Failure is not an option: A case for human-centric corporate resiliency.

Security Lock icon

I’ve been fascinated by the story of Apollo 13 since I saw the movie as an impressionable and space-obsessed five year old. On April 13, 1970 an explosion occurred aboard a spacecraft which was carrying three American astronauts, among them the men expected to be the fifth and sixth humans to walk on the surface of the moon. In a matter of seconds, a manufacturing defect in an electrical cable changed the goal of the mission from the aspirational motto of “Ex Luna Scientia” (latin for “from the moon, knowledge”) to a much more concrete “survive.” Over the ensuing days, thousands of contractors, scientists, and technicians combined to coerce systems to perform functions for which they were never designed. Creative thinking, knowledge and problem-solving conspired to bring all 3 astronauts on the stricken vessel safely back to earth (cue the rousing James Horner orchestrals). Victory was snatched from the jaws of defeat.

In short: the entire agency had to pivot into resiliency mode on a dime. For most humans in the United States, the past 3 years have been the most tumultuous period in our lives. Every single one of us has had to find ways to muddle through and balance work, pandemic, childcare and remote-school, civil unrest, inflation, and other more personal struggles all at once. Plus, after my 5th zoom call of the day, I often literally felt like I was floating off in my own little capsule with minimal access to a larger outside world; especially not without the proper protective gear.

Many of us found ourselves having to practice mental and physical resiliency on a near daily basis.

Yes, businesses were also focused on resiliency but, seemingly not on an existential level at scale.  Systems put in place to protect businesses helped. PPP loans and other assistance made it easier to absorb lower revenue. For some businesses there were significant gains. Unfortunately, those gains weren’t sustainable and now, it seems,  the worm has turned. Just as many of us are emerging from personal “fight, flight or freeze” mode, big business is diving into resiliency head-first.

Large-scale employee departures represent risk to data in two flavors:

Direct threats to data posed by departures:

Sabotage: Disgruntled employees will do things that the business would prefer they didn’t. I’m sure I’m not alone in having worked with an organization where an employee completely wiped their corporate device on the way out the door; erasing years of work in moments.

Human Error: Regardless of the intentions of the departing employee, not everyone follows policy. Even those who do follow policy don’t do it 100% of the time. People find shortcuts and will work in the ways they see fit whenever possible. An organizations’ “store everything on network storage” policy is only as effective as the employee’s workflow and willingness to comply. Plus, if you follow best practices and remove access in-concert-with or prior-to announcing a reduction in force anything which hadn’t been round-tripped prior to cutting off access is effectively gone.

Sharing Issues: Sometimes shared files can cause ownership/permissions issues. A cloud collaboration file is all fun and games until “REALLY_IMPORTANT_PRODUCT_DEMO_FILE” which someone created and maintained for years as a team resource gets deleted because it was in a personal network store.

Indirect threats to data posed by departures:

Burnout: Fewer team members means either a reduction in the scope of work/product offerings of the business or, the expectation of remaining employees to do more with fewer resources. I have yet to meet a business which could meaningfully say no to existing revenue so, we’re likely looking at option b. This expectation to do more leads one of two directions, neither of which are pretty: cutting corners or burnout. Both introduce their own (similar) risks to your company’s data. Cutting corners can lead to bad data hygiene or security practices (sharing a link you shouldn’t or not anonymizing customer data prior to attaching a file to an email). Burnout leads to additional concerns including the specter of quitting (leading to further staff overwork), “quiet quitting” or lack-of-engagement which can rise to the level of unintentional sabotage if not recognized and dealt with compassionately. 

Morale: Fear is not a good motivator; at the very least not for everyone. Following a reduction in force, there will be both logical AND counter-productive reactions on the part of those who remain as part of the organization. This will paradoxically result in an increase in policy compliance by some and wanton abandonment by others. Make sure you have systems in place to fall back on when humans react entirely like humans.

What you can do:

Ok, that’s enough doom and gloom. What can be done? Addressing all of these risks to data is possible both in this season and on a continuing basis. Here are a few recommendations for how:

  • The single best way across the board is to make sure you’re taking good care of your employees up-to-and-following any potential reduction in force. It’s both the right thing to do for the employee and will lead to fewer negative impacts on the business because people won’t be as pissed/hurt. If you treat humans well, they are less likely to attempt to intentionally hurt you. For some reason this is often forgotten.
  • Build out systems and processes which balance the way that human beings like to work against the needs of the business. Too often, policies expect humans to act as machines and modify behavior or processes which have been engrained over the course of decades-long careers. Building systems which meet compliance requirements but shift responsibility for things like data integrity from the risk-owners (e.g. Security or IT) onto individual users is a recipe for a well-covered rear end on the part of the risk-owner but doesn’t necessarily lead to less risk for the business.
  • If you haven’t done so yet, put formal business continuity and disaster recovery plans in place. They will help you proactively plan for the health of your business and reactively respond to any issues which will arise respectively. Examples of policies to add to your BCP to address concern about human error or burnout are cross-training and enforced minimum time-off. These policies offer strategies to ensure that a) people are taking time away for their own rest and relaxation and b) your business has the ability to absorb the temporary absence of certain resources. On the DRP side, do you have systems in place to protect your data in situations of ransom, accidental (or malicious) deletion, and hardware failure? Additionally, do you have documented recovery time and recovery point objectives?
  • The last thing, which I would be remiss in not bringing up, is to make sure you have a strong fallback plan for what happens WHEN data is impacted. Are you regularly backing up data which might not make it to the cloud but is instead stored on the laptops and desktops that your users leverage daily?

To bring everything back around: the Apollo 13 mission would not have been the qualified success it was if not for the astronauts’ ability to leverage the Lunar Module (a secondary spacecraft attached to the primary) as a lifeboat. That was the linchpin. The built in resiliency (both intentional and opportunistic) allowed the organization time to execute on a plan to survive. Nasa also got pretty lucky. If things had been even marginally different, they would not have been successful and the message of Apollo 13 would be quite different. Now, in the face of so much uncertainty, is a wonderful time for your organization to intentionally, systematically, and humanely plan a more resilient future. The best time to start was yesterday; the second best time is today.

Reach out if I or CrashPlan can help in any way.