Podcasts about business continuity management

Prevention and recovery from threats that might affect a company

  • 41 podcasts
  • 163 episodes
  • 44m average duration
  • 1 new episode monthly
  • Latest: Jun 10, 2025




Latest podcast episodes about business continuity management

Unstoppable Mindset
Episode 343 – Unstoppable Business Continuity Management Leader with Alex Fullick

Jun 10, 2025 · 67:22


Who knows the meaning of the term “Business Continuity management” without looking it up? Our guest this week, Alex Fullick, is intimately familiar with the term and its ramifications. I first met Alex when we were connected as participants in a conference in London this past October sponsored by Business Continuity International. The people involved with “Business Continuity management” were described to me as the “what if people”. They are the people no one pays attention to, but who plan for emergency and unexpected situations and events that especially can cause interruptions with the flow or continuity of business. Of course, everyone wants the services of the business continuity experts once something unforeseen or horrific occurs. Alex was assigned to introduce me at the conference. Since the conference I have even had the pleasure to appear on his podcast and now, he agreed to reciprocate.

Our conversation covers many topics related to emergencies, business continuity and the mindsets people really have concerning business flow and even fear. Needless to say, this topic interests me since I directly participated in the greatest business interruption event we have faced in the world, the terrorist attacks on September 11, 2001.

Alex freely discusses fear, emergency planning and how we all can improve our chances of dealing with any kind of emergency, personal or business related, by developing the proper mindset. He points out how so often people may well plan for emergencies at work and sometimes they even take the step of developing their own business continuity mindset, but they rarely do the same for their personal lives.

Alex is the author of eight books on the subject and he now is working on book 9. You can learn more about them in our podcast show notes. I think you will gain a lot of insight from what Alex has to say and I hope his thoughts and comments will help you as you think more now about the whole idea of business continuity.
About the Guest:

Alex Fullick has been working in the Business Continuity Management, Disaster Recovery, and Operational Resilience industries as a consultant/contractor for just over 28 years. Alex is also the founder and Managing Director of StoneRoad, a consulting and training firm specializing in BCM and Resilience and is the author of eight books…and working on number nine.

He has numerous industry certifications and has presented at prestigious conferences around the globe including Manila, Seoul, Bucharest, Brisbane, Toronto, and London (to name a few). In July of 2017 he created the highly successful and top-rated podcast focusing on Business Continuity and Resilience ‘Preparing for the Unexpected’. The show aims to touch on any subject that directly or indirectly touches on the world of disasters, crises, well-being, continuity management, and resilience. The first of its kind in the BCM and Resilience world, it is still going strong after thirty plus seasons, reaching an audience around the globe. Alex was born in England but now calls the city of Guelph, Ontario, Canada, his home.

Ways to connect with Alex:

www.linkedin.com/in/alex-fullick-826a694

About the Host:

Michael Hingson is a New York Times best-selling author, international lecturer, and Chief Vision Officer for accessiBe. Michael, blind since birth, survived the 9/11 attacks with the help of his guide dog Roselle. This story is the subject of his best-selling book, Thunder Dog.

Michael gives over 100 presentations around the world each year speaking to influential groups such as Exxon Mobil, AT&T, Federal Express, Scripps College, Rutgers University, Children's Hospital, and the American Red Cross just to name a few. He is Ambassador for the National Braille Literacy Campaign for the National Federation of the Blind and also serves as Ambassador for the American Humane Association's 2012 Hero Dog Awards.
https://michaelhingson.com
https://www.facebook.com/michael.hingson.author.speaker/
https://twitter.com/mhingson
https://www.youtube.com/user/mhingson
https://www.linkedin.com/in/michaelhingson/

accessiBe Links
https://accessibe.com/
https://www.youtube.com/c/accessiBe
https://www.linkedin.com/company/accessibe/mycompany/
https://www.facebook.com/accessibe/

Transcription Notes:

Michael Hingson 00:00
Access Cast and accessiBe Initiative presents Unstoppable Mindset. The podcast where inclusion, diversity and the unexpected meet. Hi, I'm Michael Hingson, Chief Vision Officer for accessiBe and the author of the number one New York Times bestselling book, Thunder Dog, the story of a blind man, his guide dog and the triumph of trust. Thanks for joining me on my podcast as we explore our own blinding fears of inclusion unacceptance and our resistance to change. We will discover the idea that no matter the situation, or the people we encounter, our own fears, and prejudices often are our strongest barriers to moving forward.
The unstoppable mindset podcast is sponsored by accessiBe, that's a c c e s s i capital B e. Visit www.accessibe.com to learn how you can make your website accessible for persons with disabilities. And to help make the internet fully inclusive by the year 2025. Glad you dropped by we're happy to meet you and to have you here with us.

Michael Hingson 01:21
Well, hello, everyone, wherever you happen to be, welcome to another episode of unstoppable mindset where inclusion, diversity and the unexpected meet and unexpected is anything that has nothing to do with inclusion or diversity. As I've said many times today, our guest is someone I got to meet last year, and we'll talk about that. His name is Alex Fullick, and Alex and I met because we both attended a conference in London in October about business continuity. And I'm going to let Alex define that and describe what that is all about. But Alex introduced me at the conference, and among other things, I convinced him that he had to come on unstoppable mindset. And so we get to do that today. He says he's nervous. So you know, all I gotta say is just keep staring at your screens and your speakers and and just keep him nervous. Keep him on edge. Alex, welcome to unstoppable mindset. We're really glad you're

Alex Fullick 02:19
here. Thanks, Michael. I really appreciate the invite, and I'm glad to be here today. And yeah, a little nervous, because usually it's me on the other side of the microphone interviewing people. So I don't fit in this chair too often

Michael Hingson 02:33
I've been there and done that as I recall, yes,

Alex Fullick 02:37
yes, you were a guest of mine. Oh, I guess when did we do that show? A month and a half, two months ago? Or something, at least,

Michael Hingson 02:45
I forget, yeah. And I said the only charge for me coming on your podcast was you had to come on this one. So there you go. Here I am.
Yeah, several people ask me, Is there a charge for coming on your podcast? And I have just never done that. I've never felt that I should charge somebody to come on the podcast, other than we do have the one rule, which is, you gotta have fun. If you can't have fun, then there's no sense being on the podcast. So, you know, that works out. Well, tell us about the early Alex, growing up and, you know, all that sort of stuff, so that people get to know you a little bit.

Alex Fullick 03:16
Oh, the early Alex, sure. The early Alex, okay, well, a lot of people don't know I was actually born in England myself, uh, Farnham, Surrey, southwest of London, so until I was about eight, and then we came to Canada. Grew up in Thunder Bay, Northwestern Ontario, and then moved to the Greater Toronto Area, and I've lived all around here, north of the city, right downtown in the city, and now I live an hour west of it, in a city called Guelph. So that's how I got here. Younger me was typical, I guess, nothing

Michael Hingson 03:56
special. Went to school, high school and all that sort of stuff. Yeah, yeah, no.

Alex Fullick 04:02
Brainiac. I was working my first job was in hospitality, and I thought that's where I was going to be for a long time, because I worked my way up to I did all the positions, kitchen manager, Assistant Manager, cooks, bartender, server, did everything in there was even a company trainer at one point for a restaurant chain, and then did some general managing. But I got to a point where computers were going to start coming in to the industry, and I thought, well, I guess I should learn how to use these things, shouldn't I? And I went to school, learned how to use them, basic using, I'm not talking about building computers and networks and things like that, just the user side of things. And that was, did that for six months, and then I thought I was going back into the industry. And no fate had. Something different for me. What happened?
Well, my best friend, who is still my best friend, 30 years later, he was working for a large financial institution, and he said, Hey, we need some help on this big program to build some call trees. When you're finished, he goes, get your foot in the door, and you could find something else within the bank. So I went, Okay, fine. Well, they called the position business recovery planner, and I knew absolutely nothing about business recovery or business continuity. Not a single thing. I'd never even heard the term yeah and but for some reason, I just took to it. I don't know what it was at the time, but I just went, this is kind of neat. And I think it was the fact that I was learning something different, you know, I wasn't memorizing a recipe for Alfredo sauce or something like that, you know, it was completely different. And I was meeting and working with people at every level, sitting in meetings with senior vice presidents and CEOs and giving them updates, and, you know, a data analyst, data entry clerk, and just talking. And I went, This is so much fun, you know, and that's I've been doing that now for over 28 years.

Michael Hingson 06:14
Well, I I had not really heard much of the term business continuity, although I understand emergency preparedness and such things, because I did that, of course, going into the World Trade Center, and I did it for, well, partly to be prepared for an emergency, but also partly because I was a leader of an office, and I felt that I needed to know what to do if there were ever an emergency, and how to behave, because I couldn't necessarily rely on other people, and also, in reality, I might even be the only person in the office. So it was a survival issue to a degree, but I learned what to do.
And of course, we know the history of September 11 and me and all that, but the reality is that what I realized many years later was that the knowledge that I learned and gained that helped me on September 11 really created a mindset that allowed me to be able to function and not be as I put it to people blinded or paralyzed by fear, the fear was there. I would be dumb to say I wasn't concerned, but the fear helped me focus, as opposed to being something that overwhelmed and completely blocked me from being capable and being able to function. So I know what you're saying. Well, what exactly is business continuity?

Alex Fullick 07:44
You know, there are people who are going to watch this and listen and they're going to want me to give a really perfect definition, but depending on the organization, depending on leadership, depending on the guiding industry organization out there, business continuity, Institute, Disaster Recovery Institute, ISO NIST and so many other groups out there. I'm not going to quote any of them as a definition, because if I if I say one the others, are going to be mad at me, yell at you, yeah, yeah. Or if I quote it wrong, they'll get mad at me. So I'm going to explain it the way I usually do it to people when I'm talking in the dog park, yeah, when they ask what I'm doing, I'll say Business Continuity Management is, how do you keep your business going? What do you need? Who do you need the resources when you've been hit by an event and and with the least impact to your customers and your delivery of services, yeah, and it's simple, they all get it. They all understand it. So if anyone doesn't like that, please feel free send me an email. I can hit the delete key just as fast as you can write it. So you know, but that's what a lot of people understand, and that's really what business continuity management is, right from the very beginning when you identify something, all the way to why we made it through, we're done. The incident's over.

Michael Hingson 09:16
Both worked with at the Business Continuity international hybrid convention in October was Sergio Garcia, who kind of coordinated things. And I think it was he who I asked, what, what is it that you do? What's the purpose of all of the people getting together and having this conference? And he said, I think it was he who said it not you, that the the best way to think about it is that the people who go to this conference are the what if people, they're the ones who have to think about having an event, and what happens if there's an event, and how do you deal with it? But so the what if people, they're the people that nobody ever pays any attention to until such time as there is something that happens, and then they're in high demand.

Alex Fullick 10:03
Yeah, that that's especially that being ignored part until something happened. Yeah, yeah. Well, well, the nice thing, one of the things I love about this position, and I've been doing it like I said, for 28 years, written books, podcasts, you've been on my show, YouTube channel, etc, etc, is that I do get to learn and from so many people and show the value of what we do, and I'm in a position to reach out and talk to so many different people, like I mentioned earlier. You know, CEOs. I can sit in front of the CEO and tell them you're not ready. If something happens, you're not ready because you haven't attended any training, or your team hasn't attended training, or nobody's contributing to crisis management or the business continuity or whatever you want to talk about. And I find that empowering, and it's amazing to sit there and not tell a CEO to their face, you know you're screwed. Not. You know, you don't say those kinds of things.
No, but being able to sit there and just have a moment with them to to say that, however you term it, you might have a good relationship with them where you can't say that for all I know, but it being able to sit in front of a CEO or a vice president and say, hey, you know, this is where things are. This is where I need your help. You know, I don't think a lot of people get that luxury to be able to do it. And I'm lucky enough that I've worked with a lot of clients where I can't. This is where I need your help. You know. What's your expectation? Let's make it happen, you know, and having that behind you is it's kind of empowering,

Michael Hingson 11:47
yeah, well, one of the things that I have start talking a little bit about with people when talk about emergency preparedness is, if you're really going to talk about being prepared for an emergency. One of the things that you need to do is recognize that probably the biggest part of emergency preparedness, or business continuity, however you want to term, it, isn't physical it's the mental preparation that you need to make that people generally don't make. You know, I've been watching for the last now, five or six weeks, all the fires and things down here in California, which have been so horrible, and people talk about being prepared physically. You should have a go bag so that you can grab it and go. You should do this. You should do that. But the problem is nobody ever talks about or or helps people really deal with the mental preparation for something unexpected. And I'm going to, I'm going to put it that way, as opposed to saying something negative, because it could be a positive thing. But the bottom line is, we don't really learn to prepare ourselves for unexpected things that happen in our lives and how to react to them, and so especially when it's a negative thing, the fear just completely overwhelms us.

