EP 134: The Business Value of Business Continuity


About this episode

June 20, 2023

Is there any business value in “business continuity”? If so, how can we explain it so anyone can understand? Our guest is Erika Andresen, the Founder and Owner of EaaS Consulting, LLC. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Erika’s Book, “How to Not Kill Your Business” — https://www.amazon.com/How-Not-Kill-Your-Business-ebook/dp/B0BG9L2YKB

Website — https://www.eaasc.com/

LinkedIn Profile — https://www.linkedin.com/in/erika-andresen/


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 134 of the Cyber Risk Management Podcast?

Kip Boyle: Hey, Jake, we're going to talk about something that I got to tell you I'm surprised it hasn't really come up yet as a dedicated episode, but it's business continuity and it's incredibly important. We're going to explore why and we're also going to talk about how to encourage more senior decision makers to invest in it. A lot of them either think they've already got that base covered or they've never really even thought about it, or maybe they even think that it's not a thing for them, but we're going to see how true that may or may not be. And we're going to do that with a guest. Her name is Erika Andresen. She's the founder and owner of EaaS Consulting LLC, and we're going to tell you what EaaS means in a moment. But Erika, welcome. Thanks for being here.

Erika Andresen: Thank you. Good morning everybody.

Kip Boyle: Would you mind letting us know? Yeah, introduce yourself. We'd love to hear a little bit more about who you are, what you do.

Erika Andresen: Okay. I am Erika Andresen, as you said, founder of EaaS Consulting, which stands for Erika as a service. My play on software as a service, because you get me and my expertise. I am many things. First, I am a certified business continuity professional. I have a master of public administration. I am a recovering corporate lawyer and just lawyer in general after almost two decades in the legal field. I'm a professor of emergency management. I am an active duty army veteran and I am a professor of emergency management.

Jake Bernstein: That's a lot of stuff.

Erika Andresen: Oh, yeah. And I also published a book, forgot that.

Kip Boyle: That's right.

Jake Bernstein: You also published a book. You guys have a few things in common. Veteran book publisher.

Kip Boyle: Yeah.

Jake Bernstein: Cybersecurity.

Kip Boyle: How about a juggler? Are you a juggler? I'm not a juggler.

Erika Andresen: Not quite.

Jake Bernstein: You both are given how many things you're doing at once.

Kip Boyle: I'm a plate spinner.

Jake Bernstein: Yeah, I'm just trying to do one thing as a lawyer and you guys are doing at least three or four. So Kip and Erika, business continuity, this is a phrase that gets tossed around quite a bit. Interestingly enough, usually you almost always hear it, disaster recovery and business continuity. There's this phrase, you know, BCP DRP, and I guess I'm just going to immediately go off script because that's how I roll. Well, okay, it won't be totally off script. What is business continuity? Why is it important and how is it different than disaster recovery? There I just added one little piece.

Erika Andresen: Sure. So business continuity is basic, it's risk management plus. So risk management will mitigate a risk. It will not eradicate a risk. So there's still potential for failure and business continuity picks up where risk management fails and leaves off. There's a process of risk analysis and a business impact analysis that's getting into the weeds a bit about what business continuity does. But it is essential for securing assets with the plan so they can survive disasters and disruptions. And I want to make a difference between everybody thinks business continuity and disasters, they think, oh, natural disaster. But it's also disruptions as in maybe the power goes out, maybe you have a vital piece of machinery that stops working. It's whatever it is that the single point of failure in essence, that'll prevent your business from actually operating.

Kip Boyle: Like a ransomware attack?

Erika Andresen: That as well, because cyber's part of it. And under the umbrella of business continuity is DR, disaster recovery, which is all just about data and the cyber and tech posture.

Kip Boyle: Interesting. Okay.

Erika Andresen: Did I leave off one of your questions? I'm sorry.

Jake Bernstein: No, that was it. Those were all the questions there.

Kip Boyle: So what's the-

Jake Bernstein: Go ahead.

Kip Boyle: Yeah. I think, I love the way that you're contextualizing this Erika as, "Hey, business continuity is a way to keep your business alive and to ensure revenue streams," right? Because let's face it, that's what senior decision makers are most interested in. And we talk a lot on this podcast about that, about, look, if you're going to talk to somebody about cyber risk management or whatever it is, you really need to put it in terms that the audience is going to understand and appreciate. So I really liked that when we were doing show prep. I just thought, "Oh, this is really great." I really appreciate that this is where Erika has her head because I've worked with a lot of people in business continuity and disaster recovery that let's just say, didn't get that. Have you run across people like that, Erika?

Erika Andresen: That didn't get that it helps them?

Kip Boyle: Well, that said, "Well, you have to have business continuity because it's required by whatever regulation or whatever." In other words, that you need business continuity for the sake of business continuity, not because it helps your business. People who don't make that connection that they're not compelling on the topic.

