EPISODE 158
Business Continuity as a Revenue Generator?

About this episode

May 21, 2024

Is overnight viral success a kind of disruption that the business continuity (BC) discipline can help prepare you for? Let’s find out with our guest Erika Andresen, the Founder and Owner of EaaS Consulting, LLC. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Erika’s Book, “How to Not Kill Your Business” — https://www.amazon.com/gp/product/199018538X

Website — https://www.eaasc.com/

LinkedIn Profile — https://www.linkedin.com/in/erika-andresen/

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and Klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 158 of the Cyber Risk Management Podcast?

Kip Boyle: Hey, Jake, we're going to talk about something that I think is pretty cool, pretty innovative. What we're going to do is we're going to talk about cyber resilience, but we're going to reframe it so that we're going to look at it through a more growth oriented lens. When we do this, I think we're going to detect way more business value than we have probably thought of when we otherwise talk about cyber resilience. And the best part of this is we're going to have a guest who's going to help us go through this. And her name is Erika Andresen, and she's a business continuity expert. She's the returning guest to the Cyber Risk Management podcast. Hi Erika.

Erika Andresen: Hi Kip. Hi Jake. Hi everybody.

Jake Bernstein: Hey Erika. Nice to have you back. Kip, I was so tempted, sorely tempted to just interrupt right off the bat and say that this is like a cybersecurity as business enablement or enhancement episode, but I think that's right.

Kip Boyle: I think so. Erika, would you say that's true?

Erika Andresen: I think it's true to a point, because I talk more about everything, not just cyber resilience, just resilience for businesses in general, but of course cyber is part of business continuity. So all of this is involved in, it's just a perfect setup for mindset or frame of mind and how to view something that people see as preventative and instead of it being preventative, it's opportunistic.

Kip Boyle: It's enabling. Yeah, that's something we've talked about a lot on the podcast and I want to be more explicit about it right now. Humanity in general is just not interested in preventative stuff. People will fix anything that's serious enough that comes along, any kind of a failure, they're all over it, but actually preventing stuff. And it's not just in technology, it's not just in business, I've come to realize that it's just in general, I think if there was a pill that you could take that would prevent hangovers, I still don't think it would sell anywhere near as well as aspirin.

Erika Andresen: Well, no, they have those services now where you can get IV fluid injection come to your house after you're hung over.

Kip Boyle: There you go. You've even made the case more clear. Toothpaste in the United States is another great example. There was a guy named Claude Hopkins and he figured out how to sell toothpaste not as a dentifrice, in other words, something that helps keep your teeth from getting cavities, but as an aid to beauty, he actually sold it as this is going to help you get a winning smile and that winning smile is going to give you success in business, going to give you success in relationships, it's going to make you look more attractive. People are going to want to be around you. And that completely flipped the script for tooth brushing in America. Can you believe that?

Jake Bernstein: That was brilliant too, because both are true in that sense. I mean the using toothpaste like that is an enhancement. And I think what we can say here is business continuity. It isn't just the act of having a plan to ensure that your business can continue on. I think Erika, let's hear about, and I've totally caught off script, I apologize, but this is how it is. The very act of creating a business continuity plan, the act of thinking through the business continuity process itself would pay dividends, right? Do you see that in your work?

Erika Andresen: Absolutely. When you are paired instead of, this is an interesting way to look at it. If you think about when you're going through life, you're going to have stepping stones or stumbling blocks, and it's really up to you which ones you're encountering based on how much preparedness you've done. So when you're setting up your business to start to succeed, then sky's the limit. And I like to say this is a hard truth. Hard truth is if you don't want to do the work, you don't want to succeed.

And I was watching a presentation recently, last week actually. I go to this meeting in person where entrepreneurs meet with other entrepreneurs. They present their business and say, "Hey, crowd of entrepreneurs, give me some advice on this one problem I'm having." And this person said that they wanted, they had an e-commerce business and they wanted to go viral, they wanted to expand in other states. They didn't actually want to do the work. They didn't actually say that, but they said that in certain things like, "Oh, this is my social media plan, but I do it based on my personal preference. No data to support that." And oh, "For inventory, you're just going to go on where the momentum takes us."