Alex Fullick 13:09
Yeah, I agree with you.
You know, fear can be what's that to fight, flight or freeze? Yeah, and a lot of people don't know how to respond when an event happens. And I think I'm going to take a step back, and I think that goes back to when we're young as well, because we have our parents, our grandparents, our teachers, our principals. You know, you can go achieve your goals, like everything is positive. You can go do that. Go do that. They don't teach you that, yeah, to achieve those goals, you're going to hit some roadblocks, and you need to understand how to deal with that when things occur. And use your example with the fires in California. If you don't know how to prepare for some of those small things, then when a big fire like that occurs, you're even less prepared. I have no idea how to deal with that, and it is. It's a really change in mindset and understanding that not everything is rosy. And unfortunately, a lot of people get told, or they get told, Oh, don't worry about it. It'll never happen. So great when it does happen. Well, then was that advice?

Michael Hingson 14:25
Yeah, I remember after September 11, a couple of months after, I called somebody who had expressed an interest in purchasing some tape backup products for from us at Quantum. And I hadn't heard from them, and so I reached out, and I said, So what's going on? How would you guys like to proceed? And this was an IT guy, and he said, Oh, well, the president of the company said September 11 happened, and so since they did, we're not going to have to worry about that anymore. So we're not going to go forward. Or worth doing anything to back up our data, and I'm sitting there going, you missed the whole point of what backup is all about. I didn't dare say that to him, but it isn't just about an emergency, but it's also about, what if you accidentally delete a file? Do you have a way to go back and get it?
I mean, there's so many other parts to it, but this guy's boss just basically said, Well, it happened, so it's not going to happen now we don't have to worry about it. Yeah,

Alex Fullick 15:27
like you hear on the news. Well, it feels like daily, oh, once in 100 year storm, once in 100 year event, once in 100 year this. Well, take a look at the news. It's happening weekly, daily, yeah, yeah. One in 100

Michael Hingson 15:44
years thing, yeah. Nowadays, absolutely, there's so many things that are happening. California is going through a couple of major atmospheric rivers right now, as they're now calling it. And so Southern California is getting a lot of rain because of of one of the rivers, and of course, it has all the burn areas from the fires. So I don't know what we'll see in the way of mudslides, but the rain is picking up. Even here, where I live, we're going to get an inch or more of rain, and usually we don't get the rain that a lot of other places get. The clouds have to go over a lot of mountains to get to us, and they lose their moisture before they do that. Yeah,

Alex Fullick 16:23
yeah. We just had a whole pile of snow here. So we had a snowstorm yesterday. So we've got about 20 centimeters of snow out there that hasn't been plowed yet. So bit of

Michael Hingson 16:36
a mess. There you go. Well, you know, go out and play on the snow. Well,

Alex Fullick 16:41
the dog loves it, that's for sure. Like troubling it, but, yeah,

Michael Hingson 16:46
I don't think my cat would like it, but the animal would like it. He'd go out and play in it. If it were here, we don't get much snow here, but Yeah, he'd play it. But, but it is. It is so interesting to really talk about this whole issue of of business continuity, emergency preparedness, whatever you want to consider it, because it's it's more than anything.
It's a mindset, and it is something that people should learn to do in their lives in general, because it would help people be a lot more prepared. If people really created a mindset in themselves about dealing with unexpected things, probably they'd be a little bit more prepared physically for an emergency, but they would certainly be in a lot better shape to deal with something as like the fires are approaching, but they don't, but we don't do that. We don't teach that.

Alex Fullick 17:43
No, we it's interesting too, that a lot of those people, they'll work on projects in their organization, you know, and they will look at things well, what can go wrong, you know, and try to mitigate it and fix, you know, whatever issues are in the way or remove roadblocks. They're actually doing that as part of their project. But when it comes to themselves, and they have to think about fires or something like that, is now that won't happen, you know. And wait a minute, how come you've got the right mindset when it comes to your projects at work, but you don't have that same mindset when it comes to your own well being, or your families, or whatever the case may be. How come it's different? You go from one side to the other and it I've noticed that a few times with people and like, I don't get it. Why? Why are you so you have the right mindset under one circumstance and the other circumstance, you completely ignore it and don't have the mindset,

Michael Hingson 18:45
yeah, which, which makes you wonder, how much of a mindset Do you really have when it comes to work in all aspects of it? And so one of the things that I remember after September 11, people constantly asked me is, who helped you down the stairs, or was there somebody who was responsible for coming to get you, to take you downstairs and and the reality is, as I said, I was the leader. I was helping other people go downstairs.
But by the same token, I'm of the opinion that in buildings like the World Trade Center towers, there is people talk about the buddy system. So if somebody is is in the building, you should have a buddy. And it doesn't even need to be necessarily, in the same office, but there should be an arrangement so that there is somebody looking out for each each other person. So everybody should have a buddy. I'm of the opinion it isn't a buddy. There should be two buddies, and at least one of them has to be outside of the office, so that you have three people who have to communicate and develop those lines of communications and work through it. And by that way, you you have a better chance of making sure that more people get whatever communications are necessary.

Alex Fullick 20:06
Yeah, you create your like a support network, absolutely,

Michael Hingson 20:10
and I think at least a triumvirate makes a lot more sense than just a buddy. Yeah,

Alex Fullick 20:14
you you might be freaked out, you know, nervous shaking, but with a couple of people standing there, you know, talking to you, you're going to come right back hopefully. You know, with that, the calmer, you know, stop shaking when a couple of people are there. Yeah, you a lot of times when you have the same one person doing it, usually, oh, you're just saying that because you have to. But when you two people doing it, it's like, okay, thank thanks team. You know, like you're really helping. You know, this is much better.

Michael Hingson 20:48
Yeah, I think it makes a lot more sense, and especially if one of them isn't necessarily a person who's normally in your work pattern that brings somebody in from someone with the outside who approaches things differently because they don't necessarily know you or as well or in the same way as your buddy who's maybe next door to you in the office, right across the hall or next door, or whatever. Yeah, yeah. I agree.
I think it makes sense well, the conference that we were at a lot to well, to a large degree, and at least for my presentation, was all about resilience. What is resilience to you? How's that for a general question that

Alex Fullick 21:31
has become such a buzzword, I know it

Michael Hingson 21:35
really is, and it's unfortunate, because when, when we start hearing, you know, resilience, or I hear all the time amazing and so many times we get all these buzzwords, and they they really lose a lot of their value when that happens. But still, that's a fair question. I

Alex Fullick 21:53
do think the word resilience is overused, and it's losing its meaning. You know, dictionary meaning, because it's just used for everything these days. Yeah, you know, my neighbor left her keys. Sorry. Her daughter took her house keys this morning by accident. She couldn't get into her house when she got him back, and she had a comment where she said, you know, oh, well, I'm resilient, but really, you just went and got some keys, how was that so? So I'm, I'm starting to get to the point now, when people ask me, you know, what's resilience to you? What's it mean to you? I just, I start to say, Now, does it matter? Yeah, my definition is fine for me, if you have a definition of it for yourself that you understand you you know what it means, or your organization has a definition, we'll take it and run. Yeah, you know what it means. You're all behind that. Meaning. We don't need a vendor or some other guiding industry organization to say this is, this must be your definition of resilience. It's like, well, no, you're just wordsmithing and making it sound fancy. You know, do it means what it means to you? You know, how, how do you define it? If that's how you define it, that's what it means, and that's all that matters. My definition doesn't matter.
Nobody else's definition matters, you know, because, and it's become that way because the term used, you know, for everything these days. Yeah, I

Michael Hingson 23:30
think that there's a lot of value in if a person is, if we use the dictionary definition, resilient, they they Well, again, from my definition, it gets back to the mindset you establish. You establish a mindset where you can be flexible, where you can adapt, and where you can sometimes think outside the box that you would normally think out of, but you don't panic to do that. You've learned how to address different things and be able to focus, to develop what you need to do to accomplish, whatever you need to accomplish at any unexpected time.

Alex Fullick 24:06
Yeah, and you're calm, level headed, you know, you've got that right mindset. You don't freak out over the small things, you know, you see the bigger picture. You understand it. You know, I'm here. That's where I need to go, and that's where you focus and, you know, sweat all those little things, you know. And I think, I think it's, it's kind of reminds me that the definitions that are being thrown out there now reminds me of some of those mission and vision statements that leadership comes up with in their organizations, with all this, oh, that, you know, you read the sentence and it makes no sense whatsoever, yeah, you know, like, what?

Michael Hingson 24:45
What's so, what's the wackiest definition of resilience that you can think of that you've heard?

Alex Fullick 24:51
Um, I don't know if there's a wacky one or an unusual one. Um, oh, geez. I. I know I've heard definitions of bounce forward, bounce back, you know, agility, adaptability. Well, your

Michael Hingson 25:07
car keys, lady this morning, your house key, your house key, lady this morning, the same thing, yeah, yeah. I don't resilient just because she got her keys back. Yeah, really, yeah. Well,

Alex Fullick 25:17
that's kind of a wacky example.
Yeah, of one, but I don't think there's, I've heard any weird definitions yet. I'm sure that's probably some out there coming. Yeah, we'll get to the point where, how the heck did are you defining resilience with that? Yeah? And if you're looking at from that way, then yeah, my neighbor with the keys that would fit in right there. That's not resilient. You just went and picked up some keys.

Michael Hingson 25:45
Yeah. Where's the resilience? How did you adapt? You the resilience might be if you didn't, the resilience might be if you didn't panic, although I'm sure that didn't happen. But that would, that would lean toward the concept of resilience. If you didn't panic and just went, Well, I I'll go get them. Everything will be fine, but that's not what people do,

Alex Fullick 26:08
yeah? Well, that that is what she did, actually. She just as I was shoveling snow this morning, she goes, Oh, well, I'll just go get her, get them, okay, yeah. Does that really mean resilience, or Does that just mean you went to pick up the keys that your daughter accidentally took

Michael Hingson 26:24
and and you stayed reasonably level headed about it,

Alex Fullick 26:28
you know, you know. So, you know, I don't know, yeah, if, if I would count that as a definition of resilience, but, or even I agree resilience, it's more of okay, yeah, yeah. If, if it's something like that, then that must mean I'm resilient when I forget to pull the laundry out after the buzzer. Oh yeah, I gotta pull the laundry out. Did that make me resilient? Yeah,

Michael Hingson 26:52
absolutely, once you pulled it out, you weren't resilient, not until then,

Alex Fullick 26:57
you know. So, so I guess it's you know, how people but then it comes down to how people want to define it too. Yeah, if they're happy with that definition, well, if it makes you happy, I'm not going to tell you to change

Michael Hingson 27:11
it.
Yeah, has but, but I think ultimately there are some some basic standards that get back to what we talked about earlier, which is establishing a mindset and being able to deal with things that come out of the ordinary well, and you're in an industry that, by and large, is probably viewed as pretty negative, you're always anticipating the emergencies and and all the unexpected horrible things that can happen, the what if people again, but that's that's got to be, from a mindset standpoint, a little bit tough to deal with it. You're always dealing with this negative industry. How do you do that? You're resilient, I know. But anyway, yeah,

Alex Fullick 27:56
really, I just look at it from a risk perspective. Oh, could that happen to us? You know, no, it wouldn't, you know, we're we're in the middle of a Canadian Shield, or at least where I am. We're in the middle of Canadian Shield. There's not going to be two plates rubbing against each other and having an earthquake. So I just look at it from risk where we are, snowstorms, yep, that could hit us and has. What do we do? Okay, well, we close our facility, we have everyone work from home, you know, etc, etc. So I don't look at it from the perspective of doom and gloom. I look at it more of opportunity to make us better at what we do and how we prepare and how we respond and how we overcome, you know, situations that happen out there, and I don't look at it from the oh, here comes, you know, the disaster guy you know, always pointing out everything that's wrong. You know, I'd rather point out opportunities that we have to become as a team, organization or a person stronger. Yeah,

