Preparing for the Unpredictable

There may be some elephants in the board room from time to time, but what about Black Swans or Gray Rhinos? Many of us might be ignoring the warnings of risks to our business from “corporate Cassandras” — named for the priestess in Greek mythology who was cursed to pronounce true prophecies, but never to be believed. By understanding how risks manifest themselves, organizations can improve their business continuity planning and, ultimately, their resiliency.

In his 2007 book, Nichola Nassim Taleb coined the term Black Swan, an unpredictable and rare event that creates a long-lasting impact. The internet itself and the 9/11 terrorist attacks are considered Black Swans. But calling an event a Black Swan can be a scapegoat or an excuse for failing to plan: “Oh we never imagined that would happen…no one saw that coming!”

Black Swan Sightings

If we can’t predict Black Swans, shouldn’t it be impossible to prepare for them? Quite the opposite. In fact, there are techniques organizations can use to identify and prepare for Black Swans. In IBM’s 109-year history, our crisis management structure and emergency planning process have helped the company meet our customers’ needs during major power outages, floods, tsunamis and terrorist attacks. Comprehensive Business Continuity Planning is essential for preparing for the unlikely, but disruptive, Black Swan. Organizations can:

  • Conduct “what if” analyses to consider impacts to business-critical areas of the organization. Those that have the highest potential impact should have contingency plans designed to mitigate their impact.
  • Stress-test systems and processes. Disrupter Analysis or Chaos Monkey testing is one way to identify the unpredictable.
  • Plan your communications ahead of time. You may not be able to control the situation, but you can control what and how you communicate about it. Identifying key stakeholders, distribution lists and draft communications ahead of time will help to keep focus on the event rather than your lack of preparedness.

Recently, experts have suggested that the U.S. electric power grid might be vulnerable to three potential Black Swans: solar flares, Electro Magnetic Pulses (EMPs) and cyber threats. But cyber threats against the power grid, or our organizations, can no longer be considered Black Swans. Rather, they are examples of Gray Rhinos, a term first introduced in 2013 by policy analyst Michele Wucker.

Gray Rhinos are Everywhere

Gray Rhinos are highly probable events with significant consequences that are headed right for us. They differ from the “elephant in the room” precisely because Rhinos are talked about. Gray Rhinos are often heralded by corporate Cassandras, the technologically savvy worry warts of the organization who are pointing out the charging Gray Rhinos. Acknowledging them can force us to get comfortable with uncertainty and take action. Otherwise, we risk being trampled.

Putting off going to the doctor for testing when you sense there might be something wrong is a personal Gray Rhino. Climate change, extreme weather and national disasters are examples of societal Gray Rhinos that can impact an organization’s business continuity posture. The known vulnerabilities associated with the Internet of Things is another example. How do we make sure our Gray Rhinos are not turning into elephants in the room?

Become a Rhino Spotter

Learn to recognize the Rhinos present in your environment today. Ask your team and yourself: “What is the big issue facing our organization today that will trample us unless we do something?” Then start by breaking long-term strategy into short-term actions:

  • Take 15 minutes each day to imagine what it would take to stay resilient.
  • Do the hard work in turning ideas into action and devise a solution.

If you do not feel you have the power to make change, become the Cassandra and share the Gray Rhino opportunity with someone who does have the power.

Think about the Future

Don’t waste a perfectly good crisis. Let this current pandemic be an opportunity to hop on that Gray Rhino’s back, listen to the Cassandras among us and use the crisis to better prepare for next time.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…