TORONTO (06/27/2000) - Good news stories about the next IT-based business solution rarely grab management's interest. But bad news can really get their attention. What's your scorecard on turning disasters into opportunities?
Was there ever a better opportunity than Y2K to educate management to the importance of IT in the organization? While many technology managers simply hammered away at remediation, others used Y2K as an opportunity to forge new relationships with senior managers.
Now we've got a big fat denial-of-service attack on some major players. The DoS attack kicked the confidence of your executive committee in e-commerce right where it hurts. And the question is: what are you going to do about it? Beyond running some sniffer programs and rethinking your IT architecture, I mean.
What lessons do you want your management team to learn from DoS? What's your memo to the executive committee going to look like? And what are you going to advise the President to say to the Board about your company's exposure? In short, how are you going to turn this disaster into some opportunities?
First order of business is a quick memo to the CEO with a cc. to all the other members of the executive committee. The memo should do five things: a) offer a brief non-technical description of the attack; b) identify the general implications of such an attack on company operations, revenue streams, distribution channels, customers and business partners; c) indicate the present state of the company's technical readiness to respond to such an attack; d) indicate your intention to consult with executives to assist them in developing contingencies for such an attack and to more clearly identify the implications of such an attack on the company; and, e) attach a draft memo to the Chairman of the Board (cc. to all Board members) for the CEO's signature outlining the impact such an attack would have on operations, revenue, channels, customers and business partners and indicating the steps the company is taking to mitigate the effects.
Next, review your company's security policy. Is it sufficiently responsive to technical attacks generally? If it isn't, now's the time to identify required changes because you can lobby for them as you consult with executives on the damage a DoS (or other technical) attack could deliver and the damage-control measures required by each department.
First item on the agenda of your meetings with executives and their senior managers is to briefly describe the effects of a DoS attack on the company's technical services and their availability. Next, you're ready to work with the business managers to identify the effects the lack of technical services will have on the business operations and external and internal customers of each department.
Of course, if the departments have solid contingency plans for Y2K, then you're more than halfway home. You've already identified mission-critical operations and worked out response strategies. What's left for each department is to work out with you a gap analysis of measures in place and measures required, given the profile of the attack in question.
Don't overlook legal in this exercise. A denial-of-service attack can raise all sorts of legal challenges, especially if you can't keep up your end of a supply chain or e-business commitment. You want to make sure your company's business insurance covers the obvious contingencies.
Less than two weeks after your first memo to the CEO, your five-page report will be on the executive committee's agenda. The report will provide a business impact summary of a DoS attack on the company, business and technical countermeasures in place and in train, and a one-paragraph summary of the company's legal exposure in the event of such an attack.
There you have it. You leveraged a well-publicized DoS disaster to upgrade company security and further educate your colleagues in the management smarts required to protect operations, business partners and customers from the dangers of a wired world.
Chuck Belford is president of Management Smarts Inc., a Nepean, Ontario-based management consulting and training company. He can be reached at firstname.lastname@example.org.