Michael Hingson 29:01
I guess it's not necessarily a disaster. And as I said earlier, it could very well be that some unexpected thing will happen that could be a very positive thing.
But again, if we don't have the mindset to deal with that, then we don't and the reality is, the more that we work to develop a mindset to deal with unexpected things, the more quickly we can make a correct analysis of whatever is going on and move forward from it, as opposed to letting fear again overwhelm us, we can if we practice creating This mindset that says we really understand how to deal with unexpected situations, then we are in a position to be able to the more we practice it, deal with it, and move forward in a positive way. So it doesn't need to be a disaster. September 11 was a disaster by any standard, but as I tell people. People. While I am still convinced that no matter what anyone might think, we couldn't figure out that September 11 was going to happen, I'm not convinced that even if all the agencies communicated, they would have gotten it because and I talk about trust and teamwork a lot, as I point out, a team of 19 people kept their mouth shut, or a few more who were helping in the planning of it, and they pulled off something that basically brought the world to its knees. So I'm not convinced that we could have stopped September 11 from happening. At least I haven't heard something that convinces me of that yet. But what each of us has the ability to do is to determine how we deal with September 11. So we couldn't prevent it, but we can certainly all deal with or address the issue of, how do we deal with it going forward? Yeah,   Alex Fullick ** 30:52 I agree. I I was actually in a conversation with my niece a couple of months ago. We were up at the cottage, and she was talking about school, and, you know, some of the people that she goes to school with, and I said, Well, you're never going to be able to change other people. You know, what they think or what they do. I said, what you can control is your response. 
You know, if, if they're always picking on you, the reason they're picking on you is because they know they can get a rise out of you. They know they it. Whatever they're saying or doing is getting to you, so they're going to keep doing it because it's empowering for them. But you can take away that empowerment if you make the right choices on how you respond, if you just shrug and walk away. I'm simplifying it, of course, yeah, if you just shrug and walk away. Well, after a while, they're going to realize nothing I'm saying is getting through, and they'll move away from you. They'll they won't bug you anymore, because they can't get a rise out. They can't get a rise out of you. So the only thing you can control is how you respond, you know. And as you keep saying, it's the mindset. Change your mindset from response to, you know, I'm prepared for what this person's going to say, and I'm not going to let it bother me. Yeah?   Michael Hingson ** 32:08 Well, bullying is really all about that. Yeah, people can't bully if you don't let yourself be bullied. Yep, and whether it's social media and so many other things, you can't be bullied if you don't allow it and if you ignore it or move on or get help to deal with the issue if it gets serious enough, but you don't need to approach it from a shame or fear standpoint, or you or you shouldn't anyway, but that's unfortunately, again, all too often. What happens when we see a lot of teenage suicides and so on, because people are letting the bullies get a rise out of them, and the bullies win.   Alex Fullick ** 32:51 Yep, yep. And as I told her, I said, you just mentioned it too. If it gets out of hand or becomes physical, I said, then you have to take action. I don't mean turning around and swinging back. I said, No, step up. Go get someone who is has authority and can do something about it. Yeah, don't, don't run away. Just deal with it differently, you know. 
And don't, don't start the fight, because then you're just confirming that I'm the bully. I can do this again. Yeah, you're, you're giving them license to do what they want. Yeah, but stand up to them, or tell, depending on the situation, tell someone higher up in authority that can do something and make make a change, but you have to be calm when you do it.   Michael Hingson ** 33:39 I remember when I was at UC Irvine, when I was going to college, my had my first guide dog, Squire. He was a golden retriever, 64 pounds, the most gentle, wonderful dog you could ever imagine. And unfortunately, other students on campus would bring their dogs. It was a very big campus, pretty, in a sense, rural, and there were only about 2700 students. And a bunch of students would bring their dogs to school, and they would just turn the dogs loose, and they go off to class, and then they find their dogs at the end of the day. Unfortunately, some of the dogs developed into a pack, and one day, they decided they were going to come after my guide dog. I think I've told this story a couple times on on this podcast, but what happened was we were walking down a sidewalk, and the dogs were coming up from behind, and they were growling and so on. And squire, my guide dog, jerked away from me. I still held his leash, but he jerked out of his harness, out of my hand, and literally jumped up in the air, turned around and came down on all fours, hunkered down and growled at these dogs all in this the well, about a two second time frame, totally shocked the dogs. They just slunked away. Somebody was describing it to me later, and you know, the dog was very deliberate about what he did. Of course, after they left, he comes over and He's wagging his tail. Did I do good or what? But, but he was very deliberate, and it's a lesson to to deal with things. And he never attacked any of the dogs, but he wasn't going to let anything happen to him or me, and that's what loyalty is really all about. 
But if something had happened and that hadn't worked out the way expected, then I would have had to have gone off and and I, in fact, I did talk to school officials about the fact that these dogs were doing that. And I don't even remember whether anybody did anything, but I know I was also a day or so later going into one of the the buildings. Before he got inside, there was a guy I knew who was in a wheelchair, and another dog did come up and started to try to attack squire, this guy with in the wheelchair, pulled one of the arms off his chair and just lambasted the dog right across the head, made him back up. Yeah, you know. But it was that people shouldn't be doing what they allowed their dog. You know, shouldn't be doing that, but. But the bottom line is, it's still a lesson that you don't let yourself be bullied. Yeah, yep, and there's no need to do that, but it is a it's a pretty fascinating thing to to see and to deal with, but it's all about preparation. And again, if we teach ourselves to think strategically and develop that skill, it becomes just second nature to do it, which is, unfortunately, what we don't learn.   Alex Fullick ** 36:48 Yeah, I didn't know that as a kid, because when I was a little kid and first came to Canada, especially, I was bullied because, well, I had a funny voice.   Michael Hingson ** 36:57 You did? You don't have that anymore, by the way, no,   Alex Fullick ** 37:01 if I, if I'm with my mom or relatives, especially when I'm back in England, words will start coming back. Yeah, there are words that I do say differently, garage or garage, yeah. You know, I hate garage, but garage, yeah, I still say some words like that,   Michael Hingson ** 37:18 or process, as opposed to process.   Alex Fullick ** 37:21 Yeah, so, you know, there's something like that, but as a kid, I was bullied and I there was, was no talk of mindset or how to deal with it. 
It's either put up with it or, you know, you really couldn't turn to anybody back then, because nobody really knew themselves how to deal with it. Yeah, bullies had always been around. They were always in the playground. So the the mechanisms to deal with it weren't there either. It wasn't till much later that I'm able to to deal with that if someone said some of the things now, right away, I can turn around because I've trained myself to have a different mindset and say that, no, that's unacceptable. You can't talk to that person, or you can't talk to me that way. Yeah, you know, if you say it again, I will, you know, call the police or whatever. Never anything where I'm going to punch you in the chin, you know, or something like that. Never. That doesn't solve anything. No, stand up saying, you know, no, I'm not going to accept that. You know, which is easier now, and maybe that just comes with age or something, I don't know, but back then, no, it was, you know, that that kind of mechanism to deal with it, or finding that inner strength and mindset to do that wasn't there,   Michael Hingson ** 38:43 right? But when you started to work on developing that mindset, the more you worked on it, the easier it became to make it happen. Yep, agreed. And so now it's a way of life, and it's something that I think we all really could learn and should learn. And my book live like a guide dog is really all about that developing that mindset to control fear. And I just think it's so important that we really deal with it. And you know, in this country right now, we've got a government administration that's all about chaos and fear, and unfortunately, not nearly enough people have learned how to deal with that, which is too bad, yep, although,   Alex Fullick ** 39:30 go ahead, I was going to say it's a shame that, you know, some a lot of people haven't learned how to deal with that. Part of it, again, is we don't teach that as well. 
So sometimes the only thing some people know is fear and bullying, because that's all they've experienced, yeah, either as the bully or being bullied. So they they don't see anything different. So when it happens on a scale, what we see right now it. It's, well, that's normal, yeah, it's not normal, actually. You know, it's not something we should be doing. You know, you should be able to stand up to your bully, or stand up when you see something wrong, you know, and help because it's human nature to want to help other people. You know, there's been so many accidents people falling, or you'll need their snow removed, where I am, and people jump in and help, yeah? You know, without sometimes, a lot of times, they don't even ask. It's like, oh, let me give you a hand,   Michael Hingson ** 40:33 yeah. And we had that when we lived in New Jersey, like snow removal. We had a Boy Scout who started a business, and every year he'd come around and clear everybody's snow. He cleared our snow. He said, I am absolutely happy to do it. We we wanted to pay him for it, but he was, he was great, and we always had a nice, clean driveway. But you know, the other side of this whole issue with the mindset is if we take it in a more positive direction, look at people like Sully Sullenberger, the pilot and the airplane on the Hudson, how he stayed focused. He had developed the mindset and stayed focused so that he could deal with that airplane. That doesn't mean that he wasn't afraid and had concerns, but he was able to do something that was was definitely pretty fantastic, because he kept his cool, yeah,   Alex Fullick ** 41:23 I think he knew, and others in other situations know that if you're freaking out yourself, you're not going to fix the issue, you're going to make it worse. We see that in Hollywood tends to do that a lot. In their movies, there's always a character who's flipping out, you know, panicking, going crazy and making everything worse. 
Well, that does happen, you know, if you act that way, you're not going to resolve your situation, whatever you find yourself in, you know. And I tell people that in business continuity when we're having meetings, well, we'll figure it out when it happens. No, you don't know how you'll behave. You don't know how you'll respond when, oh, I don't know an active shooter or something. You have no idea when you hear that someone you know just got shot down in the lobby. Are you going to tell me you're going to be calm? You sorry? You know you're going to be calm and just okay, yeah, we can deal with it. No, you're going to get a wave of panic, yeah, or other emotions coming over you, you know. And you have to have that mindset. You can still be panicked and upset and freaked out, or however you want to describe that, but you know, I have to stay in control. I can't let that fear take over, or I'm going to get myself in that situation as well. Yeah, I have to be able to manage it. Okay, what do I have to do? I gotta go hide. You know, I'm not saying you're not sweating, you know, with nervousness like that, but you understand, gotta think beyond this if I want to get out of this situation. You know, I'm going to take these people that are sitting with me, we're going to go lock ourselves in the storage closet, or, you know, whatever, right? But have that wherewithal to be able to understand that and, you know, be be safe, you know, but freaking out, you're only contributing to the situation, and then you end up freaking out other people and getting them panicked. Course, you do. They're not, you know, they don't have the right mindset to deal with issues. And then you've got everyone going in every direction, nobody's helping each other. And then you're creating, you know, bigger issues, and   Michael Hingson ** 43:37 you lose more lives, and you create more catastrophes all the way around. 
I remember when I was going down the stairs at the World Trade Center, I kept telling Roselle what a good job she was doing, good girl. And I did that for a couple of reasons. The main reason was I wanted her to know that I was okay and I'm not going to be influenced by fear. But I wanted her to feel comfortable. What happened, though, as a result of that, and was a lesson for me. I got contacted several years later one time, specifically when I went to Kansas City to do a speech, and a woman said she wanted to come and hear me because she had come into the stairwell just after, or as we were passing her floor, which was, I think, the 54th floor. Then she said, I heard you just praising your dog and being very calm. And she said, I and other people just decided we're going to follow you down the stairs. And it was, it was a great lesson to understand that staying focused, no matter what the fear level was, really otherwise, staying focused and encouraging was a much more positive thing to do, and today, people still don't imagine how, in a sense, calm it was going down the stairs, which doesn't mean that people weren't afraid. But several of us worked to really keep panic out of the stairwell as we were going down. My friend David did, he panicked, but then he walked a floor below me and started shouting up to me whatever he saw on the stairwell, and that was really for his benefit. He said to have something to do other than thinking about what was going on, because he was getting pretty scared about it. But what David did by shouting up to me was he acted as a focal point for anyone on the stairs who could hear him, and they would hear him say things like, Hey, Mike, I'm at the 43rd floor. All's good here. 
Everyone who could hear him had someone on the stairs who was focused, sounded calm, and that they could listen to to know that everybody was okay, which was so cool, and   Alex Fullick ** 45:38 that that probably helped them realize, okay, we're in the right direction. We're going the right way. Someone is, you know, sending positive comments. So if, if we've got, you know, three, if he's three floors below us, we know at least on the next three floors, everything is okay.   Michael Hingson ** 45:56 Well, even if they didn't know where he wasn't right, but even if they didn't know where he was in relation to them, the fact is, they heard somebody on the stairs saying, I'm okay, yeah, whether he felt it, he did sound it all the way down the stairs. Yeah, and I know that he was panicking, because he did it originally, but he got over that. I snapped at him. I just said, Stop it, David, if Roselle and I can go down these stairs, so can you. And then he did. He focused, and I'm sure that he had to have helped 1000s of people going down the stairs, and helped with his words, keeping them calm.   Alex Fullick ** 46:32 Yeah, yeah. It makes a difference, you know. Like I said earlier, you doesn't mean you're still not afraid. Doesn't mean that, you know, you're not aware of the negative situation around you. It's and you can't change it, but you can change, like I said earlier, you can change how you respond to it. You can be in control that way, right? And that's eventually what, what he did, and you you were, you know, you were controlled going downstairs, you know, with with your guide dog, and with all these people following you, and because of the way you were, like, then they were following you, yeah, and they remained calm. It's like there's someone calling up from below who's safe. I can hear that. I'm listening to Michael. He'll tell his dog how well behaved they are. And he's going down calmly. Okay, you know, I can do this. 
