Sunday, September 27, 2009
Human Resiliency and the Navy Seals
A number of months ago a fishing boat containing four football players—two NFL and two college players--capsized off the coast of Miami. The boat turned over in heavy seas. Initially all four players clung to the side of the upside down boat waiting for rescue. After about three hours one of the NFL players told the others that he quit, and then took off his life vest, let go of the boat, and allowed the waves to carry him out to sea. Shortly afterwards the other NFL player did the exact same. Both had reached the end of their tether and simply gave up.
A third player held on until the next day, when he thought he saw a light in the distance and let go of the boat to swim to it. He was never seen again. The fourth player climbed on top of the boat and was rescued after two days at sea; hypothermic, but alive.
A friend of mine noted that the three hours that the NFL players held on is the approximate length of a football game. Perhaps this is most likely a coincidence, but it reminded me of a documentary I saw about the Navy Seals. Navy Seal training is by far the most difficult in the military. During Hell week they go for three straight days without any sleep at all, and then get two hours a night of sleep for the next four days. In between they are kept wet, cold, tired and constantly moving.
Navy Seal instructors have found that strength athletes, such as football players, are not the most likely to make it through the training. Endurance athletics do much better than strength athletes because Navy Seal training requires the ability to perform for long periods of time in miserable conditions. In fact, the Navy Seals often have a recruiting table at triathlons. Is it possible that football training developed a psychological resiliency duration of three hours among the NFL players?
A couple of years ago I heard a fascinating keynote address at the CPM conference by Dr. Maurice A. Ramirez, who talked about the importance of caring for the psychological needs of workers during an emergency. He ran the temporary hospital at the New Orleans airport after Katrina. As part of their operations they had a red phone that was solely used by staff to call their family or friends. Eventually some FEMA bureaucrat decided that the phone was against regulations and removed it. Productivity immediately fell.
Business continuity experts spend a great amount of time setting up the systems and procedures to continue operations during a business disruption, but less time is spent preparing for the psychological needs of the employees that will be put under tremendous pressure during a crisis. They often assume that employees will simply do as their told. But if your community is struck by a disaster, you will care for your family before your employer. Most of the police force in New Orleans disappeared after Katrina because they cared for their family before their civic duty.
Human resiliency is becoming a hot topic within business continuity, and hopefully we’ll see it given more attention in the future.
Last Week’s Quiz Question:
Undergraduate students who live a military lifestyle at Norwich are called “Cadets.” What are Cadets called when they first enter the university as freshman?
The answer is Rooks. Rooks walk in the gutter, navigating around upper classmen, when they first come to Norwich University until they are “recognized,” which normally comes around Thanksgiving of their first year.
The winner is Andrey N. Chernyaev. Congratulation Andrey!
This Week’s Quiz Question:
Name either of the two Vermont towns that is also the name of a foreign capital (Note: Moscow, Vermont is not a town, just a location).
The winner will receive a coveted Information Assurance Practitioner Beanie Baby.
Thursday, September 17, 2009
Culture and Crisis Management
In the last decade or so, as a consequence of a variety of unfortunate events, an amalgam of knowledge has been gathered about crisis management. Yet, the majority of organizations remain in the early stages of developing a comprehensive and interoperational preparedness and response plan. Currently, many organizations focus on security and resiliency with respect to infrastructure, operations and IT functionality. Certainly, this level of preparedness is essential to any plan, yet it is insufficient if it remains the primary focal point. All organizations should be as vigilant about the viability and availability of their workers as they are on IT, infrastructure security and other aspects of continuation of operations.
Each professional orientation and every workplace has a unique culture. Hospitals differ from retail establishments. Financial institutions are unlike manufacturing settings. And, while both are educational institutions, colleges are dissimilar from public schools. While this may seem a simplistic concept, it appears to go unnoticed when it comes to crisis planning. Cultures evolve over time and set the operational guidelines, interpersonal dynamics, beliefs systems and written and unwritten rules of conduct.
