Resilience is a Mindset
When the trains stop running, or your car breaks down, or your flight is cancelled, you experience how resilient you are. If you are in an unexpected situation with other people—as I was yesterday when the trains here in Copenhagen stopped—you get to watch resilience in action.
Some people calmly make other plans. Others are overwhelmed and whining. The situation is the same, but the mindset is different.
Tell yourself now that next time you are in an unexpected and challenging situation, you will notice how you react. Setting up this behavior in advance makes it more likely that you are able to reflect on the situation while you are in it. Once you have the awareness, you can also change your reaction if it is not helpful.
How Many People are Indispensable?
How many people are indispensable in your IT organization (you included)? The right answer is zero. The typical answer is in single digits. It is your job as an IT leader to bring this number down.
People become indispensable automatically as you try to reduce headcount. Just as optimizing your supply chain makes it brittle and prone to disruption, cutting headcount to the bare minimum risks chaos when a key person leaves or is hit by a health or family issue.
There should be two people who can handle every important job. Make these buddy teams explicit and allocate a budget for them. It costs you very little to give each two-person team an allowance for a restaurant meal every two months and to let them attend a conference or event together once a year.
Do you have a list of your key people, the jobs they do, and who could take over? If you don’t, it might be a good idea to start one.
Backup Communication Channels
What is the difference between 30 individual soldiers and a platoon? Leadership and the ability to communicate.
The first step in your resilience planning is to ensure that you can still communicate, even when faced with an onslaught of Russian hackers or American government officials.
That could mean an on-premises open-source mail server and a basic web server. Every workstation and company smartphone could have a separate open-source mail client and web browser preconfigured for those servers.
There are many other options – the paranoid and those with high threat levels might have spare phones running GrapheneOS and Briar, or even establish their own Meshtastic mesh network.
If you don’t have a backup communication channel, you urgently need to establish one, especially if you are outside the U.S. and depend on U.S. services.
Denmark is Dangerously Unprepared – Are You?
Denmark is not prepared for IT disasters and attacks. The state auditors chose 13 of the approximately 4,200 public IT systems and examined their recovery plans and procedures. A few were fairly well prepared, most were not, and one system was completely unprepared for anything to go wrong.
None of the recovery plans were adequately tested, and five systems had not tested their recovery plan at all in the last three years. For outsourced systems, half of the contracts did not require testing the recovery plan (!).
But at least the Danish state has an office that examines these things and issues a report. Who is responsible for evaluating the disaster recovery plans for critical systems in your organization? You cannot leave that to the individual system owners.
