"If you want to survive, don't be surprised."
This quote by economist Nouriel Roubini perfectly sums up the central theme of the recent GFMI Operational Resilience for Financial Institutions two-day conference in New York from 28th-30th September, and many of the sessions referred back to it frequently.
Time and time again, this message keeps coming up. We should expect things to fail. We should embrace the learning opportunities that failure can offer.
Understandably, there was a large focus on cyber recovery at the conference. There was clear agreement that the threat posed by cyber attacks is unique in that despite being a “victim” of an attack, there is a distinct lack of public empathy for organizations that get hacked. So, even if you have a robust cyber defence approach, you won’t win points with the public when it comes to their data being breached.
There was also robust agreement that a cyber attack is not solely a technology problem. It potentially encompasses a wider range of internal and external stakeholders than a traditional technology outage. Coupled with an unclear timeline and multiple impact points, many of which fall outside of technical impact, a cyber attack really is a different type of crisis, according to the consensus in the room.
Does your cyber response capability acknowledge the unique nature of this threat, or does it view the problem purely in technology terms? If the latter, it may be time to rethink your approach. It was clear that many of the organizations represented in New York were starting to do just that.
Alongside this, there was a clear consensus at the conference that there are other things we should expect:
- The strengthening of ties between regulators in different jurisdictions – within financial services, many of the firms we talk to are large multinational companies. There was a sense that, given the size of these firms, regulators are likely to show a united and consistent approach to resilience before the individual firms do, because the firms' size and complexity limit integration. What might that mean for organizations?
- For many companies, migration to the cloud could also signal a move away from Recovery Time Objectives and toward a reliance on Service Level Agreements. That could require a significant adjustment in terms of expectations.
- The notion of “severe but plausible” is putting a strain on industry preparedness and there is a growing realization that technology is not the only component of data resilience. Business context is paramount.
Here’s another quote mentioned at the conference, this one from Charles Darwin:
“It is not the strongest of the species that survives, nor the most intelligent…it is the one that is most adaptable to change.”