And of course my BC mind is going bananas in the back. Are you kidding me? What? You don't want to plan? That's the thing too. This all requires effort. It's effort. I understand it's effort. And sometimes, like I started calling it adulting for your business. It's not the thing that anybody really wants to do. Nobody wants to do their laundry and clean the house, but when you finish it, you're like, I did adulting for the week. It's like, great. You feel really accomplished and you can look back at something. Even with dusting, are you the type of person when you dust, are you going around the things on the desk or you're actually taking everything off and doing it right? But this person, somebody suggests in the audience a thing to become viral, like an actual linking up with a local enterprise. And the response was, "Oh yeah, but not that viral." And I leaned over to my friend and said, "Okay, how is this business not just a glorified hobby?"

And he was like, "Ooh, harsh." And I go, "No, honestly." Because you can make this a hobby, you're staying in the hobby lobby and not actually wanting to put the work in and to become actually good and successful at what you do, then you also need to be telling everybody, your clients, you need to be telling your customers, you need to tell everybody investing in you that you only want to be a hobby. Because you have no right, especially your employees too, you have a duty to them. And when you are successful, that leads to significance. It's significance in multiple people's lives. Not only your own and lining your own pocket, but the service you're providing to everybody in the community and your employees. So if you don't want to be successful, that's fine, but just tell everybody.

Jake Bernstein: And one of the things, first of all, my brain is still reacting to I finally understand where the name Hobby Lobby comes from. I don't think I've ever made that connection. That's very clever. But two, let's just say for a second, Erika, that a business that does become an overnight viral success, what if they do? I know what I'm thinking, but I'm curious, how is that a disruption that really does become a business continuity event? What can happen?

Erika Andresen: So it's funny, I only started really seeing this and it's ironic where I'm talking about seeing problems in advance or just seeing things right in front of your face, you're missing, and I even missed it myself. You look at the title of my book after the colon, the first thing is grow your business in any environment. And I didn't actually make this connection until the fall when I encountered, there were three businesses in a row I encountered who had viral overnight success and they were stressed out and they couldn't actually meet the moment. They were unable to bring on the new clientele. They were not calling people back. People were leaving messages saying, "I'm trying to give you money," and they're not calling them back. So the first thing that they did was their current customer service levels degraded. They weren't able to bring on new people, which is a problem. And then when you start making shortcuts to fix all those things, you wind up degrading the very product or service it is that you became famous for. And a perfect example, shortly after that, that was all over the news. But of course I paid attention to the nerdy aspect of it.

When Taylor Swift wore a ring to one of the playoff games, that was a Travis Kelce jersey ring. The woman whose shop makes that ring went viral of course, because Taylor Swift was wearing this ring. And she was like, "I'm so stressed out, I can't sleep. Hopefully, the order's going to be ready by March, because we're just sold out." And I saw multiple levels of issues in there that could have been prevented and fixed if she had actually thought about things in advance. And this is the thing too, with business continuity. You only really are paying somebody like me to tell you these are the things, but it doesn't actually cost you any money to do the work. It's just effort and time. It's the adulting.

So if she would've done some research in advance about having suppliers, where she's getting the material to make the rings? So she had enough on hand in case or backup suppliers in case they didn't have enough, and then maybe wrote an SOP on how to make the rings. Because this woman is not new to jewelry. She's been in the Kansas City area for 10 years. This was the first season she ever sold Kansas City Chiefs jewelry featuring the number 87. Okay. She did this on purpose. She was capitalizing on Taylor Swift. How did Taylor Swift get that ring? She sent a package herself to Donna Kelce, Donna Kelce gave it to Taylor Swift. So if you're really trying hard to go viral, be ready for it. Because even old school-

Jake Bernstein: What if you succeed?

Erika Andresen: Yeah, like, oh my God. Then what? Because when I'm reading this article, I'm like, oh honey, you could have had a much better, easier time. You could have set up the bat signal, called in all these reserves to help you make the rings. And she's saying, "It'll be ready in March." And I'm like, it's not going to be ready in March. They're not going to be ready until at least April. I know how this stuff works. You're being really naive about how it's going to work and all you had to do was put some time in there. So back in old school times, if you were going to be on QVC, you made sure you had stock for all the calls coming in at 1:00 AM to buy whatever it is that you're selling. This is not new stuff.

Jake Bernstein: It's not.

Erika Andresen: I'm not creating this.

Jake Bernstein: No, no. So check this out, Kip. I am going to connect this to cybersecurity.

Kip Boyle: Oh, please.

Jake Bernstein: You know what this reminds me of?

Kip Boyle: Yes, what? Tell me.

Jake Bernstein: This is a distributed denial of service attack, except it's positive. And the same thing happens to-

Kip Boyle: Although it creates the same smoking crater though.

