
One of the more difficult tasks in developing a critical infrastructure protection / assurance program is selling the benefits to those who may not be educated in the area, but control the funds (or support) required to implement it. This challenge has increased dramatically during these last few months of economic free-fall.
To some of us, the benefits are intuitive and lie largely in what has been avoided. Like the old safety adage says, you never know the accident you have prevented. That's not entirely true for CI protection or emergency management.
If you suffer a large crisis event, it is readily apparent what the costs might have been if certain measures hadn't been taken beforehand. Your Return On Investment - ROI - becomes obvious. Unfortunately, you have to suffer the event in order to realize the results.
Nearly as good (or bad) is to witness a nearby crisis event, much like watching a neighbor's house burn and thanking your lucky stars that you have fire insurance: "What if that was me?" You really haven't proven or realized your ROI, but the reality has come perceptibly closer.
In both of the above cases, you (or someone close to you) have to suffer some catastrophic event for the value of the protection program to be seen. However, we also know that if we gamble, and get impacted before putting a program in place... well, it's too late. No investment, no return, only loss.
Unfortunately, it is too easy to explain away, or hide from, or ignore the risks and threats that face us. So the task is how to sell the program to those-who-decide or those-who-fund without having to face a disaster?
I remember back to my days of high school algebra and the proofs we had to develop. You have to remember this: if it is true for 'N' and it is true for 'N+1', then it must be true for all 'N' (induction). Can I apply this to an argument for CI protection? I think I can.
What, then, is 'N'? Consider the simplest of events, or at least one with less-than-catastrophic impacts, say localized flooding around a swollen creek. You can then run a quick analysis of either the cost saved by the application of a mitigation technique (ROI = potential damage - cost of program) or the cost of the damage less the cost of the technique (negative ROI, or lost potential). Many examples of such simple events can be found, and they should be chosen for their applicability to your jurisdiction or company.
N+1? Ratchet up the event and find a slightly more complex example. It should be a natural extension of the 'N' example. In this case, perhaps the flood, rather than resulting from mere intensive rainfall, involves a small failure of the flood control program based on a readily available mitigation program - either implemented or not. Run the same sort of ROI analysis as above. Now you have your N+1.
This obviously isn't algebra, and I wouldn't expect executives to roll over on just two small samples. However, displaying an increasing upward trend, in either ROI or cost of impact, against readily applicable events (or doable mitigation techniques) may serve to bring home the realities we face and dispel the "won't happen to us" mentality.
Photo by Mtellin. Creative Commons License Attribution 2.0 Generic