Change Your Mindset to Define a Minimally Viable Operation
During a severe operational outage, that we might experience in a cyber attack, time is working against us. The longer we go without addressing our customers’ needs, the less likely we are to remain a going concern.
To address the time challenge, it is essential to focus recovery efforts on as small a scope as possible. The concept of minimum viable operation (MVO) must be incorporated into the recovery strategy. To achieve desired business resilience recovery time targets, people, processes and technology will need to focus on just enough capabilities to survive.
Agreeing on what constitutes the organization’s minimum viable operation provides several key benefits to focus an organization to prepare for a devastating scenario:
- Centers on critical functions — not all functions.
- Emphasizes speed of restoration and resilience under constraint.
- Focuses on continuity of essential operations rather than full performance.
- Informs crisis response, resilience planning, and incident management.
Change the Mindset for a Different Circumstance
All of us are accustomed to operating in our regular work environment. We consciously and unconsciously follow well defined procedures - written and unwritten. Unfortunately, our common, well-established mindset forms the biggest impediment to planning for the very different and likely dire circumstances that ensue from a sudden, devastating cyber attack. To make progress on preparing for a very quick recovery of critical services, we need to change the mindset of everyone involved in defining a minimum viable operation. They must think beyond their normal patterns and recognize that survival of the organization is fully dependent on their willingness to think differently (to fit what may be a vastly different environment).
As an example, anybody who works in banking naturally thinks that we protect our customers’ assets by protecting the institution. We have extensive Business Continuity and Disaster Recovery Plans for any eventuality. While this is appropriate thinking for normal times, it could make planning for prompt recovery from a severe outage difficult and likely unachievable. This is because normal DR/BC plans are designed to recover the organization’s full functionality. These plans most often do not address a complete, sudden outage and they generally do not have fully articulated plans for prompt recovery of the most critical functions that will allow the institution to survive. To change our normal thinking, we have to shift our thinking into a different space. We must envision that survival is the ultimate target of a good resilience strategy.
Nature is full of examples of survival through minimum viable functionality. It is well known that the human body has built-in survival capabilities that prioritize survival in extreme circumstances. Should you fall into a frozen lake, your body will automatically prioritize blood flow to your core and brain, because they are vital to your survival. Extremities, such as your fingers and toes are deprioritized as relatively unnecessary. Not so surprisingly, trauma surgeons follow similar principles when deciding how to handle victims of a disaster, particularly when the number of victims overwhelm the capacity of the medical staff. They prioritize survival over quality of life, because the alternative is not acceptable.
We need to apply this same kind of impartial thinking to the survival of our organization, so that we can survive an extreme outage that may result from a dedicated cyber attack. We need to recognize what MUST be recovered and distinguish that from what should be recovered. This distinction is not easy to make, and much more challenging to get a consensus upon. Yet, this is the mental mindset change that is necessary – from the top of the organization – for the organization to have a serious chance at survival, should this scenario ever play out.
Workshop the Scenario
Due to the preponderance of cyber attacks, we need to incorporate the concept of minimum viable functionality into our business continuity planning.
Sheltered Harbor advocates that each organization prepare a full resilience plan, to supplement their normal DR/BC plans, which would enable the organization to recover critical business services in a timeframe that is appropriate for its most critical functions. The identification of critical business services is a subset of the minimum viable operation.
For example, a retail bank can survive for a few days without immediate access to functions such as loan origination or account opening. However, if its customers cannot see their balances or cannot access funds in their accounts, that bank will not survive for two days. These two services are a core part of the bank’s MVO. (MVO sets a baseline level of operation that must be upheld under stress. It helps organizations determine how much loss of functionality is tolerable without triggering systemic failure or regulatory breach.)
We need to identify what constitutes our organizational ‘core’ as well as the various organizational ‘extremities’ that are not as critical to our survival. This kind of thinking is unnatural. (Who thinks about living without arms and legs?) Further, the understanding of ‘our core’ must be universal if ‘we’ intend to recover it quickly in the most dire of circumstances. There should be no room for argument on what is included in the core (as well as what functions are deemed less-critical and therefore not part of prompt recovery.)
To accomplish clarity on this, it is recommended that the organization convene a workshop including a cross-functional group of executive leaders (or their designees).
The objectives of this workshop are:
- Establish a shared understanding of what is involved in preparing the organization for prompt recovery from a severe cyber outage
- Identify a common view of minimum viable operations that will be the focus of these preparations
- Articulate a common message regarding the timelines necessary for the organization to recover the MVO should they become unavailable
It is important to note that identification of critical business services is just the beginning of the definition of MVO. We must take the concept far enough to make it actionable. For example, if we agree that our customers need to see their balances promptly after a severely impactful cyber attack, we also need to articulate:
- How long after the outage must this service be restored?
This ‘impact tolerance’ or maximum allowable outage time defines the recovery time requirements for this service - How will the customer experience this service (by calling in, walking into a branch, through a website, on their mobile app)?
The delivery of this service via each medium requires a different set of support capabilities - each with their own recovery timeline
By doing this for every critical business service, the workshop team will provide a clear set of targets for how the organization needs to prepare for survival after a sudden, severe outage. Thereafter, a larger group should be able to create, implement, test and regularly exercise a resilience plan that will ensure the organization’s survival.
Sheltered Harbor and MVO
When I first uttered the phrase ‘minimum viable bank’ at a meeting of our Banking Working Group in early 2016, I was accused of introducing ‘consultant speak’ and admonished to stay more practical. Back then the group included about 100 subject matter experts from over 20 banks, and we were trying to get our heads around how we would maintain public confidence after a devastating cyber attack that knocks out a bank or credit union’s operations. The Sheltered Harbor Community has been defining what critical services to recover and how to recover them for a variety of financial institutions ever since. Getting such a broad swath of the industry to agree on anything is a feat. From the beginning, we learned that getting everyone to change their natural thought patterns was a key to success. The winning strategy is to get everyone to fully envision a day when none of their normal operating capabilities are available. We got there through a series of workshops. Narrowing down the absolute minimal operating functions becomes a matter of walking through tradeoffs that would be necessary to survive an extreme scenario. (Everybody thinks that their function is critical. Good collaboration enlightens all about what is truly critical.) This process requires a willingness by all participants to think differently and to stay focused on the common objective, which is to survive long enough for our BC/DR efforts to recover full operations.
Sheltered Harbor offers more than a dozen resilience planning guides to help organizations prepare to recover critical services promptly. Most recently we delivered a Maturity Model for Recovery from a Severe Outage - a simple self-assessment tool to get everyone to understand how prepared the organization is to recover critical services. Join Sheltered Harbor if you want to prepare to recover critical services promptly.