Jake Bernstein: No, it's the same effect, right?

Kip Boyle: Mm-hmm.

Jake Bernstein: But it's a non-malicious DDoS. And it's actually very, very similar to the literal unintentional DDoS that happens when a big video game launches. And these days people get really upset when the servers can't handle the load and nobody can play the game on day one because honestly, you should have known. Sometimes even when they do try to prepare, it's still not good enough because they just underestimated demand, maybe that's slightly more forgivable.

But the point is that this is a business continuity event. Proper planning could have at least mitigated the damage. Or if you don't want to call it damage, I like Erika how you put it, some of these businesses aren't able to rise to the occasion and make the profit that was right there for the taking. It's essentially magically all your fruit trees produce all at once and you're like, "Oh, but I wasn't ready for that. So all the fruit's going to fall and just rot, right?" It's a waste of, it's a waste. And obviously, when a DDoS happens, when it's a malicious DDoS, everyone looks around and goes, oh, that's horrible. So sorry, you were attacked, why weren't you ready for a cyber attack? Because we all have this cybersecurity, everyone should be ready for these cybersecurity attacks type of deal. But when something like this happens, I don't think people sufficiently understand and see it as a business continuity planning failure, but that's what it is.

Erika Andresen: Well, business continuity by definition, supposed to be for disasters and disruptions and disruptions can be positive, they're just going to feel terrible as they're happening. You're riding the wave of, oh my God, I'm popular all of a sudden.

But you need to sustain that. I mean, there's a difference between when the tech bros start their company and they get their first three clients and they hire 75 people, and of course they're going to be awesome. And then three months later they're laying them all off, that's different. There's different of your business doing okay, and then going viral. And whether or not that's going to be sustained, like I said, this woman could have thrown out the bat signal, brought in a bunch of reserves to actually help make this jewelry to get it out in time for the Super Bowl. I mean, who wants this jewelry in March or April? Football season's over.

Kip Boyle: Right, you want it now. You want to revel in the moment with your piece of jewelry.

This is reminding me, I didn't make this connection until we were in this conversation, but in my book I talk about negative visualization as an exercise the senior decision maker should be in. Because what I've noticed is, most senior decision makers, and I suppose this is probably true for most people in general, but in a business context, when they're trying to do something new, they're just thinking about the happy path. All these great things are going to happen and then we win. And they don't really stop to think about, well, what if we don't end up on a happy path? What then? And so other people call this instead of a post-mortem, they call it a pre-mortem, right? So there's different words that I've seen put on this, but the whole idea is like, okay, if you're going to spend all this time thinking about how great everything's going to be, could you just take a small amount of time and think about what could go wrong?

Erika Andresen: And I talk about this with succession planning, which has the word success in it. So you need to be a successful business for succession planning because you want to sell your business or pass it on to somebody else. When I was on a panel for succession planning, it was an M&A advisor, an HR specialist, and then me. And everyone said, "I've heard this tale told a million times." Like, "Oh, you got to start five years in advance. A lot of people start too late when they want to sell their business and blah, blah, blah, blah." And they're like, "Well, Erika, as the business continuity specialist, what is your advice for business owners?" I was like, "Have a business that actually is going to be able to be for sale later. You have to ensure that it's going to be there." I mean, there's a large amount of hubris involved in assuming that everything's going to go according to your plan and you're going to be a success.

And that is foolhardy because sometimes life throws down an express bus in your way and it runs you over and messes up all your plans. Not everything gets to go according to your plan, even the successful things. And I'm all about success. I want everybody to be successful. And part of this is stepping into fulfilling your potential. Again, do the work, do the work to be successful, because you can. You're stepping your potential, you are creating significance, and you're putting yourself in a place to succeed if you're paying attention to the signs. So I was thinking about, and I got mad, and I shouldn't have been mad about this, but I was like, this just proves why business continuity professionals are valuable.

So last January, so January 2023, I wrote a blog post about the wine industry and how climate change is messing it up for lots of reasons. But one of them, particularly in California, is they have to keep changing the harvesting time for the grapes because things are getting hotter earlier and the grapes are, because of the way they grow, they're changing. And the only thing that makes any type of grape growable in any region is the climate. So how long are you going to try to shoehorn in keeping this particular grape alive and thriving in this place when you know it's going to change, the climate's going to change and the climate's no longer going to be hospitable, it's going to be inhospitable for that type of grape. So you can either keep trying to shoehorn in something and run out of runway on that, or you can start planning a new type of grape varietal, and they normally take about 10 years to seed and bear good fruit for wine. So you can be ahead of the curve, you can follow the curve or what? And then in December, so almost a full year later, CNN's writing an article about how climate change can probably, it's going to affect the champagne we're popping because we might not be able to have champagne anymore.

