, and they’re all talking to one another, working to address interdependencies. And that’s cultural progress,” says Leigh Williams, president of BITS, the Financial Roundtable’s technological arm.
“If you have a good enterprise risk management program, you’ve gone a long way toward having a more resilient organization,” says Bill Phillips, vice president and chief security and safety officer for CAN Financial Corp. and a member of ASIS International’s CSO Roundtable.
“You have to think about what you are reliant on in terms of continued operation,” says Sue Armstrong, acting deputy assistant secretary of homeland security for infrastructure protection. “Power, clean water, ability to move information and conduct transactions, anything system-based,” she says. Among issues to be addressed are redundancies, how delivery of resources could be rerouted, or what could serve as a substitution.
In taking this broader view of risk, security professionals must develop proficiency in specialties outside their traditional purview. In the recent CSO Roundtable report Enterprise Security Risk Management: How Great Risks Lead to Great Deeds, Timothy L. Williams, CPP, director of global security for Caterpillar, noted that “with ESRM’s holistic approach to security came the understanding that a whole host of business issues that were not traditionally associated with ‘security’—think, for example, of Sarbanes-Oxley or HIPAA—were now firmly part of security’s bailiwick, underscoring again how important it is for security professionals to be business professionals first.” (HIPAA is the Health Insurance Portability and Accountability Act.)
Purely protective security can never mitigate 100 percent of the threats. That’s why consideration of all risks and the capability to continue or quickly resume operations amid a disruption is among the most important aspects of critical infrastructure protection.
Joseph Straw is an assistant editor at Security Management.