What will you do when your organisation is annihilated by a cyber-attack?
By Eh’den Biber, Sense of Awareness
A Sense of Death
A few years ago my best friend was sitting next to her dad’s bed. It was a cold winter night, and he was dying of stomach cancer. For more than six hours she sat there, alone, tortured by her dad’s excruciating pain and by the fact that she was unable to help him and did not know what to do. Late at night her dad took his last breath, and left this world. After he did, she called me, crying, telling me it was the most horrible experience she had ever had.
Death, the final frontier, has been a profound element in what we call “self-awareness”. All human cultures that we know of – both in current days and in the past – have and had death-related rituals. Death is as integrated in the fabric of our existence as life is, and our ability to acknowledge it is an indication of our evolutionary state.
The realisation of the notion of death is an evolutionary process. You first develop a sense of self (ego), and then you discover (or become “aware”) that this self is limited, that it must die at some point. The ego then depends on the information it receives, and on how it interprets that information, to devise a plan for handling that fact. That plan will be engraved in it and define many of its actions, consciously and subconsciously, becoming the young ego’s biggest challenge.
If the acknowledgement of death is an indication of self-awareness, organisations seem to be extremely infantile. Even the largest, biggest organisations – countries and multinationals – act like children who know death exists but refuse to embrace it. Open up an annual report of any company and I can assure you that while elements like profit, loss and risk will be covered, the notion that one day the organisation will cease to exist is never mentioned; it is a taboo.
The Corporate Clergy
Consultancy firms act like a religious clergy to organisations. Some people follow their rabbi/priest/imam, while big corporations follow the big four. Some people go to their clergy for advice, reassurance, and comfort in the bad times, and corporations do the same – they get consultancy, get audited for compliance, and get special advisory from their big four when things go bad.
Do you remember the days before the big four started to come to your board and tell them that information security breaches are a matter of when, rather than if? The same management who refused to listen to information security experts listened to consultancy firms. Why? Because suddenly everyone else around them got hacked, management of the organisations got scrutinised (or even worse, penalised), and they wanted to avoid that pain.
We, as humans, all know we will die at some point (unless you are Larry Ellison – love you Larry 🙂 ). Organisations, as explained above, don’t really have that understanding. It took YEARS for most organisations to become aware that their security fences will fall down eventually. It will take many years, perhaps decades, for organisations to start to accept that they are not immune from the big ripper. The lack of “awareness” of the simple truth of death when it comes to corporations is also one of the reasons why “awareness” training is not working. How can anyone train people in information security awareness when the possible consequences of the event are still a taboo?
There are countless examples of nations and companies that disappeared, or were taken over by other organisations. Silicon Valley and its replications all around the world are an example of a world in which companies are created and then invested in, in order to be taken over by larger organisations. When it doesn’t work, the start-up simply shuts down; when it does, it is swallowed. Death and technology are inseparable, because they are part of, and at the heart of, the evolutionary process. This is why net neutrality is important: it allows smaller technology organisms a better chance of survival. Without it, evolution is being tampered with and technology becomes just an accelerator of death.
While everyone talks about building companies and using the latest technology to grow, barely anyone talks about the fact that all technologies are fragile. Organisations are organisms that use multiple types of resources (human, physical, intellectual, technological) – all of them are fragile, and their fragility creates an emerging property of new types of fragility. We have a human body which is fragile and has an expiry date, and so do organisations. On top of that, decisions taken by an organism can be fatal to its lifespan: jump in front of a train and you might kill yourself; nominate the wrong people to the leadership position, or assume your latest cyber-protection technology will protect you, and you end up with all your intellectual property being sucked out by a third party, or even see your technology used against you. All technology will fail at some point – either by inner failure or by an outer force that will make it fail.
In nature, when a hyena eats an antelope, it uses the antelope’s resources in order to sustain itself. In the technology world, a nation state will steal intellectual property that was developed by companies in other countries in order to sustain itself as a country.
The DR Delusion
Organisations are pretty smart – so they think. Any respectable organisation has a DR site and a DR plan, and all of them (sort of) fully practise it periodically (sort of) to make sure they can recover in case of a serious, catastrophic event. Great idea, with one small problem – if your DR solution relies on the same technologies that you rely on for your production environment, which are, as explained above, vulnerable, why do you think your DR solution will be more effective in withstanding a technology breach such as a cyber-attack? Did you ever threat-evaluate it? If you have the same technology which is being used every day, why do you think it will not be compromised again, or used against you?
Some believe in backups. What good were backups for Target, or the NSA? A DR plan for information leakage is non-existent, unless of course you have a time machine.
I will say it again – the only solution for data leakage is a time machine. If you have one, you’re covered. If not, and the data leaked can destroy you, it is not a matter of “if” it will be leaked, it’s a matter of “when” it will be leaked. If you have nothing to hide, fine. Until now we have seen via WikiLeaks that everyone hides from others, and lies.
There is nothing new under the sun…
Book of the Dead
Let’s assume an organisation – from a start-up to a multinational or a country – has realised that it has a limited lifespan. What’s next? As I said before, religions talk about the afterlife and make multiple promises, and I’m sure consulting companies will do the same. However, there is one book, written about 1200 years ago, that gives a clue to how to handle and bypass this stage.
The 1927 publication of “The Tibetan book of the dead” exposed Western civilisation to a guide that was written in the 8th century. This book, which was translated and published thanks to the work of W.Y. Evans-Wentz, is attributed to Padmasambhava (the Lotus Born). This mystical figure, who was known as Guru Rinpoche, converted the Tibetan kingdom, which was a military empire, to Buddhism.
What is so special about the book of the dead? In the preface to the second edition of his book Evans-Wentz wrote: “The art of dying is quite as important as the art of living (or of coming to birth), of which it is the complement and summation … In the west, where the art of dying is little known and rarely practiced, there is, contrastingly, the common unwillingness to die, which as the Bardo Ritual suggests, produces unfavourable results.”
The Tibetan book of the dead is unique because it gives a person the power to look at death and, instead of fearing it, know that he can continue with his life with an understanding that the cycle of life one is experiencing is just one of many. Instead of seeing life “ending”, one learns to embrace the endlessness of consciousness. The thing is – almost all of us have experienced it on a smaller scale: how many of us have changed jobs in our lives? How many of us have changed the companies we worked for? How many of us have changed the city or the country in which we live? How many of us have changed partners? Regardless of how hard it sometimes seems, when one thing ends, another begins.
There are two types of cells in the body that do not constantly regenerate – neurons, and cancer cells. The neurons allow self-awareness to grow and provide a possibility of true awareness; cancer cells have no visibility of the body’s state, and their own growth kills the organism they rely on. When an organisation doesn’t care about the environment, or is totally consumed with its own growth, it is bringing upon itself its own death.
Organisations dominate our reality. We are all part of them. Only after we, as individuals, start to embrace our own death and see the continuity in everything will there be a shift within organisations. Change always, ALWAYS comes from within.
Be the change, embrace your own death, and start living in the now.
© All rights reserved 2015.