And I'm like, "Okay, would you rather be the business owner who had a year jumpstart on this and started planting their new varietal a year ago before everybody else?" I mean, I can't predict the future, but I can definitely help you meet it and shape the way you're going to do so you can be successful.

Kip Boyle: Yeah.

Jake Bernstein: Absolutely.

Kip Boyle: This reminds me of a book that I've started reading, it's called On the Move: The Overheating Earth and the Uprooting of America. And it's by a reporter who is actually aggregating all this data about how climate is predicted to change. And in the book, he's saying that, for example, in the United States in the upper Midwest, which now is considered to be a rust belt, Detroit, Wisconsin, different places around there, that the fertile land that today is more than the Kansas area at that latitude is going to shift to the north. And not only that, not only is food production going to shift, it's going to lay waste to existing farmland, but it's going to take land that currently isn't valuable for growing food and it's going to make it valuable for growing food. Not only that, but all of these coastal cities and towns are going to have to deal with flooding and permanent changes in higher temperatures and that sort of thing.

And so I was listening to this author getting interviewed on, I think it was an NPR episode, and he was saying, the richest people right now are buying farmland like crazy. And land that they expect to be farmland like crazy because they're getting out ahead of this. And so, that makes me think about what you were just saying, right? Think about the future, think about what's going to change. Don't you want to own the land? You want to be the one who was 10 years ahead of themselves and actually own the land that's going to be the solution to where's all our food going to come from? Rather than just trying to scamper with the changing temperature line as it shifts northward. I think this is similar, right?

Jake Bernstein: It is. And what I'm going to say here is, this is a good segue to skip over to the idea from this shift in almost away from lean manufacturing, or I should say maybe just-in-time manufacturing toward what I can only assume means is supply chain management. Kip just put SCM in the script here, but I'm going to call that supply chain management.

Kip Boyle: That's great, Jake.

Erika Andresen: Yep.

Jake Bernstein: Thank you. With multiple options. And I think that what you were just saying about shifting, being aware of where you're going to be able to grow food is in some ways, it's similar thinking to the supply chain management. So Erika, why don't you give us an example about how just in time has been proven or at least shown to be precarious and maybe some examples of what it looks like and why it's a business continuity problem.

Erika Andresen: So, well, lean manufacturing in and of itself is not, it's actually a good thing for business continuity because it's all about putting investments and preparedness and as little waste as possible. So I'm not against lean manufacturing at all.

Jake Bernstein: Really, I think it's more about the concept, and I think that we made that seem more negative on lean than we meant to. It's less about lean, more about the risks of just in time supply chain issues is what we're talking about.

Erika Andresen: Yeah. So we as a people have short-term memory, but we also have a lot of muscle memory when it comes to pain. And when COVID hit, there was a lot of issues with supply chain management. There was actually an international exercise. And I always tell people, if you want to know what's going on, look at what governments and big companies are spending money on for their exercises. Because one of it was, I think November or October of 2019 where they had such a big exercise for supply chain disruption. They even invited major companies to participate, because they're like, this is going to be something. It was actually for a pandemic-like flu. That's what they were exercising in October, November of 2019. And they knew the supply chain would get messed up from it.

So people, they don't want to be waiting around anymore for stuff. So they're like, okay, we can't just do the just in time, we actually need to have the extra inventory [inaudible]. And that's when they didn't. And you saw a trend in the United States, we're like, we now have all this money poured into semiconductor manufacturing because we're not going to wait for it to come from Asia anymore. We're going to have it here. But of course, it's going to take a couple of years, they're building the factories, before they get the capabilities to do that.

But then you look at something like Boeing, the issues with Boeing. And United is saying, you know what? We're going to have to think of a plan that doesn't include Boeing in our future. And it's like, well, yes, that is business continuity, having a backup to your supplier, but how realistic is that? Those are just words I thought from United. They're shot across the bow to Boeing and Boeing's had a lot of issues since then that come out about their safety and their manufacturing. But you look at, there's only two major suppliers of airplanes in the world, and it's Boeing and Airbus. And it makes sense from a lean manufacturing thing to only have one company's planes within your supply because you can use parts to fix other ones. You only have to train your pilots and your crew on one type of system. You don't have to do a different type of system that are different. But if United actually did want to leave Boeing, they're going to get the very back end of the waiting line for Airbus planes, which are years delayed. This is why people are doing... Why JetBlue wanted to join with Spirit, not because they think Spirit's awesome, they wanted their planes and they wanted their crew because it's going to be too long. It's going to be a long time before it comes.

