It is pretty well accepted that, while devastating, some types of natural disasters, such as forest fires, have the effect of allowing new life to take root and flourish.
I’ve often lamented how difficult it can be, particularly in larger organizations, to make significant security enhancements because of the costs involved and requisite interruption of business operations. We’ve now witness a number of pretty high profile cases where the IT environments of organizations were all but destroyed and had to be rebuilt, such as with Saudi Aramco and Sony, and most recently with NotPetya’s effect on companies around the world. I am not intending to minimize the devastation to these companies, however these types of events seem similar to the forest fire analogy, providing an opportunity in the midst of disaster to make strategic improvements.
I wonder, though, can an organization take meaningful advantage of this bad situation? In the aftermath of such an event, the priority is almost certainly on restoring functionality as quickly as possible, and the straightest line to get there is likely to implement things as they previously work, likely with some slight adjustments to account for the perceived cause of the problems. Many organizations have disaster recovery and business continuity plans, and some of those plans are starting to incorporate the concept recovering from a “cyber disaster”, however those plans all deal with getting back to operations quickly through recreating the existing functionality. I am thinking that such plans may benefit from keeping a punch list of “things we would do differently if we could start over”. We all have those lists, if only in our heads, and the utility documenting such a list isn’t limited to just these mega-bad recovery scenarios – they are also useful in normal planning cycles, technology refreshes, and so on.
What do you think?