And they start calming down,   Michael Hingson ** 47:28 yeah, what's the riskiest thing you've ever done? Oh, word. Must have taken a risk somewhere in the world, other than public speaking. Oh, yeah, public speaking.   Alex Fullick ** 47:40 I still get nervous the first minute. I'm still nervous when I go up, but you get used to it after a while. But that first minute, yeah, I'm nervous. Oh, that there's, I have a fear of heights and the so the the two, two things that still surprised me that I did is I climbed the Sydney bridge, Harbor Bridge, and, oh, there's another bridge. Where is it? Is it a Brisbane? They're both in Australia. Anyway. Climb them both and have a fear of heights. But I thought, no, I gotta, I gotta do this. You know, I can't be afraid of this my entire life. And I kept seeing all these people go up there in groups, you know, on tours. And so I said, Okay, I'm going to do this. And I was shaking nervous like crazy, and went, What if I fall off, you know, and there's so many different measures in place for to keep you safe. But that that was risky, you know, for me, it felt risky. I was exhilarated when I did it. Though, would you do it again? Oh, yeah, in a heartbeat. Now, there you go. I'm still afraid of heights, but I would do that again because I just felt fantastic. The other I guess going out and being self employed years ago was another risky thing. I had no idea, you know about incorporating myself, and, you know, submitting taxes, you know, business taxes, and, you know, government documents and all this and that, and invoicing and things like that. I had no idea about that. So that was kind of risky, because I had no idea how long I'd be doing it. Well, I started in what 2007, 2007, I think so, 18 years, yeah, so now it's like, I can't imagine myself not doing it, you know, so I'm but I'm always willing to try something new these days. You know, even starting the podcast seven and a half years ago was risky, right? I had no idea. 
Nobody was talking about my industry or resilience or business continuity or anything back then, I was the first one doing it, and I'm the longest one doing it. Um, I've outlived a lot of people who thought they could do it. I'm still going. So that started out risky, but now I. Imagine not doing it, yeah, you know. And you know, it's, you know, I guess it's, it's just fun to keep trying new things. You know, I keep growing and, you know, I've got other plans in the works. I can't give anything away, but, you know, I've got other plans to try. And they'll, they'll be risky as well. But it's like,   Michael Hingson ** 50:21 no, let's go for it. Have you ever done skydiving or anything like that? No, I haven't done that. I haven't either. I know some blind people who have, but I just, I've never done that. I wouldn't   Alex Fullick ** 50:32 mind it. It's that might be one of those lines where should I? I'm not sure about this one, you know, but it is something that I I think I wouldn't do it on my own. I think I would have to be one of those people who's connected with someone else, with someone   Michael Hingson ** 50:51 else, and that's usually the way blind people do it, needless to say, but, and that's fine, I just have never done it. I haven't ever had a need to do it, but I know I can sit here and say, I'm not afraid to do it. That is, I could do it if it came along, if there was a need to do it, but I don't. I don't have a great need to make that happen. But you know, I've had enough challenges in my life. As I tell people, I think I learned how to deal with surprises pretty early, because I've been to a lot of cities and like, like Boston used to have a rep of being a very accident prone city. Just the way people drive, I could start to cross the street and suddenly I hear a car coming around the corner, and I have to move one way or the other and draw a conclusion very quickly. Do I back up or do I go forward? 
Because the car is not doing what it's supposed to do, which is to stop, and I have to deal with that. So I think those kinds of experiences have helped me learn to deal with surprise a little bit too.   Alex Fullick ** 51:52 Yeah, well, with the skydiving, I don't think I'd go out of my way to do it, but exactly came along, I think I would, you know, just for the thrill of saying, I did it,   Michael Hingson ** 52:03 I did it, yeah, I went ice skating once, and I sprained my ankle as we were coming off the ice after being on the ice for three hours. And I haven't gone ice skating again since. I'm not really afraid to, but I don't need to do it. I've done it. I understand what it feels like. Yeah, yeah. So it's okay. Have you had any really significant aha moments in your life, things that just suddenly, something happened and went, Ah, that's that's what that is, or whatever.   Alex Fullick ** 52:30 Well, it does happen at work a lot, dealing with clients and people provide different perspectives, and you just, Oh, that's interesting, though, that happens all the time. Aha moments. Sometimes they're not always good. Aha moments, yeah, like the one I always remember that the most is when I wrote my first book, heads in the sand. I was so proud of it, and, you know, excited and sent off all these letters and marketing material to all the chambers of commerce across Canada, you know, thinking that, you know, everyone's going to want me to speak or present or buy my book. Well, ah, it doesn't happen that way. You know, I got no responses. But that didn't stop me from writing seven more books and working on nine. Now, there you go, but it was that was kind of a negative aha moment so, but I just learned, okay, that's not the way I should be doing that.   Michael Hingson ** 53:34 Put you in your place, but that's fair. I kind   Alex Fullick ** 53:37 of, I laugh at it now, a joke, but you know, aha, things you know, I You never know when they're going to happen.   
Michael Hingson ** 53:47 No, that's why they're Aha, yeah.   Alex Fullick ** 53:51 And one of one, I guess another one would have been when I worked out first went out on my own. I had a manager who kept pushing me like, go, go work for yourself. You know this better than a lot of other people. Go, go do this. And I was too nervous. And then I got a phone call from a recruiting agency who was offering me a role to do where I wanted to take this company, but that I was working for full time for that weren't ready to go. They weren't ready yet. And it was kind of an aha moment of, do I stay where I am and maybe not be happy? Or have I just been given an opportunity to go forward? So when I looked at it that way, it did become an aha moment, like, Ah, here's my path forward. Yeah, so, you know. And that was way back in 2007 or or so somewhere around there, you know. So the aha moments can be good. They can be bad, and, you know, but as long as you learn from them, that's exactly   Michael Hingson ** 54:57 right. The that's the neat thing about. Aha moments. You don't expect them, but they're some of the best learning opportunities that you'll ever get.   Alex Fullick ** 55:06 Yeah, yeah, I agree completely, because you never know that. That's the nice thing, and I think that's also part of what I do when I'm working with so many different people of different levels is they all have different experiences. They all have different backgrounds. You they can all be CEOs, but they all come from a different direction and different backgrounds. So they're all going to be offering something new that's going to make you sit there and go, Oh, yeah. And thought of that before,   Michael Hingson ** 55:38 yeah. So that's, that's so cool, yeah,   Alex Fullick ** 55:42 but you have to, you know, be able to listen and pick up on those kind of things.   Michael Hingson ** 55:46 But you've been very successful. 
What are some of the secrets of success that that that you've discovered, or that you put to use?   Alex Fullick ** 55:55 For me, I'll put it bluntly, shut up and listen.   Michael Hingson ** 55:59 There you are. Yeah. Well, that is so true. That's true. Yeah.   Alex Fullick ** 56:03 I think I've learned more by just using my two ears rather than my one mouth, instead of telling people everything they you should be doing. And you know, this is what I think you should do. And like talking at people, it's so much better just talk with people, and then they'll, even if you're trying to, you know, really, really, really, get them to see your side, they will come onto your side easier and probably better if you let them realize it themselves. So you just listen, and you ask the odd probing question, and eventually comes around, goes, Oh, yeah, I get it. What you mean now by doing this and going, Yeah, that's where I was going. I guess I just wasn't saying it right, you know. And have being humble enough to, you know, even though I, I know I did say it right, maybe I just wasn't saying it right to that person, to that person, yeah, right way. So listening to them, and, you know, I think, is one of the big keys to success for me, it has, you know, and I've learned twice as much that way. And maybe that's why I enjoy answering people on the podcast, is because I ask a couple of questions and then just let people talk,   Michael Hingson ** 57:18 which is what makes it fun. Yeah,   Alex Fullick ** 57:21 yeah. It's sometimes it's fun to just sit there, not say anything, just let someone else do all the talking.   Michael Hingson ** 57:29 What you know your industry is, I would assume, evolved and changed over the years. What are some of the major changes, some of the ways that the industry has evolved. 
You've been in it a long time, and certainly, business continuity, disaster recovery, whatever you want to call it, has, in some sense, has become a little bit more of a visible thing, although I think people, as both said earlier, ignore it a lot. But how's the industry changed over time?   Alex Fullick ** 57:54 Well, when I started, it was before Y2K, yes, '96 and back then, when I first started, everything was IT focused. If your mainframe went down, your computer broke. That's the direction everyone came from. And then it was you added business continuity on top of that. Okay, now, what do we do with our business operations. You know, other things we can do manually while they fix the computer or rebuild the mainframe. And then it went to, okay, well, let's bring in, you know, our help desk. You know, who people call I've got a problem with a computer, and here's our priority and severity. Okay, so we'll get, we'll respond to your query in 12 hours, because it's only one person, but if there's 10 people who have the issue, now it becomes six hours and bringing in those different aspects. So we went from IT disaster recovery to business continuity to then bringing in other disciplines and linking to them, like emergency management, crisis management, business continuity, incident management, cyber, information security. Now we've got business continuity management, you know, bringing all these different teams together and now, or at least on some level, not really integrating very well with each other, but just having an awareness of each other, then we've moved to operational resilience, and again, that buzzword where all these teams do have to work together and understand what each other is delivering and the value of each of them. And so it just keeps growing in that direction where it started off with rebuild a mainframe to getting everybody working together to keep your operations going, to keep your partners happy, to keep your customers happy. 
You know, ensuring life safety is priority number one. When, when I started, life safety was, wasn't really thrown into the business continuity realm that much. It was always the focus on the business. So the these. The sky, the size and scope has gotten a lot bigger and more encompassing of other areas. And I wouldn't necessarily all call that business continuity, you know it, but it is. I see business continuity as a the hub and a wheel, rather than a spoke, to bring all the different teams together to help them understand, you know, hey, here's, here's how you've Incident Management, you know, help desk, service desk, here's how you help the Disaster Recovery Team. Here's how you can help the cyber team. Cyber, here's how you can actually help this team, you know, and being able to understand. And that's where the biggest change of things is going is now, more and more people are understanding how they really need to work together, rather than a silo, which you know, a lot of organizations still do, but it's those walls are starting to come down, because they can understand no One can do it alone. You have to work together with your internal departments, leadership, data analysts, who have to be able to figure out how to rebuild data, or your third parties. We need to talk with them. We have to have a relationship with them our supply chain, and understand where they're going, what they have in place, if we or they experience something. So it's definitely grown in size and scope   Michael Hingson ** 1:01:27 well, and we're seeing enough challenges that I think some people are catching on to the fact that they have to learn to work together, and they have to think in a broader base than they have in the past, and that's probably a good thing. Yeah, well, if, if you had the opportunity, what would you tell the younger Alex?   Alex Fullick ** 1:01:50 Run, run for the hills. Yeah, really, no, seriously, I kind of mentioned a couple of them already. 
Don't sweat the small things. You know, sometimes, yeah, and I think that comes down to our mindset thing as well. You know, understand your priorities and what's important. If it's not a priority or important, don't sweat it. Don't be afraid to take risks if you if you do your planning, whether it be jumping out of a plane or whatever, you know the first thing you want to do is what safety measures are in place to ensure that my jump will be successful. You know, those kind of things. Once you understand that, then you can make knowledgeable decisions. Don't be afraid to take those risks. And it's one of the big things. It's it's okay to fail, like I said about the book thing where you all those that marketing material I sent out, it's okay to fail. Learn from it. Move on. I can laugh at those kind of things now. You know, for years, I couldn't I was really like, oh my god, what I do wrong? It's like, No, I didn't do anything wrong. It just wasn't the right time. Didn't do it the right way. Okay, fine, move on. You know, you know, don't be afraid to fail. If, if you, if you fail and get up, well then is it really a failure? You learned, you got back up and you kept going. And that's the part of resilience too, right? Yeah, if you trip and fall, you get up and keep going. But if you trip and fall and stay down, well then maybe you are   Michael Hingson ** 1:03:30 failing. That's the failure. I mean, the reality is that it isn't failure if you learn from it and move on. It was something that set you back, but that's okay, yeah,   Alex Fullick ** 1:03:41 my my favorite band, Marillion, has a line in one of their songs rich. Failure isn't about falling down. Failure is staying down. Yeah,   Michael Hingson ** 1:03:50 I would agree with that. Completely agree   Alex Fullick ** 1:03:53 with it. He'll stand by it. W