Kip Boyle: Right. Right. And this also reminds me of a news item I heard the other day which is, imports to the United States of goods from Mexico has exceeded in value imports from China for the first time in 20 plus years. And the reason for this is because companies that do the importation have decided that it's politically too risky to have so much manufacturing concentrated in China. And I just also read that the first significant quantities of iPhones have been rolling off the production lines in India. So I think you're right, that if we look and see the kinds of moves big companies make, that's a crystal ball, right?

Erika Andresen: 100%. Because all this is lead time exposure. And even with that person, the e-commerce person, it's like how long does it take to get your stuff? Oh, faster than we expected. But okay, what is that though? How much faster? Is that going to be replicated? Is that consistent? Do you have a backup with the like and kind to do that? I mean, if all you relied on was lean for supply chain management, that's fine for most days, but most days don't exist anymore. Things are just getting worse. And then not only are we having pandemics, we're having tankers that are crashing into bridges and closing down shipping ways.

Kip Boyle: And this doesn't even include the kinds of supply chain disruption that cyber attacks and cyber failures. There was a logistics company, I wrote about it recently, who had a global outage due to a ransomware attack. And one thing I know I learned about logistics when I was working in that industry is if you can't move data, you can't move freight. If you cannot accurately transmit to the port where this container is going to, then they won't allow you to load the container on the ship at the port that it's trying to disembark in. In other words, you can't float that thing on the ocean waiting for the data to catch up to where it's going to. And they ended up stranding freight all over the planet because their systems couldn't notify the receiving ports as to what exactly was going to be delivered. And yeah, I mean, wow. Talk about impact and cyber failure. That's massive.

And I don't think we've really seen the cyber failure that a lot of people have nightmares about at this point. I remember insurance company executive saying things in the last couple of years, like cyber is this silent risk. And if there really was a big cyber failure, could it even be insured? Is it even possible to insure for mass cyber failure? I don't know. Have you heard of any of these things that I'm saying? Erika, is there something here in your opinion?

Erika Andresen: Yeah, I mean, we always put an overreliance in a lot of things in order for our success. And I especially, and even DRI, which is the body that certified me as a business continuity professional, they're even pushing, and it's not like it's a new thing, they're just pushing it more, is that supply chain management is one of the newer things that they really are putting a premium on. And it's not just doing the... You have to look at not just your supplier. You have to see that they have continuity plans. And I say more than that, don't trust and verify. Don't even trust, verify. Because if they're like, I have one I've seen, it's been a year since we've last talked and there's a lot that's happened in a year and things I've encountered and seen, and when I see certain business continuity plans, I could tell from the second I start reading them if they're terrible or not.

Jake Bernstein: I'm curious about that. Let's say, what are a couple dead giveaways? Here's a concrete example for someone like me. I might be doing some due diligence to help a business buy another business in the M&A transaction context. And one of the things I'll get, maybe, is a business continuity plan to review. And let's say I get one, what are the top three things that I should look for or that would be red flags to you when you start reading a business continuity plan?

Erika Andresen: Fluff is number one. There's no substance in it. So I've read a part of a business continuity plan. Was there cyber plan? Was this a recitation of the NIST framework?

Jake Bernstein: I've seen that. I have seen that. I know exactly. I was like, wait a second, this is just copy and paste.

Erika Andresen: Yep. There's no scaling down, there's nothing, there's nope nothing. That actually is a plan in this.

Kip Boyle: Now, really the purpose of those plans are just to make the auditors go away. When the auditors come and say, show me your plan, you show them the plan, they thumb through and go, "Yes, very good." And then that's it.

Erika Andresen: Yeah, that hurts my soul.

Jake Bernstein: It does. So fluff, that's a big one.

Erika Andresen: Yeah.

Jake Bernstein: Let's say it's not quite that bad. What next?

Erika Andresen: I've seen plans where the plan was to meet up with the building manager to assess the actual damage and then see what they can do at that point. And I'm like, that's not a plan. That's a plan to plan late. That's kicking the can down the road. So there is no-

Jake Bernstein: That's only slightly better than the fluff.