Erika Andresen: Right. Yeah. Actually, one of my clients, when I first interacted with her, she was like, "Okay, great. I read your book. I learned about business continuity and I think it's useful for when I grow, but I don't need it until I grow." And I was like, "Hold my beer. I'm going to ask you a couple of questions." And I started asking her, and I used the phrase, I take it from the movie Philadelphia, when Denzel Washington will say, "Explain to me like I'm a five-year-old." I know how to do the most basic things, but I'm like, "Really? I want you to break it down for me Barney style."

And it's amazing when people have to, because the problem is you can't edit your own paper. You're too knowledgeable about the process, so you will just gloss over things. So when I'm asking the most rudimentary questions and I'm like, "Have you thought about that?" They're like, "Well, no. No, I haven't." It's like, "Okay, what is the next step? What about this?" "No, no. Well, no, haven't thought about that either." It's like, "Okay, let's continue." And a couple weeks later, I followed up with her after she implemented some of these things, and I was like, "Well, what do you think now?" And she said, "It's funny, I didn't think I could use business continuity until I grew. Now I realize I can't grow until I do business continuity."

Kip Boyle: Oh, you flipped the script on her.

Erika Andresen: Yeah. Well, she flipped it on herself because there was proof of concept. In her own mind she was like, "Wow." Not only did she secure her business, she understood there was an extended ecosystem that supports her functions and her growth. And-

Kip Boyle: That is transformative. I love that.

Jake Bernstein: That is.

Erika Andresen: Yeah. Yeah. So it was pretty incredible and I'm really glad that she had that aha moment.

Kip Boyle: So can you give a couple of examples of what you were... You just told us the process. You say, "Well, what about this and what about this?" Well, can you give us some examples of what about this that you were asking her about? For example, maybe paying people, maybe you'd like to make sure the payroll works in a business continuity scenario. Is that one of them? Are there more?

Erika Andresen: Oh, there's plenty. I mean, for her business, she was that other thing too. She is a solopreneur and people, again, will think business. The thing about business continuity, the companies and organizations that do it are massive international organizations and corporations and critical infrastructure, healthcare facilities, higher education institutions and the government do it. So the small and medium-sized businesses tend to not, either because they don't know about it or they just aren't aware they should be investing in it. And like you can scale up. You could also scale down. So one of the things I asked her, she has a bakery she runs out of her home. And I was asking her about icing. I said, "All right, do you have a safety supply stock of icing?" And a safety supply stock is an industry term. She's like, "What do you mean?" I said, "All right, how far in advance can you make icing and store it?"

She went, "Well, room temp, I can leave it for a week, refrigerator, three weeks, freezer, six months." I said, "Okay, well let's pretend that your daughter has to go to the emergency room because something happened and you have a client order due in an hour. If you had a safety supply stock, you wouldn't have to make a choice between the two. You can still complete both." And she went, "I got to start doing that." And it's crazy to me that it... Because it's so natural to me, I think business continuity is easy, and we do this. Everybody does business continuity every single day. You just don't realize you do it. So if your goal, for example, is to go for a walk and the first thing you're going to do is check your weather app, you're going to see is it going to rain when you're planning to go, or is it going to rain later?

Is the temperature going to be really cold or warm? That's going to impact how you dress. So there's a lot of agility you create off of one data point. And that's really... I told you, it's easy if you know how to do it. And another example I like to use is if you want to go from point A to B and you have a map. Doing risk management is a map with all the potholes. So you know in this two-lane highway, which side to avoid when. Business continuity is as you're driving and there's cattle on the road or there is a rock slide, and it's like, "Well, I don't know how long it's going to be before I can get there." You pop open your trunk, you pull out a bucket of asphalt with a shovel, you fill in your pothole and you go on your way. So that's business continuity.

Jake Bernstein: It's a great metaphor. And it's not even a metaphor. Every-

Erika Andresen: Analogy.

Jake Bernstein: Hypothetical analogy. Yes. And that it's real-

Kip Boyle: Yeah. It's easy. It like visually in my mind, I could see myself doing those things as you were talking about them, which I think is fantastic.

Jake Bernstein: And I like this idea of how business continuity picks up where risk management fails. That is a really important and different way of looking at it. Risk management has been... We talk a lot about risk management and I think that you could probably consider business continuity to be a subset of risk management in a way, but it's... I'm not sure that it is anymore.

Erika Andresen: I'd flip it around. I would say risk management's a subset of, because that's one of the steps. You risk management everything. And then you figure out, well, if this fails, what are we doing? So I had a client who bless her heart, she's like, "Hey, I want to do business continuity plan." I was like, "Okay." She goes, "But I don't have the time to do it. You need to do it." And I was like, "I don't know your business."