durch die bank
Testing digital operational resilience under DORA

durch die bank

Jun 4, 2025 · 16:18


The Digital Operational Resilience Act (DORA) obliges all companies in the financial sector to review their ICT systems and processes regularly. To that end, a risk-based, proportionate testing programme is to be established. What you should look out for, which basic tests are part of it, and when support from external parties makes sense: we discuss this with Alexandros Manakos, cyber security expert and managing director of Apollon Security. We also talk about the advanced "Threat-Led Penetration Tests", which simulate real cyber attacks.

Own Your Compliance: Mein Business nach meinen Regeln
What happens when nothing works anymore?: Business Continuity Management in the company

Own Your Compliance: Mein Business nach meinen Regeln

Mar 27, 2025 · 24:19


Imagine a sudden power outage, a cyber attack or the illness-related absence of a key person brings your company to a standstill. What then? In this episode of "Own your Compliance", Andrea and Lukas talk about the decisive role of Business Continuity Management (BCM) when the emergency actually happens. You'll learn how to make your company crisis-proof, which standards and terms you should know, and why it is not enough to be "somehow prepared". Lukas explains in practical terms how a BCM is built, what hurdles there are, and how to distribute responsibility sensibly within the team. Guest: Lukas Rademacher, Consultant Information Security at Nextwork.

durch die bank
DORA comes into application: how far along is the financial industry?

durch die bank

Mar 12, 2025 · 21:56


The Digital Operational Resilience Act (DORA) has applied since January 17, 2025. There is no grace period. But what is the state of implementation in the financial sector, and what challenges were there, and possibly still are? We discuss this with Professor Dr. Patrik Buchmüller of DHBW Villingen-Schwenningen and Johannes Haupt (DZ Bank AG). Our guests also give an outlook on how things will continue in DORA's regulatory environment over the coming months.

KPMG on air Financial Services - Insights für die Finanzbranche
How is the role of Business Continuity Management changing? #45

KPMG on air Financial Services - Insights für die Finanzbranche

Feb 11, 2025 · 20:52


DORA, resilience and BCM 2.0: Stefanie Fekonja (KPMG) in conversation with Christian Rings (Münchener Hyp)

The DORA regulation has brought many new requirements for financial institutions in Europe and sets the bar for IT compliance and security considerably higher than previous regulations. This is also shown by a KPMG benchmark on the expiry of the implementation deadline on January 17, 2025. But DORA is only the beginning, says Christian Rings, Business Continuity Manager at Münchner Hypothekenbank. Ongoing work on an institution's digital resilience is now an interdisciplinary, cross-team challenge. Increasingly important in this: comprehensive testing. In our podcast, Christian talks with Stefanie Fekonja (KPMG) about business continuity and contingency plans, threat situations and crisis situations, and the future of BCM in the age of DORA.

Listen to episode #45 of our podcast "KPMG on air Financial Services" now to learn more. And sign up here for the newsletter mentioned in the podcast: https://klardenker.kpmg.de/financialservices-hub/newsletter/

The conversation at a glance:
[00:00] Intro and welcome
[02:00] DORA "steps it up a notch"
[03:50] Results of the KPMG benchmark
[05:20] DORA implementation at Münchener Hyp
[08:00] How Münchener Hyp rethought resilience
[10:00] "Are we doing enough?" – The ECB's cyber stress test as a yardstick
[11:30] Why testing is so important
[12:30] The new role of BCM
[15:00] Testing and the ideal BCM under the microscope
[18:45] An annual agenda with crisis simulations
[19:40] Closing

The God Cast
Church Of England Safeguarding and Independence with Clive Billenness - The God Cast Interview.

The God Cast

Feb 3, 2025 · 35:15


Follow Fr Alex on X @alexdjfrost
Follow Clive on X @cliveatsynod

Clive Billenness is a Specialist in Project / Programme / Risk / Business Continuity Management.
Practitioner Qualified in Prince2, MSP (Managing Successful Programmes) and M_o_R (Management of Risk), as well as Financial Management and Audit within the context of European FP7 and Horizon 2020 projects.
Also Certified Information Systems Auditor (CISA).
Also Retired Lay Minister in the Anglican Diocese of Europe.
Elected Member of House of Laity of Synod of the Diocese of Europe.
Hon. Secretary of ECO - the Ecumenical Church of the Occitanie (an online mission initiative).

Specialties: EC FP7/H2020 Project Financial Regulations, IT Projects and Programmes, Risk Management, Business Continuity Management, Digital Preservation, GDPR Governance and Compliance.

Recently:
Researching bullying in worship communities.
Member of the Save The Parish Financial Scrutiny Board at General Synod of Church of England.
Member of the House of Laity of the General Synod of the Church of England.
Supporting an inclusive church which is free of bullying.
Member of Audit Committee.

The ISO Show
#205 Building AI Resilience with Cloud Direct

The ISO Show

Jan 29, 2025 · 30:44


AI usage has skyrocketed in the past 2 years, with many commonplace apps and software now featuring an AI integration in some form. With the rapid development and possibilities unlocked with this powerful technology, it can be tempting to go full steam ahead with implementing AI use into your day-to-day business activities. However, new technologies come with new risks that need to be understood and mitigated before any potential incidents. In this episode Mark Philip, Information Security Manager at Cloud Direct, joins Ian to discuss emerging AI risks and how you can build AI resilience into your existing practices.

You'll learn
· Who is Mark?
· Who is Cloud Direct?
· How can you assess your current level of AI resilience?
· What are some of the key threats that AI systems currently face, and how can you mitigate these?
· How can you utilise AI to enhance your security?
· What is best practice when responding to an AI related security incident?

Resources
· Cloud Direct
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – We invite Cloud Direct's Information Security Manager, Mark Philip, onto the show to discuss AI risks and how to build AI resilience into your existing security practices.

[03:25] Who is Mark Philip?: While his primary role is as an Information Security Manager at Cloud Direct, a little-known fact about him is that he is an amateur triathlete! At London earlier in 2024, he was lucky enough to bump into Alistair Brownlee, who is the UK's two-time Olympic gold medalist in triathlon.

[05:10] Who are Cloud Direct? – Founded in 2003, Cloud Direct are a Microsoft Azure Expert MSP, which is the top Microsoft accreditation that any partner can hold, putting them in the top 5% of Microsoft partners globally. They offer consultancy and professional managed services, specialising in Microsoft Cloud, which is all underpinned with security across the whole Microsoft stack. They also assist with digital transformation and modernisation.

[06:30] Assessing the current AI risk landscape: Ian points out that a recent report from the Capgemini Research Institute found that 97% of organisations are using generative AI. With this increase in AI use, there is a correlation with an increase in security incidents related to AI. Mark adds that this technology is so new, with a lot of larger software companies such as Microsoft pushing AI elements into their tools. So there is a learning curve involved with utilising the technology. There is also a lack of Risk Assessment being done in relation to AI; not a lot of thought is going into the use of AI on a day-to-day basis. If you're using an AI platform, you need to ask yourself: What is this platform actually doing with the data I'm inputting? There is also the fact that shady individuals are already leveraging this technology with the likes of deep fakes, bad bots and more sophisticated phishing schemes – and the harsh truth is that they're going to get better at it over time.

[08:20] What is AI resilience and why is it so important? – AI resilience is about equipping businesses with the processes that control the use and deployment of AI, so that they can anticipate and mitigate any AI risks effectively. Similar to ISO Standards, this would involve a risk-based approach. However, this will look very different depending on your business and how you are using AI. For example, the risks of someone using AI to generate a transcript of meeting notes will be much lower in comparison to a healthcare company using complex sets of data with AI to synthesize new medicines. So, if you are using AI you need to consider what the inherent risks could be, and that would be dependent on the data you're processing, i.e. is it sensitive data? And then factor in if the software is publicly available (such as ChatGPT), or is it a closed model under your control? Asking these types of questions will give you a more realistic outlook on the risk landscape you face.

[10:35] How can a business assess their current level of AI resilience? AI is here to stay, so you won't be able to avoid it forever. So first, you need to embrace and understand it, and that includes creating a clear picture of your use cases. Mark states they did this exercise internally at Cloud Direct when they were starting to use Microsoft's Copilot. They asked themselves:
· What sort of data is the software interacting with?
· What data are we putting into it?
· How do Microsoft manage the program and related security?
· Are Microsoft storing any of that data?
It's not just about the security either; you need to understand why you're using AI and if it will actually be to your benefit. A lot of people are using it because it's new and shiny, but if it's not actively helping you achieve your business goals, then it's more of a distraction than anything else. For those looking for additional guidance on AI policies, risks and resilience, there's a lot of guidance provided by both ISO and the NCSC. ISO 42001 in particular is useful for both people using AI and developers creating AI. If you're stuck on where to start, a Gap Analysis is a fantastic tool to see where you are currently and what gaps you need to bridge in your security to cover any AI usage, and to see how well you are complying with current legal requirements (the EU AI Act is now in effect!). Another tool is a Risk Assessment. You may not process what many would consider sensitive data, such as healthcare information, but even if you store and hold customer data, then you need to ensure that any AI you use doesn't pose a risk to it.

[14:30] How can AI improve security and resilience? – Sticking with Microsoft as an example, as they are releasing a lot of AI-driven tools, they can be used to fill gaps that humans may not have the time to do. One example of this is monitoring and sending security alerts: previously a system may have just sent this to a human member of staff to resolve, but now AI security tools can act on those alerts on your behalf. So, if you have limited IT resources, this could be a fantastic addition to your security set-up. It also eliminates the lag of human response, and AI can look at things in a way a human wouldn't think to.

[17:55] How do people stay ahead of the curve in the evolving AI landscape? – You should be using the myriad of resources available to learn about AI, as there are webinars, social media feeds, blogs and videos released constantly. Microsoft in particular are offering a comprehensive feed of information relating to AI, the risks and new technologies in development. The key is to understand AI before integrating it into your business. Don't just jump at the new shiny toys being advertised to you; go to reputable sources such as the ICO, NCSC, Cyber Essentials and regulatory bodies to learn about the technology, the benefits it can bring in addition to the risks you need to mitigate against. Mark can vouch for Microsoft's thought leadership in this field, as they keep all of their customers up-to-date with all of their AI related developments. Cloud Direct themselves are also putting out some great content, so don't forget to check out their resources. If you are already utilising Microsoft's tools, then Cloud Direct can help explain how their new tools can apply to your business. If you're looking for assistance with ISO 42001, then Blackmores can help you with implementing a robust AI Management System.

[21:40] What is best practice when responding to an AI related incident? – To be honest, there's no reason to not treat it like any other security incident. We've already adapted to more sophisticated security risks as a result of the move towards home and hybrid working over the pandemic. This is simply another stage along in this ever-changing security landscape. You should treat it like assessing any new step, and you likely have all the processes for analysing risk already in place; simply apply them to the usage of AI and put in place the necessary governance based on your findings. Standards such as ISO 20000 IT Service Management and ISO 22301 Business Continuity are fantastic tools if you're new to this sort of incident response planning. If you've already been certified to these standards, then you likely have the following in place already:
· Risk Assessments
· Business Impact Assessments
· Business Continuity Plans
· Recovery Plans
Simply add AI as an additional risk factor into your existing management system and update the necessary documentation to include actions and considerations for its use. If you update your Business Continuity and recovery plans, then make sure to test them! Don't just assume that they will work; put them to the test and adjust until you're comfortable that in a real incident, everyone in the business knows how to react, what to communicate and how to get back up and running.

