The recent Crowdstrike outage is a wake-up call for many businesses. Currently being dubbed as the largest IT outage ever, the true impacts will unfold over time. However, one thing is certain: many businesses were caught ill-prepared and have senior leaders asking why their business continuity plans didn’t work, or at the very least why their business continuity plans didn’t live up to expectations.
There’s a dirty secret in the contingency planning industry that has been around for many years. Far too many business continuity programs rely on annual tabletop exercises that fail to address current threats. At worst, these exercises are purely a compliance exercise.
The Tabletop Exercise Trap
The advent of business systems operating 24/7/365 drove the switch to tabletop simulation exercises. The primary reason is the lack of appetite among businesses to disrupt critical production systems for the sake of contingency planning. Most businesses and their customers tolerate downtime only for system maintenance, not for testing contingency plans.
Stop Testing for Success
Unfortunately, some business continuity leaders fall into a pattern I call “testing for success.” This involves designing exercises to be as short and cause the least amount of controversy as possible. The tactics include:
- Hand-picking exercise participants who are known not to be critical: This ensures that the exercise runs smoothly but doesn’t test the real pressure points of the business.
- Choosing a simulation scenario that is too simple: Scenarios that are easily overcome with current controls do not test the true resilience of the business.
- Avoiding known vulnerabilities: Ignoring the ‘elephant in the room’ means that critical weaknesses in resilience capabilities are not addressed.
- Over-prepping key participants: Providing too much information beforehand avoids embarrassing any participants but also prevents genuine testing of their response under pressure.
The Real Impact
The result of these practices is that businesses are not prepared for real-world disruptions. When an actual crisis hits, these businesses find their continuity plans lacking. The plans may look good on paper and pass compliance checks, but they fail to deliver when it counts.
What Should Be Done Differently?
To ensure your business continuity plan works when it matters most, consider the following strategies:
1. Conduct Realistic and Challenging Exercises:
- Include scenarios that reflect current and emerging threats.
- Involve critical participants who would be central to real crisis management.
2. Embrace Disruption:
- Occasionally disrupt production systems in a controlled manner to test the resilience of your operations.
- Use these disruptions as learning opportunities to improve your contingency plans.
3. Address Known Vulnerabilities:
- Be honest about your weaknesses and focus on improving them.
- Incorporate these vulnerabilities into your exercises to ensure they are addressed.
4. Foster a Culture of Continuous Improvement:
- Business continuity planning should be an ongoing process, not just an annual compliance exercise.
- Regularly update your plans to reflect changes in your business and the threat landscape.
5. Engage External Experts:
- Consider bringing in external experts to provide an objective assessment of your business continuity plans.
- They can offer new perspectives and highlight areas for improvement that internal teams might overlook.
The ‘So What?’
The Crowdstrike outage is a stark reminder that business continuity plans need to be robust and realistic. By avoiding the pitfalls of tabletop exercises and “testing for success,” businesses can build genuine resilience. Ensure your plans are more than just compliance exercises; make them a living, evolving part of your business strategy.