Jake Bernstein: That's a critical point because I think as advisors, all three of us are advisors. We're all advising clients on something, whether it's the law, business continuity, cybersecurity, risk management, et cetera. And one of the biggest, I think, misconceptions about this area, all three of these areas, is that we can somehow do all of it for the client in our areas of expertise. We can offer advice, but at the end of the day, it's up to a client to take that advice and use it. And in business continuity and cyber risk management, frankly, it's even more amplified than that. We as outsiders are not able to come up with the specific plans or scenarios necessarily. We can ask you questions, right? We can ask you questions, we can make you think about things, but I wouldn't. I don't know how long frosting or icing lasts. And so that type of example was, I think really, really critical.

Kip Boyle: Well, not only that, Jake, but you wouldn't even necessarily realize because you're not a baker that that's even a thing.

Jake Bernstein: No I wouldn't.

Kip Boyle: That that's even an option, right?

Jake Bernstein: Yeah.

Kip Boyle: The baker knows that. It's just a matter of us using maybe a Socratic method to get them to spill that these are things that are needed. I love this. This is a really great conversation because I'm beginning to realize that even though I've been around for a long time doing this work, this is a much more productive way to think about business continuity than the way I have been thinking about it. So this is fantastic.

Jake Bernstein: I think I've gotten more value out of the last 12 minutes than the last several years of trying to think about business continuity. Because I do think it's way too easy just to go BCP slash DRP. People do that all the time. You see that everywhere. And that is just a dramatic underselling of what business continuity really is and what it's for.

Kip Boyle: And some people think it's just about, oh, if I have a plan, I can check a box. That's a big part of what they want. I know Erika's a service. I hate that too. And a lot of people come to me and say, "I need some security policies to check a box." And I'm just like, "Okay, but you really should think about operationalizing this stuff because I think it'd be better for you." So I have my own version of that conversation that you've been talking about. Okay. So now because

Erika Andresen: Sorry.

Kip Boyle: What? Go ahead.

Erika Andresen: I think from my military experience, I mean, I have extensive exercise and training experience. So I understand because the military's mission is to, number one, fight and win wars, right? That's not what any random business is going to be doing. And I think when I was in Afghanistan, we were doing risk management on an explosive scale, literally. So anytime we'd have a mission going outside, it would be the most likely, least likely and most deadly course of action because we always had to consider that. And I'm like, these are things that businesses can be doing as well.

And when you have a plan, it's like, okay, cool now what? And you need to build and I don't like the idea of a plan because a plan is very limited. So if you're like, "Oh, I need to go to the steps A to B, B to C, C to D, and then okay, I'm good." But when the shit hits the fan, not everything plays out the way you expect it. So even with exercising, a lot of people from emergency management, they're like, "We don't anticipate. We're going to practice when we have a hurricane flooding." But they're not actually thinking about the debris in the road unless they're really, really thinking about it. So it's like if you-

Kip Boyle: Or they've been through it.

Erika Andresen: Right. So if you start practicing, then you realize what works and what doesn't work, you start building muscle memory. And then if you're like, "Okay, A to B, B to... Oh no, there's no C, what do I do? What do I do?" Head explode. It's like, no, no, you can figure out a way to get to D without needing C, because that's the end result.

Kip Boyle: So this reminds me of that famous quote, and I don't know who... There was a boxer that said everybody has a plan till you get punched in the mouth.

Jake Bernstein: I believe that was Mike Tyson.

Kip Boyle: Was that Mike Tyson?

Erika Andresen: Was that... What? Mike-

Kip Boyle: Was it Mike Tyson? I don't know.

Erika Andresen: Yes. Actually it was. It was.

Kip Boyle: Was it?

Jake Bernstein: It was Mike Tyson. Yeah. That's a very Mike Tyson quote. Now, which general was it that said-

Kip Boyle: Yeah. There's another general-

Jake Bernstein: No plan survives first contact-

Erika Andresen: First contact.

Jake Bernstein: ... with the enemy. Yeah.

Erika Andresen: Yeah.

Jake Bernstein: All of these things are true. And I think what's really important is... So let me ask this. Okay, so we're saying that if business continuity is about more than planning, obviously I think it's still useful to have a plan. But you actually asked the question, now I'm curious to hear the answer. You've got a plan, now what?

Erika Andresen: You have to train on it and you have to promote it, and you have to get people to care. That is one of the... So if the two major impediments to business continuity are leadership buy-in and money, but part of leadership buy-in is once you have leadership buy-in, you get the people to actually care. Because if a leader saying, "Do this," and they never show up to any of the trainings or the exercises, then it's like, well, it's really not that important. It also becomes just an extra duty as opposed... And if anything is an extra duty, you tend to let it fall to the wayside to your primary duties. So one of the easier ways they try to explain to circumvent that is just make it part of the job description to do business continuity.