[24:00] What are Mark's predictions for the field of AI resilience? – People need to look at the opportunities in utilising AI; a lot of people are using it without really understanding it, so there's a lot of learning still to do. So, he expects to see a lot of businesses fully grasping how they can use AI to their advantage in the coming years. With that comes the challenge of ensuring it's integrated safely, with the right governance embedded to ensure its safe and ethical usage across entire organisations. Another big challenge is handling data privacy within AI. Scams are only going to get more complex as AI develops, and you need to ensure your business can protect against that as much as possible. Also, businesses should carefully consider what AI platforms they choose to use. Ensure you understand what data is being input and stored, and the level of control you have over it. All of this to say, there are a lot of massive benefits of using AI and you shouldn't shy away from it. But you need to ensure you are using it safely and ethically.

[27:30] What is Mark's book recommendation? – The Hunt for Red October by Tom Clancy

[28:45] What is Mark's favorite quote? – “I have a bad feeling about this…” – Star Wars

Want to learn more about Cloud Direct? Check out their website.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Preparing for the Unexpected
Business Continuity, Security, Emergency & Crisis Management

Preparing for the Unexpected

Oct 10, 2024 · 60:00


Join me as I talk with globally recognized Crisis, Conflict, and Emergency Management (CCEM) expert, Kyle King, as we talk about a couple of important subjects. In segment 1 we talk about The Role of Business Continuity in International Security. 1. BCM and economic stability. 2. Geopolitical risks, 3. International security and BCM, 4. Public and Private partnerships, 5. Operational continuity, 6. The inward / outward view of Business Continuity, 7. Regulations...and much more! For the second segment we talk about Emergency Management or Crisis Management: Is it Time to Evolve? 1. More complexity in crisis, 2. Redefining incidents (small events growing to large-scale events), 3. Dealing with past Emergency Mgmt. and Crisis Mgmt. doctrine, 4. Catastrophes, 5. Communications, 6. Bringing BCM, Emergency Mgmt. and Crisis Mgmt. together, 7. Clarifying authorities (vs responsibilities), 8. A change in mindset...and much more! Kyle shares some great insights about BCM involvement in International Security and how the ERM and CM professions need - and must - evolve to address our changing times. Don't miss what Kyle has to share. Enjoy!

The ISO Show
#186 Business Continuity lessons learnt from CrowdStrike

The ISO Show

Aug 13, 2024 · 37:01


In July 2024, a logic error in an update for CrowdStrike's Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all affected machines took weeks to complete. Many businesses were caught up in the disruption, regardless of whether this affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this? Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.

You'll learn
· What happened following the CrowdStrike crash?
· How long did it take businesses to recover?
· Which ISO management system standards would this impact?
· How can you use your Management System to address the effects of an IT incident?
· How would this change your understanding of the needs and expectations of interested parties?
· How do risk assessments factor in where IT incidents are concerned?

Resources
· Isologyhub
· ISO 22301 Business Continuity

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management System and business continuity lessons learned that you can apply ahead of any potential future incidents.

[03:00] What happened following the CrowdStrike crash? – In short, an update to CrowdStrike's Falcon software brought down computer systems globally. 8.5 million Windows systems, which in reality is less than 1% of Windows systems, were affected as a result of this error. Even so, the damage could still be felt in key pillars of our societal infrastructure, with a lot of hospitals and transportation like trains and airlines being the worst affected.

[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn't mean that computers affected would be automatically fixed. In many cases applying the fix meant that engineers had to go on site to many different locations, which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem. So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve, as not everyone has IT or tech support in the field to issue a manual reboot. A lot of businesses were caught out as they don't factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).

[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:
· What systems do you use?
· How reliable are the third-party applications that you use?
· If an issue like this were to reoccur, how would it affect us?
· Do we have the necessary resource to fix it? i.e. staff on site if needed?
Third parties will have a lot of clients, and some may even prioritise those that pay for a more premium package, so you can't always count on them for a quick fix.

[09:10] How does this impact our businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can't afford to say ‘We don't use CrowdStrike therefore it did not impact us' – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies. Standards that were directly affected by the outage were:
· ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
· ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
· ISO 20000-1 – IT Service Management; Risk Assessment of service delivery; Service continuity; Service Availability
Remember, our management systems should reflect reality and not aspiration.

[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost, an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company's system for capturing non-conformities or continual improvement. You could liken this to how ISO 45001 requires you to report accidents and incidents. From the Incident a plan can be created, which should include changes to be considered or made to the management system. The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made. We are directed in all standards to Understanding the Organisation and its context. The key requirement here is to determine the internal and external issues that can impact your management system and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE, the CrowdStrike/Microsoft Outage should be included in this analysis as a threat and/or Technical issue.

[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they're delivering. So you could send them an e-mail to ask how they have dealt with the issue, what actions they took and how long it took to fully restore services. This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans. Many people still think of that requirement only in relation to goods and products, i.e. has my order been delivered etc. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it's being delivered.

[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[19:50] Once you have established lessons learnt, what's next? – The Standards provide a logical path to work through. One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result. Do not simply put the sole blame on a third party from whom an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault. One such finding may be your lack of business continuity plans, in which case looking at implementing aspects of ISO 22301 may be an action to consider. It's also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted. If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.

[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn't just be a one-time thing. You should be addressing these after incidents and any major changes within the business. Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level. If you'd like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.

[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
· Risk Assessment
· BIA for BCP
· Recovery Plans
· DR plans
· Service Continuity

[27:50] What should you be considering with your risk assessments? – Risk Assessments, if they follow the traditional methodology, will have Likelihood and Impact/Severity scores, and in the light of this outage, and any event, the likelihood and impact scores should be updated. If a company has set the likelihood as ‘once every 5 years' it should seriously consider changing this to ‘once every 6 months' or ‘once every year' to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years'. The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover? Talk to finance and other departments to understand the cost and change the scoring accordingly.

[33:20] Why should a business carry out a risk assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘Consequences of unintended changes,' and it could be argued that an Outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change' that led to consequences in many businesses. So, use your risk assessments as live tools to report on the reality facing the organisation. Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective. If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed. Remember - your management system should reflect reality and not aspiration.

If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Crisis. Conflict. Emergency Management
Harnessing Business Continuity For Effective Community Crisis Response with Alex Fullick

Crisis. Conflict. Emergency Management

Jul 28, 2024 · 49:24


In this episode of the Crisis Lab Podcast, host Kyle King interviews Alex Fullick, an expert in business continuity planning and the Founder and Managing Director of Stone Road Inc. In the first part of our discussion, hosted on the 'Preparing for the Unexpected' channel, Alex and Kyle covered the macro-level impact of BCP on global stability, including economic stability, supply chain security, crisis management, and geopolitical risks. Be sure to check out and subscribe to Alex's podcast, Preparing for the Unexpected. Now in part two of the podcast series, Kyle and Alex delve into the practical aspects of business continuity at a community level. They explore the role of BCP in preparing for and responding to local crises and discuss the importance of coordination between local businesses, governments, and organizations. Alex Fullick is a seasoned expert in business continuity planning with over 26 years of experience. As the Founder and Managing Director of Stone Road Inc., he specializes in Business Continuity Management and Resilience, offering consulting and training services. Alex is an accomplished author of eight books and the host of "Preparing for the Unexpected," a global internet talk radio show and YouTube channel focusing on preparing for and overcoming adverse situations. Tune in for insights on how small businesses can effectively plan for and mitigate risks, build networks, and support community resilience. 
Show Highlights
[04:27] Building Local Business Resilience
[10:43] Shared Responsibility in Community Resilience
[17:28] Workforce Considerations in Business Continuity
[22:59] Testing and Exercising for Resilience
[25:27] Understanding Federal Contracts and Small Business Contributions
[26:01] Identifying Business Threats and Risk Assessment
[27:57] Mitigating Risks and Contingency Planning
[30:41] Resources for Risk Assessment and Business Continuity
[33:47] The Importance of Training and Education
[35:33] Practical Training and Real-World Simulations
[41:18] Aligning Business Continuity with Daily Operations
[43:16] Trends in Business Continuity Management

Connect with Alex Fullick - Linkedin
Listen to Part 1: The Role of Business Continuity in International Security

Preparing for the Unexpected
Starting a BCM Program from Scratch w/ Yusuf Ukaye

Preparing for the Unexpected

Jul 18, 2024 · 60:00


Join me as I talk with experienced Operational Resilience and Business Continuity professional, Yusuf Ukaye, as we talk on the topic of Starting a BCM Program from Scratch. During our discussion we talk about: 1. Asking the right questions (What are we protecting? and more), 2. Impacts of not doing what you do, 3. Feeling about risk, 4. Good governance, 5. RACI, 6. It's NOT a project, 7. Everyday BC usage, 8. Building roadmaps, 9. Articulating needs, 10. Standards and guidelines, 11. Stakeholders, 12. Soft Skills, 13. Escalate and communicate w/ leaders, 14. Looking for support, 15. Listen more, 16. Be aware of the human element, 17. Validating you're on the right track, 18. Understanding assumptions and dependencies, 19. Communications...and more! Yusuf provides lots of great insights for those new to the field to help them get started, but also some insights to those that might be wondering why their program isn't as effective as it could be. Don't miss what Yusuf has to share. Enjoy!

CISO Tradecraft
#175 - Navigating NYDFS Cyber Regulation

Apr 1, 2024 33:24


This episode of CISO Tradecraft dives deep into the New York Department of Financial Services Cybersecurity Regulation, known as Part 500. Hosted by G Mark Hardy, the podcast outlines the significance of this regulation for financial services companies and beyond. Hardy emphasizes that Part 500 serves as a high-level framework applicable not just in New York or the financial sector but across various industries globally due to its comprehensive cybersecurity requirements. The discussion includes an overview of the regulation's history, amendments to enhance governance and incident response, and a detailed analysis of key sections such as multi-factor authentication, audit trails, access privilege management, and incident response. Additionally, the need for written policies, designating a Chief Information Security Officer (CISO), and ensuring adequate resources for implementing a cybersecurity program are highlighted. The podcast also offers guidance on how to approach certain regulatory mandates, emphasizing the importance of teamwork between CISOs, legal teams, and executive management to comply with and benefit from the regulation's requirements.
AuditScripts: https://www.auditscripts.com/free-resources/critical-security-controls/
NYDFS: https://www.dfs.ny.gov/industry_guidance/cybersecurity
Transcripts: https://docs.google.com/document/d/1CWrhNjHXG1rePtOQT-iHyhed2jfBaZud
Chapters
00:00 Introduction
00:35 Why Part 500 Matters Beyond New York
01:48 The Evolution of Financial Cybersecurity Regulations
03:20 Understanding Part 500: Definitions and Amendments
08:44 The Importance of Multi-Factor Authentication
14:33 Navigating the Complexities of Cybersecurity Regulations
20:23 The Critical Role of Asset Management and Access Privileges
25:37 The Essentials of Application Security and Risk Assessment
31:11 Incident Response and Business Continuity Management
32:36 Concluding Thoughts on NYDFS Cybersecurity Regulation