Nothing can disrupt a culture more than a crisis. Further, the response of an organization to a crisis may be dramatically influenced by its culture. To operationalize this, let’s look at a few critical questions: What are the services or products that are provided and to whom? What are the “customer expectations” of the organization? If a crisis occurs, do you shut the doors and all go home… as in the case of a restaurant or school? Or, is the expectation that “all hands remain on deck” as would be expected of a healthcare facility? Is the organization public or private? Is it for profit or non-profit? Does it have employees who have been there for decades or is it a revolving door of transitory workers searching for better employment? Has it had a previous history of critical events that have impacted its viability? Is it union or non-union? Demographically, is it made up of predominantly “babyboomers,” “gen xers,” “yers” or “zers?” How about the “genderization” of the workforce? There are a variety of other determinants that help to ascertain a cultural assessment and thus facilitate a determination as to how the culture is structured and thus how it may react to a crisis.
Crises, contracts and covenants
In addition to customer expectations, employee/employer expectations (written and unwritten rules) are critical components that may be severely tested during times of crisis. In, Why Do Employees Resist Change, Paul Strebel talks about 3 levels of “personal compact” between employees and employers:
Formal-
• basic tasks-
• job description
• Conditions of employment
• Salary, benefits, etc
Psychological- unwritten/unspoken
• Commitment
• Loyalty
• Effort
• Trust
Social- unwritten/unspoken
• Values matching
• Career development
• Promotions
• Conflict resolution
• Layoffs
• Risk sharing
People do not work just for monetary reward. After the formal level (contractual) has been established and satisfied people then look beyond to a deeper level of unwritten/unspoken expectations (covenants) between employee and employer that satisfy their sense of esteem and appreciation. This is the level where organizational resiliency lives and flourishes or withers and dies.
Last week’s Quiz Question:
Vermont has four seasons; summer, foliage, winter, and _________.
The answer is “Mud Season.” Vermont has many dirt roads, and they turn to muffler-sucking mud during the spring. A true Vermonter becomes an expert at navigating mud without getting stuck, assessing which lines to pick upon approaching different situations.
The winner is: Andrey N. Chernyaev. Congratulations Andrey.
This week’s Question:
Undergraduate students who live a military lifestyle at Norwich are called “Cadets.” What are Cadets called when they first enter the university as freshman?
Send answers to: jorlando@norwich.edu
The winner receives one free entry into the Dog River Run, and will get a chance to crawl and run through the dog river with Cadets carrying a stone before the first day of classes.
Monday, September 7, 2009
Ethical Issues in Penetration Testing
Imagine that you are charged with implementing and testing security policies at your organization. You know that most security breaches exploit employees who are lax in following security policies, and so you hire an outside agency to test if policies are being followed by employees. The agency uses the following tests.
Piggybacking: An operative wearing a suit and tie, and carrying a briefcase, stands at the front entrance to a corporation. He waits for an employee to unlock the door with his ID scan and follows him in.
Shoulder Surfing: An operative notices employees standing outside a door smoking on their break. He walks over and mills about looking over his shoulder as employees type the keypad code to reenter the building. With that information he lets himself in.
Computer Technician: Two operatives walk in to an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant tells says that “Mr. Smith did not tell me about this, and he’s on vacation and can’t be reached.” They reply that “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. It has all of the customer information on it. If it burns up because we were not allowed to work on it, somebody’s going to get into a lot of trouble. Are you sure that you didn’t forget the order?” The assistant nervously lets them in.
Bribery: An operative posing as a representative of another company approaches an employee outside of work and offers him $50,000 to get some memos concerning the company’s plans for a new product.
Are all of these forms of penetration testing ethically permissible? What do you think?
Last Week’s Question:
Until recently, Norwich University owned what other college in Vermont?
The answer is: Vermont College in Montpelier
The winner is Autumn Crossett. Congratulations Autumn!
This week’s Question:
Vermont has four seasons; summer, foliage, winter, and _________.
The winner receives two tickets and round trip airfare to the Information Assurance Hall of Fame, housed at an undisclosed underground bunker in the Appalachian Mountains.
Send your guesses to: jorlando@norwich.edu