Jake Bernstein: Clever.

Kip Boyle: Oh, Erika as a service. You're awesome.

Jake Bernstein: That's amazing.

Erika Andresen: That's just a thought.

Kip Boyle: This is exactly what we tell our clients about cyber risk management. We say it's a team sport and everybody has to have a role appropriate set of responsibilities in their job description. And their supervisors have to tell them that this is a thing, otherwise it won't be a thing and people won't do it. I mean, that's my language. I love the way you said it, but I think we're talking about the same thing.

Erika Andresen: Yeah. And... Go ahead Jake.

Jake Bernstein: I was just going to say I'm looking at one of the second points here about... That I had never really thought about is there's a cycle to business continuity that people I don't think about. Usually just think about the business owner being concerned with business continuity, but it isn't just the owner that cares, is it?

Erika Andresen: Nope.

Jake Bernstein: Who else cares about business continuity and why should they care?

Erika Andresen: So, all right, the business is not just the four walls of the business. You have vendors, you have your stakeholders, you have your investors, you have your clients. So let's go specifically to something like cyber. If you suffer a cyber attack and you have a ransomware and you have insurance and you had a plan, okay, great. And you did the right thing and let your stakeholders know because you know a thing or two about crisis communications. And the problem is you may have survived it, but it doesn't necessarily mean that your reputation's intact or that your clients still feel safe to do business with you. So you can tick all the boxes in the right way and then you still suffer. So your market share can decline. If you have stock, your stock price can decline. Same thing with September 11th, that happened in New York City. That was a direct impact, especially for the two miles.

Well really one mile south of Canal Street in Manhattan. And I'm from New York City originally, and I was there that day, but that's another story for another podcast, I guess. But businesses out in Ohio suffered because the airspace was shut down for days. And they were doing just in time as opposed to just in case because it was cheaper and better. And they realized that they can't do that anymore. So that was a revolution back in 2001 about just because it doesn't. It's not you specifically that suffered something, you didn't lose any employees, you didn't lose your structure, your building is still fine, but you still suffered an impact to your reputation and your bottom line because of other factors. Specific to cyber too. I know when I was talking to somebody who works at a fully remote company, and their concern was... We talked about their safety for their employees.

They said, "All right, we have a VPN with an MFA." I'm like, "Okay, cool." But he revealed one of the biggest problems they have is with phishing. And I said, "Yeah." I was at a conference where they said 10 times out of 10, no matter how much training an employee has received, if the phishing attack has something like, "Hey, click here to find out what the bonus schedule is for the end of the year," every single one of them clicks it. So it's not just... You want to call it the enemy. The enemy doesn't exist outside. It's inside too. And it's not that your employees are necessarily actively trying to be the enemy, but that is a vulnerability that people have that they're not really thinking about.

Kip Boyle: Well, they're getting emotionally manipulated by outsiders into doing things that they consciously would never otherwise do. And Jake and I have done several episodes on phishing and why phishing works and what you should do about that. So if you're listening to this podcast and you're like, "Yeah, I need to get phishing under control, finally, I really want to put that on the top of my agenda," then go into our back catalog. Because we talk a lot about what's the true essence of phishing. And I think, Erika, you've done a really good job of actually bringing that up again. So I appreciate that.

Jake Bernstein: Well, and phishing is a business continuity problem. It really is. And Erika, speaking of the employees, how about the employees themselves? If a business is no longer operating, it isn't just the ownership, it's the employees too and it's every one of... I mean, we just saw this in the world's largest insane experiment in two or three day shutdowns in downtown Seattle. We still haven't seen restaurants come back. And why is that? Well, because employees from other companies stopped coming to the office, they stopped going to lunch. I mean, there's a lot of business continuity lessons to be drawn from the first month of the pandemic and honestly, ongoing lessons from that. But let's focus for a minute on the employees. How impactful is it if you're an employee and your business that you work for hasn't planned, hasn't done anything for business continuity?

Erika Andresen: So I was originally inspired to do business continuity first from a business review article. They were interviewing business owners who suffered through Superstorm Sandy, and they asked them-

Jake Bernstein: Now the New York thing?

Erika Andresen: Yeah, they asked four questions. The final question being, "What are you doing to prepare for next time?" And almost every single one of them said, "Oh, this isn't going to happen again." And I was like, "Oh God, you're so wrong." And then shortly after I was walking down the street and I passed a restaurant which had an identity crisis. It was both an Irish pub and a Tex-Mex restaurant, and they had closed. And I was like, "Oh no, they closed. I feel so bad." And my buddy who was with me was like, "Who cares? They sucked." I said, "No, that's not what I'm thinking. I'm initially thinking there was number one, a business owner whose dream died."