The ISO Show
#167 How Lifelong Learner embedded ISO 22301 in just 4 months

Mar 5, 2024 24:01


According to the ISO Survey, there's been an 82.9% increase in worldwide ISO 22301 certificates issued following 2020. Business Continuity is a must have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today's guest – Lifelong Learner. However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is in no small part due to the tremendous effort of Lifelong Learner's Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor. Lauren joins Mel on this week's episode to share her journey and explain the challenges associated with implementing a Business Continuity Management System in just 4 months.
You'll learn
- Who are Lifelong Learner?
- Why did they decide to Implement ISO 22301?
- What did they learn from implementing ISO 22301?
- What was the biggest challenge with Implementation?
- What are the benefits of implementing ISO 22301?
Resources
- Isologyhub
- Lifelong Learner
- PSI Testing Excellence
- Talogy
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Today Mel is joined by guest Lauren Taylor who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC. Lifelong Learner and its brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders. Lauren has helped Lifelong Learner accomplish a massive milestone, and that's the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She's here to share her journey and lessons learned from implementing ISO 22301.
[03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor.
[04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries: PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services. Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they'll do is they'll put together psychometric tests that help companies find the right person for the right job, and will assist with skills development.
[05:00] Adding to Lifelong Learner's ISO Collection: Lifelong Learner already have an impressive ISO Library, being certified to:
- ISO 9001 – Quality Management
- ISO 14001 – Environmental Management
- ISO 27001 – Information Security Management
[05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we've wanted to look further into for a while, just because there's elements of ISO 27001 that cover the business continuity. While we were able to get through the audits with what we had, we just felt that it just needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for Stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step.
[06:10] The Implementation Timeline – In October 2023, we began with the context workshop where we could kind of get a better idea of the scope of the management system. This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be. Next came the Business Impact Analysis (BIA) - So essentially what you're needing to find out from these workshops is, the core activities that each of the teams perform on the day-to-day basis. You also need to understand what their systems are that they use, if they have any dependencies, and essentially it all comes down to understanding that if the business cannot perform those activities, what would be the impact over time if those activities were to stop. Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning. This risk assessment helped to highlight some weaknesses that we hadn't considered before, and gave us a point in the right direction as to what we needed to work on to bridge those gaps. Next was the creation and revamping of documentation in line with ISO 22301 requirements. Thankfully, due to the other ISOs we hold, we already had a lot in place. Same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System. Once we had all the documentation, we conducted a ransomware test exercise, which we also documented all the findings from. Then we were ready for stage 1!
[09:15] What were the biggest gaps Lifelong Learner needed to address? – Following the BIA and Risk Assessment, we were able to see where we needed response plans because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need in terms of i.e. a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we realised we needed a few more.
[10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business. We already had ISO 27001 in place, and we figured if there were to be another pandemic for example, that we'd be covered. However, it wasn't until we did those exercises that we realised that there was a lot we could improve on.
[13:25] What did Lauren learn from Implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis. After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system. Also, it highlighted just how many people believe business continuity is just all about IT and physical security, they completely leave out the human element. An example of this is having a single point of failure, which is where if somebody left there would be a gap.
[14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans. It's helped with the introduction of the latest ISO 27001:2022 controls – as these also focus on elements of business continuity.
[15:50] Lauren's top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months! Logically think about how everything links together, the clauses all have purpose and flow in a logical pattern to help create a Management System. Your Management Review can be your best friend. It's your opportunity to really engage with senior management and help them understand what your risks are to the business, how your internal audit is coming along, how you manage your nonconformities and it can be all neatly wrapped up in that nice management review bow.
[18:00] Lauren's book recommendation – The Matthew Perry Autobiography, Friends, Lovers and the Big Terrible Thing.
[19:30] Lauren's favorite quote – “You catch more flies with honey than vinegar.”
If you'd like to learn more about Lifelong Learner, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.
We'd love to hear your views and comments about the ISO Show, here's how:
- Share the ISO Show on Twitter or LinkedIn
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

durch die bank
BCM (Business Continuity Management) in the Context of DORA (Digital Operational Resilience Act)

Oct 11, 2023 12:25


Johannes Haupt is responsible for bank-wide Business Continuity Management (BCM) at DZ BANK and also leads the functional implementation of the Digital Operational Resilience Act, DORA for short, at DZ BANK AG. For us, that is a good reason to talk with Johannes Haupt about the key points of BCM in the context of DORA and to explore whether DORA turns an established BCM system upside down.

CYBERSNACS
#20 Criminal Minds - Using Pattern Recognition to Track Down Cyber Criminals

Aug 16, 2023 19:32


Lately there has been a lot of talk about resilience in connection with IT security. But what exactly does that mean? How can a company position itself to be cyber-resilient, and how can security frameworks help with that? This time Le-Khanh Au from Splunk joins Salsabil and Tobias as a guest. She explains to us how the MITRE ATT&CK framework can help companies apply an effective cybersecurity strategy.

Association of Insurance Compliance Professionals
Planning for a Catastrophe to Happen? Yes for Insurance Companies

Jul 24, 2023 13:05


When catastrophes happen, insurance companies are expected to respond quickly to assist insureds who have suffered a loss as a result of the catastrophe.  Many states require that these companies have plans in place prior to the event and that these plans are filed with the state, including contact information. Join Sam Garro, Senior Vice President of the Compliance Department at Philadelphia Insurance Companies, as he sits down with James Bryant, Sr. Manager of Business Continuity Management for Tokio Marine North America Services, to discuss those requirements and how insurance companies get ready for the next catastrophe whether it is a hurricane, earthquake, flood, or any other catastrophic event. Featuring: James Bryant, Sr. Manager of Business Continuity Management, Tokio Marine North America Services Hosted by: Sam Garro, Sr. Vice President, Compliance Department, Philadelphia Insurance Companies

Der Performance Manager Podcast | Für Controller & CFO, die noch erfolgreicher sein wollen
#530 Business Continuity Management and Controlling – Preview of Issue 3/2023 of the Journal Controlling

Jun 6, 2023 37:00


Business Continuity Management is a holistic approach that aims to ensure the continuation of business operations, and in particular the provision of a company's products and services, even when serious events and developments occur. What role does controlling play in this? How can controlling instruments provide support? And what practical examples are there? The current issue of the journal CONTROLLING is devoted to these questions. Prof. Dr. Burkhard Pedell of the University of Stuttgart presents the issue in the podcast. As co-editor of the journal, he took the lead on the topic "Business Continuity Management and Controlling" in the third issue of 2023 and coordinated the articles by the various authors. Order your trial subscription: https://bit.ly/Probeabo-controlling-zeitschrift

Krisenmeisterei
What Comes First?

Apr 5, 2023 12:30


If I want to develop emergency plans and crisis management, what is the best way to proceed? Emergency plans first and then crisis management? Or the other way around? Neither! Why, and how it works better: more on that in the 96th episode of my podcast.

The ISO Show
#128 What's new with ISO 27001:2022?

Jan 18, 2023 24:44


The long-awaited update of ISO 27001 arrived in October 2022, having gone 9 years since its previous 2013 iteration. Needless to say, it was much overdue. The new 2022 version of the Standard includes 11 new controls and sees around 56 other controls combined into 24 newly titled controls. In order to cover every aspect of the new Standard, we'll be running a mini-series through January and February on the updated ISO 27001:2022 in addition to how you can transition to the new version. Starting off the series strong, Mel is joined once again by Steve Mason, our very own Information Security guru, to broadly discuss the changes to ISO 27001:2022.
You'll learn
- Who is ISO 27001:2022 applicable to?
- An overview of the changes to ISO 27001:2022
- What is Steve's favorite change to ISO 27001:2022?
- What are the challenges involved with updating to the 2022 version?
Resources
- Isologyhub
- ISO 27031 (Guidelines for information and communication technology readiness for business continuity)
- ISO 27005 (Risk assessment)
- ISO 22301 (Business Continuity)
In this episode, we talk about:
[01:50] Steve gives an overview of what's new in ISO 27001:2022 – The updated version of ISO 27001 was released on the 26th Oct 2022. The new version included 24 changes and clarifications within the main clauses.
[02:50] The controls for the new standard are now categorised into 4 groups: Organisation, People, Physical and Technology
[05:50] We covered some of the new controls in more detail in previous episodes: #109, #110, #111, #112, #113 and #114
[06:17] The 24 changes and clarifications to Clauses include older existing clauses which have been tidied up to be more transparent. We recommend reviewing to ensure that you are complying in a way that aligns with the Standard.
[06:35] There are 11 new Controls. 56 controls from the 2013 version have been reduced to 24 with 58 remaining unchanged. So, in short, Annex A has been simplified with less duplication of controls.
[07:44] Steve highlights section A.9 for Access Control as one of the much-improved controls – due to the lack of repetition and simplified requirements for compliance.
[08:35] Steve's favourite update to the Standard: The whole Standard now collectively encourages incorporation into your business. Your ISMS should not feel like a bolt on, it should be a part of your business's DNA.
[10:36] Steve's favourite update to the Standard #2: It's not a static Standard, it encourages development and continual improvement.
[13:45] For those completely new to ISO 27001 – check out our 3-part Steps to Success series which explains the Implementation process from start to finish.
[14:38] Listen to some of our client interviews to hear the challenges others faced when Implementing ISO 27001 in addition to the benefits gained as a result of adopting the Standard:
[14:50] Why would the business continuity elements of ISO 27001:2022 pose a challenge? There used to be a clause in the 2005 version of the standard which documented the need for a business impact analysis – this was removed in the 2013 version. The new ‘ICT readiness for business continuity' control will require at the very least, a risk assessment.
[16:48] Steve recommends checking out the Plan, Do, Act, Check diagram in ISO 27031 (Guidelines for information and communication technology readiness for business continuity). It also includes some great guidance on business impact analysis.
[18:40] The ICT readiness control is not designed to be an all encompassing business continuity strategy – it's designed to work in tandem with an existing one (you may already be certified to ISO 22301 Business Continuity Management).
[19:50] It's highly recommended that if you don't have a Business Continuity Plan or strategy – at least have a framework in place. Disasters by their nature are unpredictable, as is the resulting damage to an extent. You will not know the full extent until you've lived it – so don't write an exhaustive 80+ page manual that no-one will read, document the what, who and how of getting yourself back up and running again.
[21:11] There has also been an update to ISO 27005 (Risk assessment in relation to info sec). It includes a new set of threat categories: physical threats, natural threats, infrastructure failures, technical failures, human actions, compromised services or functions and organisational threats. These may help you when putting a business continuity framework in place.
[22:05] Above all else – ISO 27001:2022 has modernised and aligned itself more with the likes of cyber essentials and NIST.
Keep an eye out for next week's episode where we dive into the clause updates…

Business Resilience Decoded
How to Build a Business Continuity Management Program That Lasts

Nov 3, 2022 19:54


Episode 129: How to Build a Business Continuity Management Program That Lasts
This episode is brought to you by Fusion Risk Management, Building a More Resilient World Together. Request a demo at https://bit.ly/FusionDECODED today!
With a recession looming, climate change, and political strife ever present, more and more organizations are looking to an uncertain future. One way to help mitigate this uncertainty is to build a lasting business continuity program. But how exactly do we do this? Vanessa talks with business continuity expert Shane Mathew about key steps to take when building a program that will last. Shane Mathew has years of experience working in public health building emergency response plans and is currently the head of enterprise resilience for Zoom.
Connect with Shane Mathew
LinkedIn - https://www.linkedin.com/in/shanemathew/
Failover Plan Podcast - failoverpodcast.com
Sign up for our Four Corners newsletter for opportunities to connect, access to exclusive content, bonus interviews, and more at https://bit.ly/BRDFourCorners.
Three things to consider when building a lasting business continuity program:
- Don't just jump in. Develop a transformational statement of where the business currently stands and where they would like to be in the future. Look at the culture and big picture of an organization and make sure your business continuity program matches that culture.
- Make sure your purpose is in alignment with what they want. What they say is not always what they want. For example, they may say they want a business resilience plan, when in fact, they want a compliance program.
- Scope and order. Scope needs to be clearly defined in terms of what comes first and what comes afterwards. Prioritize your timeline and then you'll know where and how to proceed.
Disaster Recovery Journal:
Register for DRJ's weekly (Wednesday) webinar series: https://drj.com/webinars/up-coming/
Register for DRJ Spring 2023: Solutions for a Resilient Tomorrow: https://www.drj.com/spring2023
Asfalis Advisors:
Visit our website here: https://www.asfalisadvisors.com
Apply to be a guest on the podcast: https://www.asfalisadvisors.com/decoded/
Download the 5 Step Crisis Strategy: https://www.asfalisadvisors.com/services/
Connect with the podcast!
Email us: podcast@drj.com
Podcast website: https://drj.com/decoded/
Twitter: https://twitter.com/BRDecoded
LinkedIn: https://www.linkedin.com/showcase/business-resilience-decoded/
YouTube: https://www.youtube.com/channel/UCNEIrqWlxuyDvkXB24h6Obw/videos
Vanessa Mathews, host
Vanessa Mathews is the founder and chief resilience officer of Asfalis Advisors, where they are focused on protecting the legacy of the leaders they serve through business resilience. Before becoming an entrepreneur, Mathews developed global crisis management and business continuity programs for government and private sector organizations to include Lowe's Companies, Gulfstream Aerospace, and the Department of Homeland Security.
LinkedIn: https://www.linkedin.com/in/vanessa-vaughn-mathews-mba-cbcp-70916b4b/
Book Mathews as a speaker: https://bit.ly/VanessaMathews
Jon Seals, producer
Jon Seals is the editor in chief at Disaster Recovery Journal, the leading magazine/event in business continuity. Seals is an award-winning journalist with a background in publication design, business media, content management, sports journalism, social media, and podcasting.
LinkedIn: https://www.linkedin.com/in/jonseals/
Disaster Recovery Journal: https://drj.com/

Preparing for the Unexpected
Shifting Baselines with Regina Phelps

Sep 29, 2022 51:03


It's time once again for my regularly scheduled chat with globally recognized resilience and business continuity management expert, Regina Phelps. For this episode we talk about Shifting Baselines, defined as failure to notice change over time. We also touch on ROI vs VOI, which means resilience, BCM, and DR professionals showing value, rather than trying to 'guess' at ROI dollars. It's a great conversation with Regina, and there is a lot here to capture and take back to your own organizations to ensure your programs display value - and increase your own value. Don't miss this episode! Enjoy!

