At UKFast we are firm believers that putting yourself out of your ‘comfort zone’ is essential to team and personal development. We are a company peopled by innovative, dynamic and passionate individuals who are constantly looking for challenges.
For several years now the company has actively run team building and leadership exercises in Snowdonia with a view to testing each other in a very different environment from the sterile environment of our datacentres and support operations. Exercising our problem solving abilities in a novel environment ensures that our business approach does not become ‘blinkered’ or dictated by the norm.
This has ensured that our flexible, supportive and innovative approaches to service provision have remained at the forefront of our market sector and that we continue to build our team with a similar mindset. It matters not whether it is a multi-datacentre, high resilience, business continuity solution or a raft to cross a lake in Wales that must be engineered – all are approached with the same drive, determination and ‘swept-up’ approach.
Of course, conducting such activities does not come without potential risk. Wales, as most of us know, can turn from a beautiful, sunny playground to a miserable, cold quagmire in an instant; one minute you can practically see Ireland from the peak of Snowdon, the next you are lucky if you can see your own hand.
In concert with a number of types of challenging terrain this can make for an environment in which a simple stumble in the wrong place, at the wrong time, could prove life threatening. So why on earth would UKFast place their dearly loved employees in such potential jeopardy?
For 2 reasons:
1. Because the benefits of such activities to individuals, teams and the company are vast – in health, shared experiences, team building and exercising both mental and physical commitment and robustness, through calm but decisive command and control.
2. Because UKFast is a risk aware organisation, not a risk averse organisation.
The correlations and similarities between undertaking such ‘outbound’ activities and ensuring information security are startling:
1. Business benefits to employees and clients alike.
2. Confidence building activities for both employees and clients.
3. Improved communication both internally and externally.
4. Continued capability development through continuous monitoring of results – making weaknesses into strengths.
5. Continuously assessing hazards and threats and putting in place controls to minimize the likelihood of such events and/or reduce the impact of such events occurring.
It is perhaps the last point that stands out, largely because it is the subject that makes most companies averse to outbound activity and information security – the dreaded risk assessment!
If you are a member of such an organisation it is at this point that you will mentally switch off or navigate elsewhere. If so, you will miss the realisation that such threat assessment is not something to roll your eyes at or run and hide from, but a business enhancing tool that justifies and aids the development of plans and the making of decisions, and produces greater efficiencies.
The methodology employed matters little, so long as the product of such an assessment is effective.
For example, let us take a single hazard that may affect our team climbing a mountain in North Wales – a cold weather injury.
There is the very real risk that in the process of trekking in Snowdonia an unprepared and unfit individual could fall foul of hypothermia, especially if they pick up an injury or are caught in sudden, inclement weather (not unlikely in Snowdonia).
We assess the risk of such a hazard by looking at the ‘likelihood’ of such an event occurring in conjunction with the ‘impact’ of such a situation and measure this against any existing controls that we may have. We then consider whether the controls in place for this level of risk are acceptable or not.
If they are not then we seek to reduce the ‘likelihood’ by adding controls that will reduce the chance of such an incident occurring (e.g. training on the correct clothing to wear on the hills and the importance of the ‘layers’ principle) and / or by adding controls that will reduce the ‘impact’ of such an event occurring (e.g. the carrying of a Safety Pack containing additional warm clothing, a shelter and a stove and training on treating individuals with a cold weather injury).
This approach aids in developing assured plans in relation to assessed risk, providing the confidence to undertake such activities without restricting the benefits of such training.
Exactly the same approach should be employed in ensuring Information Security. An example may be the loss of service to business-critical data that would affect business availability.
We assess likelihood in conjunction with impact against the existing controls in place (if any) and decide whether this level of risk is acceptable. If not, we must reduce the risk by:
1. Employing controls to stop such data loss occurring (likelihood), e.g.
a. Employing physical access controls to such data.
b. Controlling access logically to such data (e.g. passwords).
c. Employing redundant and back-up services and utilities.
d. Partnering with an organisation with suitable controls in place and the ability to offer such technologies and services.
2. Employing controls to deal with such data loss occurring (impact), e.g.
a. The use of RAID in servers.
b. The use of a replication technology.
c. The use of multiple datacentre solutions.
d. Again, partnering with an organisation with suitable controls in place and the ability to offer such technologies and services.
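The assessment described above can be worked through as a small risk register. This is an added example, not part of the original article: the 1-5 scales, the acceptance threshold, the per-control reductions and the greedy selection order are all assumptions chosen for illustration, since the article prescribes no scoring scheme.

```python
from dataclasses import dataclass

ACCEPTABLE_SCORE = 6  # assumed risk appetite on a 5x5 (likelihood x impact) matrix

@dataclass(frozen=True)
class Control:
    name: str
    axis: str        # "likelihood" or "impact"
    reduction: int   # constructed value: points removed from that axis

def score(likelihood, impact):
    return likelihood * impact

def residual(likelihood, impact, controls):
    """Apply each control to its own axis; neither axis drops below 1."""
    for c in controls:
        if c.axis == "likelihood":
            likelihood = max(1, likelihood - c.reduction)
        elif c.axis == "impact":
            impact = max(1, impact - c.reduction)
        else:
            raise ValueError(f"unknown axis: {c.axis}")
    return likelihood, impact

def treat(likelihood, impact, existing, candidates):
    """Add the control that lowers the score most, until the risk is acceptable."""
    applied, remaining, added = list(existing), list(candidates), []
    current = score(*residual(likelihood, impact, applied))
    while remaining and current > ACCEPTABLE_SCORE:
        best = min(remaining,
                   key=lambda c: score(*residual(likelihood, impact, applied + [c])))
        remaining.remove(best)
        applied.append(best)
        added.append(best.name)
        current = score(*residual(likelihood, impact, applied))
    return added, current, current <= ACCEPTABLE_SCORE

# Constructed register entry: loss of service to business-critical data.
INHERENT = (4, 5)  # assumed likelihood and impact before any controls
EXISTING = [Control("Logical access control (passwords)", "likelihood", 1)]
CANDIDATES = [
    Control("Physical access controls", "likelihood", 1),
    Control("Redundant and back-up services", "likelihood", 1),
    Control("RAID in servers", "impact", 1),
    Control("Replication technology", "impact", 1),
    Control("Multiple datacentre solution", "impact", 2),
]

if __name__ == "__main__":
    print("inherent:", score(*INHERENT))
    print("with existing controls:", score(*residual(*INHERENT, EXISTING)))
    print("treatment:", treat(*INHERENT, EXISTING, CANDIDATES))
```

If the candidate list runs out before the score reaches the threshold, `treat` returns `False` as its last element, which is the cue to look for further controls or to accept the risk explicitly.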
Continually employing such an approach as part of an Information Security Management System (ISMS) ensures that we remain risk aware but don’t let such risks constrain our evolution, innovations and actions as a business.