Erika Andresen: Correct. Slightly.

Kip Boyle: In some ways, that's even worse because people might think that's an actual legit plan.

Erika Andresen: Yep.

Jake Bernstein: Yeah, that is true.

Kip Boyle: Guess what? Building manager's nowhere to be found. That person will not be available to have that meeting because everybody in the building's going to be pounding that poor person's phones and email and trying to catch them in the hallway or whatever. It's like you're not going to get any time with that person.

Erika Andresen: No, no. And then from a DR aspect over reliance on the cloud and that they were doing manual hard drive backups every week or two, and they were a financial advisory firm, which I think is a bit too risky. I'm like, do you want to go back and do a week or two weeks worth of data re-entry because you didn't back that up? Okay.

Jake Bernstein: So what you're saying is over reliance on cloud in the place of more deliberate backups.

Erika Andresen: Right. One of the things I asked them like, okay, do you think this is a good plan or not if you had to, because part of FINRA for these types of things, they're required to disclose their plan, not all the nuts and bolts of their plan, but the plan to any client that wants to see it. I'm like, is this something you'd be proud of or ashamed of? And if you're ashamed, you know, just tick the box. If you're proud, you don't know what you actually have, which makes it dangerous, and you just wasted a lot of money. And that's the thing that I hate. Because I figured out what company they got it from. They got it from a compliance company.

They're basically like the IKEA of compliance products. It's like, well, let me just take a continuity plan. Let me take a cyber plan. And I'm like, "I'd rather you spend no money because you're going to fail regardless if you have this plan or no plan. But at least you didn't waste money doing it the other way. At least you didn't actually think you're going to be successful." That also hurts me too. It hurts me for those people that they think they're doing the right thing and they have no idea how poorly they put themselves in a position. They actually, some of them want to succeed. They think, "Okay, cool, I got a plan." It's like, you don't actually have a plan. You just have a really expensive thing that is going to fail.

Jake Bernstein: Well, and I think this circles back to what you said at the very beginning, which is you've got to put in the work and with business continuity and disaster recovery. And remind me, because I might want to ask you to differentiate those again for the audience if possible. But writing a good business continuity plan, and maybe that's how I'll frame this question. That was the top three things to look for as red flags. What are the top three things you look for that make you think, wow, this is an actually decent plan? Not including written by Erika Andresen on behalf of X, not including that. That's an obvious one.

Kip Boyle: By the way, everybody, I'm going to buy Erika a little bit of time before she answers this by telling you Jake is so far off script right now that poor Erika is probably like, "What the hell, man? You told me there would be no map on this examination."

Jake Bernstein: We already talked about the grapes, and that's all that was left. So I was curious.

Erika Andresen: There was another page, there's a full other page. Do you not see that one?

Jake Bernstein: I thought we did that.

Erika Andresen: No.

Jake Bernstein: Airbus. Taylor Swift, Airbus, and then gray rhino, which is climate change.

Erika Andresen: [inaudible]. No.

Kip Boyle: No.

Jake Bernstein: There's an interesting disconnect that between whatever gray rhino is.

Kip Boyle: Well, listen, Erika, we can either wrap up this episode with one of the three things you look for, or we can talk about gray rhinos.

Erika Andresen: I could probably do both. The first one is, okay, it also cross, it's a cheat answer. It's making sure that all the responses aren't going to the CEO. It's like, okay, there's your single point of failure because apparently the CEO is going to be walking around in a bubble where nothing's ever going to happen to her or him. Another is training, actual training and evidence of training and exercising. Because if they're not doing that, it's not going to succeed. And then, actually figuring out what the RTO is, because I've seen a definition of an RTO, the definition, but no, actually figuring it out.

Jake Bernstein: Just for the audience, RTO means?

Erika Andresen: A recovery time objective. It actually helps you figure out what your critical operations are, so you're strategically investing in the right things to shore those things up.

Kip Boyle: And not just the stuff that somebody will sell you.

Erika Andresen: Right. No. I'll let somebody throw me the gray rhino the question.

Jake Bernstein: So gray rhino is not about grapes, is it?

Kip Boyle: No. Unless that's the new bottle of wine you just brought at home. Gray rhino.

Jake Bernstein: It could be. It could be. Okay. So tell us about this. So we're rethinking a challenge as an opportunity courtesy of the gray rhino issue. And I admit, I don't know what that is. So tell us.