I mean, it was an interesting dream. Like I said, Tex-Mex and Irish Pub, whatever. But everybody that worked for that person had to go home and tell somebody, "I don't have a job anymore. I don't have a paycheck anymore. I may not be able to pay rent. I may not be able to buy food." And that is where I think business continuity is important because you're giving employees a security not only to pay for their necessities, but also to pay for the services and things that enhance their lives and make everybody's life pleasurable and worth living.

And those services come from other businesses who pay their employees to do the same thing. So it's a wonderfully cyclical process. And I think it would be a wonderful opportunity for employees or employers to start advertising like, "Hey, not only are you getting these benefits, we have a business continuity plan, so you don't have to worry if we have a hurricane, we have a plan for that, you'll be able to have continued employment." I think that might be something that's like a hook that grabs them in. It can be a... What is the word I'm using? I can't think of the word right now.

Jake Bernstein: Synergy?

Erika Andresen: It's a synergy but like advertising tactic, not promotion.

Jake Bernstein: Recruitment?

Erika Andresen: Yes, recruitment. Thank you.

Jake Bernstein: It's a recruitment tactic. Well, and I was just thinking as you were talking that it's also if you could also educate the workforce and employees, you could get them bought into business continuity planning as well. And here's the thing, as outsiders, we think we don't know what's going on in... We know we don't know what's going on in a business. I think what's super interesting to understand is that the ownership may not understand as well as their employees do about what's going on. So it's almost like it has to be top down. It has to be driven from the top. The culture has to be set. But a lot of the time, I would guess that some of the most important components of business continuity planning and business continuity execution are coming from suggestions from people who are caught on the line. Is that accurate?

Erika Andresen: Yeah. So it's one of the things... The benefits for business owners is you get to learn your business inside and out. Silos, you try to hope for you can break down silos. And then I heard somebody recently at a conference say, no, you don't try to break down silos. Those are too ingrained and they're too ego-driven. What you want is a porous silo. And when you get people working together as part of the business continuity planning process, and you start doing business impact analysis, you engage subject matter experts within each of the departments that are vital. And you get them to bring out their expertise and you start cross-talk.

And that when you realize that you have the ability to find out, well, we do this, and of course your department doesn't need this. And it's like, no, no, no, actually we require that to be working in order for us to be able to do that. And it's really wonderful when you realize that all these stakeholders are interrelated and they support each other. And when you have that understanding instead of just being down in your own hole, so to speak, then everything about the business becomes more of a well-oiled machine instead of something like a Frankenstein hodgepodge put together.

Kip Boyle: Well, it can get even worse than that, Erika. I've worked in organizations where the silos actually had snipers posted on the top of the silos. To keep people from thinking that they could actually come over and knock on the doors of the other silos. I mean, it was really awful.

Erika Andresen: Well, it's weird. So I was in the JAG Corps, one of the things I did, because I was very an odd duck to the other JAGs-

Kip Boyle: No.

Erika Andresen: Because they went... Yes, I know, hard to believe. They went from straight from law school into the JAG Corps, and I had practiced for six, seven years in corporate world first.

Kip Boyle: So you knew what the real world was like.

Erika Andresen: I was not necessarily indoctrinated into the military mindset. So I would ask questions like, "Well, why can't we do this?" And they're like, "What? We've always done it this way." And I'm like, "Oh no, that's a bad idea. We can do it better." And I would go to... It makes sense to me because I'm inherently lazy despite the fact I run marathons and have my own business. I would love to work smarter, not harder.

So when there was a project and there was research that required the division's equivalent of their HR department, I'd go, "All right, let me walk over to HR, introduce myself and start asking them questions as opposed to doing the research on my own." And I became friends with everybody and all the other departments. So if I ever needed anything, they're like, "Oh yeah, here's the answer, Erika." Instead of me spending an hour or two just amongst myself. And one of my fellow officers who was not a JAG, he's like, "You know what's really funny? We don't know any other JAGs other than you. We know you're all in that part of the building and this tower and you just stay to yourselves, but you're the only one that walks around."

And I'm like, "Now when do I want to learn about what you do and how that helps me and how that fits in? I think that I have a relationship with you that I can now ask you for things." And that's the same with emergency management. I think when you have people working together, not only do you learn the language. You're able to communicate with them and you have this understanding of each other so you can work seamlessly, especially in a hard time.

Kip Boyle: Yeah. This is-

Jake Bernstein: Well, and I mean that's a lesson for business continuity right there is when everything has collapsed around you, your relationships are the one thing you may be able to fall back on.

Kip Boyle: That's right.

Jake Bernstein: And I think-

Kip Boyle: That's exactly who we grasp for when the crap hits the fan, right? Is we're thinking, who can help me? Or does Erika need help? Like, I'm okay. I wonder if she needs help. I wonder if Jake needs help. It always goes back to relationships. And I tell cybersecurity people this all the time, get the hell out of here and go meet somebody and get curious about the way things work. And I actually hire for curiosity. It's one of the requirements to come and work for me is if you don't bring curiosity with you, I can't see you succeeding because I can't teach you curiosity. Have you ever taught somebody curiosity? I have no idea how to do that.

