The Hedgehog and the Fox

Подробнее о видео

The Hedgehog and the Fox E059
A Bit of Security for March 10, 2025
Isaiah Berlin wrote “The Hedgehog and the Fox” in 1953. The title comes from a fragment of Greek poetry, which reads, “A fox knows many things, but a hedgehog knows one big thing.” He then goes on to classify major thinkers as hedgehogs or foxes. Freud was a hedgehog, as was Marx (sex or money). Dostoyevsky was a fox. But Tolstoy? He was a fox who believed in being a hedgehog.
When the IT guys in London developed BS7799, they argued whether business continuity should even be on the list. They decided it should, because the job doesn’t stop even after a breach. Simply returning to the way things were before isn’t enough – you have recreated the same set of weaknesses that took you down the first time.
As you make your business continuity plan, look at the impact of an outage on your constituencies. This is why BC is so much harder for governments. If you are running a business in New Jersey and there is a fire, you can move to Pennsylvania. You may have to hire new people, build a new building, adjust some borrowing, but you can make the transition. But if you are New Jersey, and there is a fire, you must fix it while preserving essential services for your citizens.
The idea of constituencies is crucial. You ask “Who cares if the business isn’t working? How do they care?” Employees care about their paychecks; investors care about their investment, customers care about their orders, and so on. Your continuity of operations plan comes down to meeting the needs of those constituencies as efficiently as possible while rebuilding the enterprise. If the payroll system is down, give your employees whatever they got in the last pay cycle, and when things get back to normal, make up any bonuses etc. later. Each business must run through the exercise itself. I worked with a large auto manufacturer some time ago. Their business continuity plan prioritized accounts payable. You might think that accounts receivable would be top, but this company realized something. Would you go to Tijuana to buy an ashtray? They did – and if their supplier of ashtrays were out of business, then they could not build any more cars. Making sure they could pay their suppliers was a top priority.
For a business, there are just four goals: Build and sustain revenue, profit, your customer base, and your environment. Failing those your business will collapse. Recent events show us that business leaders can make a lot of mistakes and still keep going, at least for a while. But running a country is much more complex than merely turning a profit. A strong government builds and sustains the population, builds and sustains the environment, builds and sustains the infrastructure, and builds and sustains trade and peaceful relationships with other nations. This is much more difficult, because other nations may have different agendas.
A weak political leader may try to break a government up into separate businesses, because with a simple mandate for each business it becomes an easier problem to solve. This always fails because the overall goals of the country are far broader than the narrow one-dimensional metrics assigned to a company.
When you develop a business continuity plan, the largest danger is you overlook the broader impacts of an outage on key constituents. When you try to develop a continuity of operations plan for a government, you quickly realize that each person has a set of goals, and you need to correlate those while dealing with the scope of the outage optimally.
You cannot get stuck on one goal. The fox must prevail over our hedgehog instincts. “What if we just give each resident some money and let them fend for themselves?” is dangerous nonsense. Many constituents cannot fend for themselves – children, the elderly, the infirm. Will fire services auction respond to calls? Will justice go to the highest bidder? Fairness is harder to govern than one-dimensional metrics like revenue. Any enterprise facing challenges to the continuity of its operations must avoid the false simplification of abandoning its core values simply to accommodate weak-minded, emotionally stunted leaders. The fox knows much more than the hedgehog ever will.
This talk is entirely about business continuity.
The Hedgehog and the Fox E059 - A Bit of Security for March 10, 2025
How complicated is business continuity? It depends on what your idea of a successful recovery is. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #DR #BCP #continuity #continuousoperations #BitofSec