Erika Andresen: So some people have heard of a black swan, which is one of those things that nobody expected, and it knocks us all on our butts. The gray rhino is the thing that everybody sees and they talk about, but they do nothing about. So they're like, "We don't have to worry about this right now. It's not a big deal." And it's-

Jake Bernstein: Denial.

Erika Andresen: It's part of denial. It's part of just not wanting to do the work. A good recent example is when the SEC 8-K filing for Microsoft came out in January, it revealed that they didn't actually protect their legacy products because they knew they should have done it, but they just didn't do it. And the result being that they had a cyber intrusion of their legal team's emails, their senior executive emails and their cyber team's emails. And it's like, oh, well. Because the thing about the gray rhino is, very, very aligned with cyber, it's not an if, it's a when.

Jake Bernstein: Interesting.

Erika Andresen: And a lot of people are like, "I don't want to do this." So you can talk about the elephant in the room. And the woman who wrote about the gray rhino, she talked about this too. So I'm not trying to make people think that I'm super brilliant and making these examples to myself, but she said, "The difference between the gray rhino and the elephant in the room, the elephant in the room is something that people ignore and they're not talking about. The gray rhino, people are talking about and they're ignoring it."

Jake Bernstein: Interesting. Okay, now, okay, so I really like that. So you've got black swan, which is, oh, who could have seen that coming?

Kip Boyle: For real. For real. Nobody saw it.

Jake Bernstein: For real. Nobody saw it, right? Yeah. Sorry.

Erika Andresen: Yeah.

Jake Bernstein: Yeah. Actual, nobody saw it coming. Gray rhino is, everybody sees it, they're talking about it and they just ignore it. And the elephant in the room is fricking obvious, impossible to miss, but nobody's talking about it and everyone's ignoring it for whatever reason. Those are three really useful.

Kip Boyle: Those poor, dark-colored animals. Why are we picking on them so much?

Jake Bernstein: The gray rhino is, it's the funny thing about the gray rhino is that that's the color of a rhino. That's probably the point, right? Is black swan-

Kip Boyle: Doesn't happen.

Jake Bernstein: That doesn't happen. But the gray rhino, all elephants are gray. I'm sorry, all elephants are gray, but all rhinos are also gray. I got my animals all messed up.

Erika Andresen: But rhinos are also peaceful type of animals too. It's only when they're provoking charging at you. So this is where I'm flipping it back to having an opportunity to be successful. So you can see the thing and either let it mow you down and be like, "Oh, I'm paralyzed by this. I don't know what I'm going to do. I'm just going to ignore it and hope it away. And that's never going to happen." Or you'd be like, oh, I'm going to meet this thing. I want to make it my friend, and I'm going to take this opportunity to see the challenge and be successful and find a way to, like I said, step into success, step into significance, step into full potential.

Jake Bernstein: So that's why the climate change and viticulture growing grapes for wine production, it's really more of a gray rhino issue.

Erika Andresen: Yes. Yeah.

Jake Bernstein: It's right there. Everyone's talking about it. You literally know it's going to charge, but it's hard.

Erika Andresen: Adulting is hard.

Jake Bernstein: Adulting is hard. Yeah.

Kip Boyle: It's so funny you use that phrase, because I have a couple of 22-year-old kids. They're not twins, they're step-siblings. And that's where I first heard this adulting thing was from them, right? Good old Gen Z giving us a new name for something that we already through.

Jake Bernstein: Oh, I think it's a millennialism.

Kip Boyle: You think so?

Jake Bernstein: Adulting is a millennialism. Absolutely.

Kip Boyle: Well see, I don't have a millennial, so why would I know that?

Jake Bernstein: No, no, no. It's definitely a millennialism.

Kip Boyle: Okay. All right. But I get that.

Jake Bernstein: Okay. Well, I think we have now hit the gray rhino issue, which I like that. That's super helpful.
And if you don't mind, Erika, if you wouldn't mind indulging me as we end this episode, we've talked about things that I think can muddy the waters for people when you talk about business continuity versus disaster recovery. And I think to some degree, everybody knows they're linked. I mean, I tend to see BCP/DRP extremely often, almost as if there's a single phrase and it's, oh, it's business continuity plan, disaster recovery plan. But they are different. Let me ask you this. In your opinion, is it helpful to think of them as different things or is one really a subset of the other, or what's your opinion on this? There's no right or wrong answer, I'm just curious.

Erika Andresen: The answer's yes. The answer's yes. One is a subset of the other, and they're both different and they're important. So disaster recovery is all about data. It's the technological aspect of business continuity along with cyber, where you're saving, it's part of a robust business continuity plan. So it falls under the umbrella of business continuity.