Jake Bernstein: No, you can't. Speaking of curiosity, Kip, thank you for that. I have a question, which is we talk a lot about vendor risk management, third party risk management. Now it occurs to me in the context of business continuity, there's this little thing that is called the supply chain that has been-

Erika Andresen: Very little, very little.

Jake Bernstein: ... rather just in the news since the pandemic and around that. I'm curious, Erika, how often do you encounter business owners who haven't, just take the supply chain for granted? Hopefully people don't do that anymore, but do you still see it? How do you advise clients to deal with this when you're working with them?

Erika Andresen: So a lot of them don't think about the supply chain. There is an optimism bias in general of human beings, oh, it's not going to happen to me. Or they're outside. So they're worrying about, it's not my concern, or I've done the research and they seem like they're good. And it's like, okay. But that may not necessarily be the case. And when you point out to people that not only are you relying on a vendor, you're relying on a vendor who may or may not have their own business continuity plan. So if you don't check that first, then you don't know that they're going to be able to survive a disaster disruption.

Well, that then will mess you up, never mind your own thing. I did talk to a CFO recently who said he believes one of their biggest concerns is an over-reliance on their vendor being there. So everyone's like, "Oh, Google Drive." Okay, Google Drive had gone down for hours recently and it was inaccessible. So again, this is the assumption that everything's going to be there, but that's why you need a backup. That's why you need an... Is it a single source, which you choose, or sole source, because they're the only one available?

Jake Bernstein: It's interesting. So there's a difference between single source and sole source.

Erika Andresen: Yes. Single, you choose like dating. Do you want to be single or not? That's an easy way to remember it.

Jake Bernstein: Right. Got it.

Kip Boyle: That's great.

Jake Bernstein: Got it.

Kip Boyle: I just wrote an Inflection Point, which is something I send to people every other week who subscribe to it. But I just wrote one, it's going to go out on Monday in early May. By the time you all listen to this, it'll have been gone. It would've gone out a long time ago. But there was a global logistics provider that got cyber attacked, and the amount of damage done to them, because they couldn't move freight from different ports around the world, it was in the $60 million range. Plus a lot of their clients relied on them for highly integrated logistics. So for example, there was this one customer of the logistics provider that had a contract, and for 15 years, the logistics provider was moving all of their finished goods out of China and into warehouses in the United States and would actually give them a dashboard that said, how many goods are in transit?

How many of them made it to a west coast warehouse, east coast warehouse? And they would actually fulfill the orders and actually ship them. And they had a four hour SLA for every inventory change to be reported. Well, as you can imagine, the whole thing just fell apart and it just turned into sand and just disappeared as soon as this cyber attack happened. And so the customer of the logistics company had to actually spin up a logistics workforce in the moment and actually send them to the warehouses, manually count inventory. And then they had to contract for trucks to actually distribute that inventory. Basically they had to create an entire logistics department overnight because their provider disappeared and they had no plan to do that.

Jake Bernstein: Wow. So this is a good opportunity to ask the question that is in the script, which I like here, which is... And I think we've all seen this, that it is surprisingly challenging to get clients to prevent bad things from happening to them. You'd think it would be in everyone's best... I mean, it is in everyone's best interest. But there's this quote from Claude Hopkins, apparently in My Life in Advertising, and here it is: "The natural idea to sell a toothpaste is to make it a preventive. But my long experience had taught me that preventive measures were not popular. People will do anything to cure a trouble, but little to prevent it.

Prevention offers slight appeal to humanity in general. Folks give little thought to warding off disasters. Their main ambition is to attain more success, more happiness, more beauty, more cheer." That is a depressingly accurate quote. So how do you get senior decision makers to invest in business continuity? I mean, I think we've established pretty darn well in the last 30 minutes or so that business continuity is important. And you said earlier that it's not going to happen if senior leaders don't buy in. So how do you get that, and when do you just walk away and say, "Okay, good luck to you"?

Erika Andresen: So first thing, I think framing it as you want to keep money is important. You want freedom from fear. You want to keep money. And business continuity is a cost saving program. It's not an expense. It's a cost saving program that you're investing in. It's an asset, because the statistic is for every $1 you spend in preparation, you save $7 on the back end. And I don't know why it makes sense to anybody to write a blank check to fix things after a disaster when they could have done it before. And that doesn't make-

Jake Bernstein: That's common though. I see that all the time.

Kip Boyle: Yeah. Three of us are weirdos because we believe in prevention, but we are the only ones I think.

Erika Andresen: Right. But successful, thriving businesses anticipate and create adaptive processes. And that's another dangling carrot. It's like, are you a successful and thriving business? Are you able to anticipate? Are you creative? Are you using this as an opportunity to be more agile? Or are you just waiting for something to happen to you? And there are people who are like, "Oh, I can't." Okay, can't means that you're hamstrung by an external authority. I don't means you choose not to. So if you say, I don't want to do business continuity, then are you going to advertise that to your clients and your vendors and everybody you do business with? I don't think so. I don't think you're going to tell people my business model is to just wait for stuff to happen and then see what happens afterwards.

Kip Boyle: And react. We're the best reactors.

Erika Andresen: Yeah, we're the best reactors. We're going to roll the dice.

Kip Boyle: I hear that all the time. Actually, Erika, I ask people, so what's your plan if you have a cyber attack? And very often I'll hear the senior decision maker go, "Well, we have an awesome IT team. They'll handle it." It's really the same thing.

Jake Bernstein: Just so you know, real time, I just bought your book, so everyone should probably do that. It's called How to Not Kill Your Business: Grow Your Business in Any Environment, Navigate Volatility, and Successfully Recover When Things Go Wrong. All you have to do is Google Erika Andresen, Amazon, and you'll find the book. So do that now if you haven't done so-

Kip Boyle: We'll put it in the show notes. We'll put it-

Jake Bernstein: This is not a sponsored episode, by the way. I just did that.

Kip Boyle: No, we're just inspired.

Jake Bernstein: We are inspired.

Erika Andresen: I appreciate that. I appreciate that. I still want to answer the question, but I do want to take the moment to just do my own little quick plug for the book. I know Kip read the book too. I wrote it the way I talk. So I'm using more industry speak in this podcast than I do in the book, believe it or not. So I had my sister, who has zero interest in business, read the book as a pre-read. She's like, "Oh, it was really entertaining and an easy read."

My buddy who is the, he's in charge of business continuity at Netflix. His eight-year-old son was reading it to practice reading because it was just the book available in the car. He didn't bring a book with him. And he was like, "Dad, is this what you do?" And he is like, "I've explained to him multiple times what I do and he never understood." He goes, "He read the first chapter of your book. And he was like, 'Oh, this is what you do.'" So if an eight-year-old can understand it... And it's a music theme too. So the chapters are titled with a song, and then the lyrics of the song forecast the theme of the chapter. So it's like Rolling Stones, Wu-Tang Clan, Nine Inch Nails, David Bowie, U2, et cetera.

Kip Boyle: So do you have to be a person of a certain age to read your book?

Erika Andresen: No.

Jake Bernstein: Clearly not.

Erika Andresen: No. No.

Kip Boyle: Because I don't know if the young... It's no those [inaudible]-

Jake Bernstein: I mean, it doesn't matter. Yeah, the eight-year-olds are not going to... Heck, the 20-year-olds aren't going to understand half those song references at this point.

Kip Boyle: And I got two 21-year-olds living at my house right now. They came back home and I love them to death, but they don't understand anything I ever say to them, apparently. And I don't understand them either. It's really been fun. It's like, "Well, what are you listening to? What is that? Tell me a little bit more about that." So anyway, well we do-

Erika Andresen: I felt old the other day when there was an oldies station and they were playing Bon Jovi. And I'm like, "Since when is that oldies?" I started doing the math. I remember when I was a kid and my parents listened to the '50s on the oldies. I started doing the math. I'm like, "Oh no. Oh no. That's exactly how many years ago."

Jake Bernstein: Yeah. That's how many years. Yeah. Yes.

Kip Boyle: Have you heard Hell's Bells as a Muzak when you're going up and down an elevator in a high rise yet?

Erika Andresen: No.

Kip Boyle: Yeah, that's scary.

Erika Andresen: No, no.

Jake Bernstein: Let's let Erika finish the answer to the question because-

Erika Andresen: Oh, fine.

Jake Bernstein: ... we will do this otherwise. So we were talking about people-

Erika Andresen: [inaudible] is, I'll pull it out. Yes. So one of the guys that I heard speak, his name's Mike Janko, he's in charge of global continuity for Goodyear Tire. And his quote is basically the only thing that's harder than doing business continuity, and he specifically works a lot in supply chain, is explaining why you didn't.

Jake Bernstein: That's good.

Erika Andresen: So again, are you going to advertise to your clients and your shareholders that you have no plan and you're just going to roll the dice? But if you are made aware of what this is, what the potential disruptions and disasters are and the impacts of that, and you actively say, "No, I'm not going to do that." I mean, that's also... Now I'm going to put my legal hat back on for a second, because sometimes I get pulled back [inaudible]-

Kip Boyle: That's right. You have one of those.