And unfortunately, that's where some people fail. So you have some MSPs who do IT and DR. And they're like, "Okay, now you're good. You've done business continuity." It's like, no, that's just the technical side. There's a whole other aspect. There's people, there's premises, there is procedures and processes that you're not thinking about that also need to be solved for. So DR falls under a very big, robust business continuity plan. It's an important thing to have, of course, because it's saving data, but it's strictly just about the data.

Jake Bernstein: Okay, that's really helpful. I think that's good terminology. Because we like to find terms, don't we, Kip? At least I do.

Kip Boyle: And I'm hanging out with you, so guess what? I like it too. Yeah.

Erika Andresen: Can I interject something that I know we missed in the script?

Kip Boyle: Please.

Erika Andresen: Because Kip was so excited to start. I know I'm a recurring guest, but I didn't actually get to talk about my background or who I am.

Kip Boyle: Well, okay.

Jake Bernstein: Don't worry. We'll put a link in the show notes to Erika's original appearance. But no, why don't you go ahead and do that since we did actually forget.

Kip Boyle: Definitely.

Erika Andresen: Okay. So Erika Andresen of EaaS Consulting, where EaaS stands for Erika as a Service. You get me and my expertise in business continuity and everything else. I'm also a professor of emergency management. I'm a veteran. I'm a recovering lawyer. I'm a published book author. I am in a lot of podcasts and media. I was just telling you all before the show that I'm in the current issue of Success Magazine with Tony Robinson on the cover. I have a two-page spread in that. I'll be teaching at MIT's Advanced Business Resiliency Course this summer. And I think that is it.

And at the end of the day, one of my New Year's resolution type things, it was also a shift in my mindset, which came along with this success, seeing a disruption also as a success and how business continuity helps with growth is I used to be very, I don't want to say jealous, but it would bother me that other people would be successful in continuity, because I'm concentrating in the small medium space, which is hard because I have to educate people about this first.

And I was like, you know what? I'm actually happy if other people do when I do succeed, because at the end of the day, I really just care about people being successful and communities being served by businesses staying alive and being an option for them, and people being employed and making money. So I don't care who gets it done, of course I'd prefer if I made money doing it, but at the end of the day, I'm just thrilled that businesses are learning something and doing something that they need to do. For not just their own bank account, but for their employees, for their clients, for [inaudible].

Kip Boyle: And not just for keeping the auditors away.

Erika Andresen: Right. Click that box. Please don't. Please don't.

Kip Boyle: Yeah. And honestly, Erika, that's the same reason why I'm in business, is because I think it's just completely wrong that people who own businesses, small beating businesses, and they're just trying to serve their customers, and then all of a sudden one day they get up in the morning and their entire business has been taken away from them by a ransomware attack. And I just think it's just wrong. It's just morally indefensible. There's a lot of purpose in my work to help organizations avoid that.

Erika Andresen: Well, the great thing is that it's preventable from multiple points. It's preventable from... Or it's reprehensible that has happened to the bad actor. But also, if you've done nothing to protect yourself, especially if you know about it, then it's on you.

Kip Boyle: Well, but then it comes back to the whole thing we talked about at the top of the hour, which is people aren't really interested in prevention. And so there's a lot of education and it has to be done. And that's entirely how I go to market is through this podcast and courses on LinkedIn Learning, courses on Udemy, public speaking, because I just think education is just a major component of helping people realize what you just said.

Jake Bernstein: Excellent. Well, Erika, one thing you did not add was how should people reach out to you or where could they go to find out more?

Erika Andresen: My website, it's www.eaasc.com. I've added, since the last time I talked to you, a Cosmo-style quiz where you could just see how resilient you are with mostly As, mostly Bs, mostly Cs. See how much of a rock star or how much into assistance you need for business continuity and just preparedness. And all my speaking engagements are on there. All the podcasts I've been on are linked off of there.

Kip Boyle: Cool. Excellent.

Erika Andresen: My book's there, all the stuff.

Kip Boyle: All right, well, thank you Erika for coming back and putting up with a little bit of rough water during the recording of this episode. But this is life and sometimes water is a little rough, but we're really glad you were here.

And that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about reframing resilience, both cyber resilience and business resilience in general through a more growth-oriented lens. And we're so glad Erika Andresen was here to help us do that. And Erika's a business continuity expert, her company is EaaS Consulting. Thanks for being here, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.