Erika Andresen: I do. So there is a growing concern, and there actually has been action taken on this, where there are shareholder derivative actions for companies and boards of directors not investing in business continuity, in cyber specifically. And the even interest. So Southwest Airlines, clearly after what they did in December, because they received a couple of billion dollars in pandemic aid and they spent none of that on updating their software. So now they're also under investigation with the Department of Transportation.

What do you do with that money then? So their stock plummeted. And that's the other thing too. Think about, are you going to spend the money for something and then just have it, or are you going to... Is it more expensive to wait, watch your stock value plummet and your share of the market plummet while you're trying to get yourself spun up again because you've been shut down because you haven't done any planning? I mean, everybody, money talks. People don't like getting kicked in the bank account. If we're going to say preventative is not sexy, well, having money in your bank account and not getting kicked in the bank account is probably sexy too.

Kip Boyle: I got kicked in the bank account. I love that.

Jake Bernstein: That's a good phrase. But it's also very... It is just so incredibly evocative, poignant, is that a word? I mean, I'm not sure these are words that apply here, but it's destructive.

Kip Boyle: Well, and it's concrete. Again-

Jake Bernstein: It's concrete.

Kip Boyle: ... Erika, I want to compliment you, because you and I and Jake too, we all live and work in this highly abstract world, like an engineer does. But you do a wonderful job of taking an abstract concept and making it concrete, easy for people to visualize and understand. So I want to compliment you, because I don't... And I don't know if you've had to work hard to be able to do that. I've had to work hard to be able to do that. I've had to actually read books and shit.

Erika Andresen: No, no. Actually, it's one of the skills I started. Again, I mentioned already that I'm really lazy. So when I was a lawyer, I was really good at writing articles. I actually started it on my own. I wrote an article for the local installation newspaper because I was like, "If I can educate my clients before they come in, it would make my headaches a lot less frequent, and my appointments go by a lot faster." Because I would say-

Kip Boyle: You can help more.

Erika Andresen: I can help more. And this thing too is, as we talked about with consultants and advisors, you can tell someone what to do and they can ignore you. And same thing as a lawyer, they can take your advice or not. And oftentimes they don't, because they think they know better. But if I educate someone and I can do it in a way that makes it... Because I can tell you, I can use the biggest words in the dictionary. All that does is tell you that I'm pompous and that I'm probably a little intelligent, but probably more pompous. That doesn't endear me to anybody. And it also doesn't get the job done. If I can explain things, I, again, lazy. If I can get you to help me because you understand what I'm talking about, awesome. And then I'm a teacher as well.

I would do trainings in the military for people. I am a professor now and it's just an easy part of me. And that's why I wrote the book the way I did. Somebody recommended to write it from an academic perspective. And I'm like, "I don't want to read that book, let alone write it. Gosh." And then my students were like, "We love the way you speak, you don't talk like a professor at all." And I'm like, "I'm sorry, is this a compliment?" They're like, "No, no, no. You don't talk from theory. You talk like a real person." And I was like, "Okay."

And that's something, even when I would advise commanders, they're like, "You're the only JAG we've ever met who speaks interestingly, because you're very graphic at times. But there you go." And I would say to people, and this is my New Yorkness, I said, "Would you rather me spend 45 seconds telling you something?" Or, I can't use the word that I usually use, because, blanking around and spend 10 minutes explaining the same thing. I'd rather just tell you straight up and directly and maybe hurt your feelings, but at least we're saving nine minutes of time.

Kip Boyle: Time is money people.

Jake Bernstein: There you go.

Kip Boyle: So we're out of time, unfortunately, but what a wonderful conversation this has been. Erika, we're going to put the URL, as I said, to your book in the show notes so people can grab that if they'd like. But is there any place else that listeners can go if they want to find out more about Erika as a Service?

Erika Andresen: Yeah, you can go to my website, which is www.eas... Sorry, EAASC, I have to put the C there because somebody got EAS first before me.

Kip Boyle: Okay.

Erika Andresen: .com. And I have a blog on there, and most of my blog stuff turns into my LinkedIn posts. I'm also on LinkedIn, both as EaaS Consulting and me personally. But yeah, and also on my website, if you go to About Erika, then there's speaking engagements, and under that I pretty much link all the podcasts I've been on. So if you want to hear me talk and wax poetic about a plethora of things that aren't just business continuity, you can find that there.

Kip Boyle: That's great. Thank you so much. We'll add all of that into the show notes. Any last words?

Jake Bernstein: Not in any way, that would take less than 10 minutes more. So we should wrap it up.

Kip Boyle: Well then we shall. This wraps up this episode of the Cyber Risk Management Podcast, and today we explored the function of business continuity, why it's so important, and how to encourage more senior decision makers to invest in it. And we did that with our guest, Erika Andresen, who's the founder and owner of EaaS Consulting. Thanks for being here, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.