CISO Tradecraft
#93 - How to Become a Cyber Security Expert

Aug 29, 2022 29:43


How do you become a Cyber Security Expert? Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.  My name is G. Mark Hardy, and today we're going to talk about how to provide advice and mentoring to help people understand how to become a cybersecurity expert.  As always, please follow us on LinkedIn, and subscribe to our podcasts. As a security leader, part of your role is to develop your people.  That may not be written anywhere in your job description and will probably never be on a formal interview or evaluation, but after years of being entrusted with leadership positions, I have learned what differentiates true leaders from those who just accomplish a great deal is the making of the effort to develop your people. Now, you may have heard the phrase, "take care of your people," but I'll take issue with that.  I take care of my dog.  I take care of a family member who is sick, injured, or incapacitated.  Why?  Because they are not capable of performing all of life's requirements on their own.  For the most part, your people can do this.  If you are constantly doing things for people who could have otherwise done it themselves, you run the risk of creating learned helplessness syndrome.  People, and even animals, can become conditioned to not do what they otherwise could do out of a belief that someone else will do it for them.  I am NOT going to get political here, so don't worry about that.  Rather, I want to point out that effective leaders develop their people so that they may become independent actors and eventually become effective leaders themselves.  In my opinion, you should measure your success by the promotion rate of the people entrusted to you, not by your own personal career advancement or financial success. 
That brings me to the subject of today's podcast -- how do you counsel and mentor others on how to become a cyber security expert? If you are listening to this podcast, there's a very good chance that you already are an expert in our field, but if not, keep listening and imagine that you are mentoring yourself, because these lessons can apply to you without having to seek out a mentor. Some people figure it out, and when asked their secret, they're like Bill Murray in the movie Stripes, "We trained ourselves, sir!" But most of the time, career mastery involves learning from a number of others. Today on CISO Tradecraft we are going to analyze the question, "How do you become a Cyber Security Expert?" I'm going to address this topic as if I were addressing someone in search of an answer. Don't tune out early because you feel you've already accomplished this. Keep listening so you can get a sense of what more you could be doing for your direct reports and any proteges you may have. Let's start at the beginning. Imagine being a high school kid with absolutely zero work experience (other than maybe a paper route -- do kids still do that?) You see someone that tells you they have a cool job where they get paid to ethically hack into computers. Later on, you meet a second person that says they make really good money stopping bad actors from breaking into banks. Somehow these ideas stick into your brain, and you start to say to yourself, you know both of those jobs sound pretty cool. You begin to see yourself having a career in Cyber Security. You definitely prefer it to jobs that require a lot of manual labor and start at a low pay. So, you start thinking, "how I can gain the skills necessary to land a dream job in cyber security that also pays well?" At CISO Tradecraft we believe that there are really four building blocks that create subject matter experts in most jobs.
The four building blocks are:
- Getting an education
- Getting certifications
- Getting relevant job experience, and
- Building your personal brand
So, let's explore these in detail. Number 1: Getting an education. When most people think about getting an education after high school, they usually talk about getting an associate's or a bachelor's degree. If you were to look at most Chief Information Security Officers, you will see the majority of them earn a bachelor's degree in Computer Science, an Information Systems or Technology degree from a college of business such as a BS in Management of Information Systems (MIS) or Computer Information Systems, or more recently a related discipline such as a degree in Cyber Security. An associate degree is a great start for many, particularly if you don't have the money to pay for a four-year university degree right out of high school. Tuition and debt can rack up pretty quickly, leaving some students deeply in debt, and for some, that huge bill is a non-starter. Fortunately, community colleges offer quality educational opportunities at very competitive rates relative to four-year degree institutions. For example, Baltimore County Community College charges $122 per credit hour for in-county residents. A couple of miles away, Johns Hopkins University charges $2,016 per credit hour. Now, that's a HUGE difference -- over 16 times if you do the math. Now, Hopkins does have some wonderful facilities and excellent faculty, but when it comes to first- and second-year undergraduate studies, is the quality and content of the education THAT different? Well, that's up to you to decide. The important take-away is, no one should decide NOT to pursue a cybersecurity education because of lack of money. You can get started at any age on an associate degree, and that may give you enough to go on to get your first job. However, if you want to continue on to bachelor's degree, don't give up.
Later I'll explain about a program that has been around since 2000 and has provided over 3,300 students with scholarships AND job placement after graduation. Back to those going directly for a bachelor's degree.  Now, the good news is that your chosen profession is likely to pay quite well, so not only are you likely to be able to pay off the investment you make in your education, but it will return dividends many times that which you paid, for the rest of your career.  Think of financing a degree like financing a house.  In exchange for your monthly mortgage payment, you get to enjoy a roof over your head and anything else you do with your home.  As a cybersecurity professional, in exchange for your monthly student loan payment, you get to earn well-above average incomes relative to your non-security peers, and hopefully enjoy a rewarding career.  And, like the right house, the value of your career should increase over time making your investment in your own education one of your best performing assets. Does this mean that you 100% need a bachelor's degree to get a job in cyber?  No, it does not.  There are plenty of cyber professionals that speak at Blackhat and DEF CON who have never obtained a college degree.  However, if ten applicants are going for an extremely competitive job and only seven of the ten applicants have a college degree in IT or Cyber, you shouldn't be surprised when HR shortens the list of qualified applicants to only the top five applicants all having college degrees.  It may not be fair, but it's common.  Plus, a U.S. Census Bureau study showed that folks who have a bachelor's degree make half a million dollars more over a career than those with an associate degree, and 1.6 times what a high school diploma holder may earn over a lifetime.  So, if you want more career opportunities and want to monetize your future, get past that HR checkbox that looks for a 4-year degree. 
Now, some people (usually those who don't want to do academic work) will say that a formal education isn't necessary for success.  After all, Bill Gates and Mark Zuckerberg were college dropouts, and they're both worth billions.  True, but that's a false argument that there's a cause-and-effect relationship there.  Both were undergraduates at Harvard University when they developed their business ideas.  So, if someone wants to assert a degree isn't necessary, counter with you'll agree once they are accepted into Harvard, and they produce a viable business plan as a teenager while attending classes. You see, completing four years of education in a field of study proves a few things.  I've interviewed candidates that said they took all of the computer science and cybersecurity courses they wanted and didn't feel a need to "waste time" with fuzzy studies such as history and English composition.  Okay, I'll accept that that person had a more focused education.  But consider the precedent here.  When a course looked uninteresting or difficult, that candidate just passed on the opportunity.  In the world of jobs and careers, there are going to be tasks that are uninteresting or difficult, and no one wants to do them, but they have to get done.  As a boss, do you want someone who has shown the pe  d completed it with an A (or maybe even a B), or do you want someone who passed when the going got a little rough?  The business world isn't academia where you're free to pick and choose whether to complete requirements.  Stuff has to get done, and someone who has a modified form of learned helplessness will most likely not follow through when that boring task comes due.   Remember I said I was going to tell you how to deal with the unfortunate situation where a prospective student doesn't have enough money to pay for college?  There are a couple of ways to meet that challenge.  It's time to talk to your rich uncle about paying for college.  That uncle is Uncle Sam.  
Uncle Sam can easily finance your college so you can earn your degrees in Cyber Security.  However, Uncle Sam will want you to work for the government in return for paying for your education.  Two example scholarships that you could look into are the Reserve Officer Training Corps (ROTC) and Scholarship for Service (SFS).  ROTC is an officer accession program offered at more than 1,700 colleges and universities   across the United States to prepare young adults to become officers in the U.S. Military.  For scholarship students, ROTC pays 100% of tuition, fees, books, and a modest stipend for living expenses.  A successful degree program can qualify an Army second lieutenant for a Military Occupation Specialty (or MOS) such as a 17A Cyber Operations Officer, a 17B Cyber and Electronic Warfare Officer, or a 17D Cyber Capabilities Development Officer, a great start to a cybersecurity career. For the Navy, a graduating Ensign may commission as an 1810 Cryptologic Warfare Officer, 1820 Information Professional Officer, 1830 Intelligence Officer, or an 1840 Cyber Warfare Engineer.  The Navy uses designators rather than MOS's to delineate career patterns.  These designators have changed significantly over the last dozen years and may continue to evolve.  The Marine Corps has a 1702 cyberspace officer MOS.  Note that the Navy and the Marine Corps share a commissioning source in NROTC (Navy ROTC), and unlike the Army that has over 1,000 schools that participate in AROTC and the Air Force that has 1,100 associated universities in 145 detachments, there are only 63 Navy ROTC units or consortiums, although cross-town affiliates include nearly one hundred more colleges and universities. There are a lot of details that pertain to ROTC, and if you're serious about entering upon a military officer career, it's well worth the time and effort to do your research.  
Not all ROTC students receive a scholarship; some receive military instruction throughout their four years and are offered a commission upon graduation.  Three- and four-year scholarship students incur a military obligation at the beginning of sophomore year, two-year scholarship students at the beginning of junior year, and one-year scholarship students at the start of senior year.  The military obligation today is eight years, usually the first four of which are on active duty; the rest may be completed in the reserves.  If you flunk out of school, you are rewarded with an enlistment rather than a commission.  These numbers were different when I was in ROTC, and they may have changed since this podcast was recorded, so make sure you get the latest information to make an informed decision. What if you want to serve your country but you're not inclined to serve in the military, or have some medical condition that may keep you from vigorous physical activity, or had engaged in recreational chemical use or other youthful indiscretions that may have disqualified you from further ROTC consideration?  There is another program worth investigating.   The National Science Foundation provides educational grants through the Scholarship For Service program or SFS for short.  SFS is a government scholarship that will pay up to 3 years of costs for undergraduate and even graduate (MS or PhD) educational degree programs.  It's understood that government agencies do not have the flexibility to match private sector salaries in cyber security.  However, by offering scholarships up front, qualified professionals may choose to stay in government service; hence SFS continues as a sourcing engine for Federal employees.  Unlike ROTC, a participant in SFS will incur an obligation to work in a non-DoD branch of the Federal government for a duration equal to the number of years of scholarship provided. 
In addition to tuition and education-related fees, undergraduate scholarship recipients receive $25,000 in annual academic stipends, while graduate students receive $34,000 per year.  In addition, an additional $6,000 is provided for certifications, and even travel to the SFS Job Fair in Washington DC. That job fair is an interesting affair.  I was honored to be the keynote speaker at the SFS job fair back in 2008.  I saw entities and agencies of the Federal government that I didn't even know existed, but they all had a cybersecurity requirement, and they all were actively hiring.  SFS students qualify for "excepted service" appointments, which means they can be hired through an expedited process.  These have been virtual the last couple of years due to COVID-19 but expect in-person events to resume in the future. I wrote a recommendation for a young lady whom I've known since she was born (her mom is a childhood friend of mine), and as an electrical engineering student in her sophomore year, she was selected for a two-year SFS scholarship.  A good way to make mom and dad happy knowing they're not going to be working until 80 to pay off their kid's education bills. In exchange for a two-year scholarship, SFS will usually require a student to complete a summer internship between the first and second years of school and then work two years in a government agency after graduation.  The biggest benefit to the Scholarship for Service is you can work at a variety of places.  So, if your dream is to be a nation state hacker for the NSA, CIA, or the FBI then this offers a great chance of getting in.  These three-letter agencies heavily recruit from these programs.  As I mentioned, there are a lot of other agencies as well.  You could find work at the State Department, Department of Health and Human Services, the Department of Education, the Federal Reserve Board, and I think I remember the United States Agency for International Development (USAID).  
Federal executive agencies, Congress, interstate agencies, and even state, local, or tribal governments can satisfy the service requirement.  So, you can get paid to go to college and have a rewarding job in the government that builds a nice background for your career. How would you put all this together?  I spent nine years as an advisor to the National CyberWatch Center.  Founded as CyberWatch I in 2005, it started as a Washington D.C. and Mid-Atlantic regional effort to increase the quantity and quality of the information assurance workforce.  In 2009, we received a National Science Foundation award and grants that allowed the program to go nationwide.  Today, over 370 colleges and universities are in the program.  So why the history lesson? What we did was align curriculum between two-year colleges and four-year universities, such that a student who took the designated courses in an associate degree program would have 100% of those credits transfer to the four-year university.  That is HUGE.  Without getting into the boring details, schools would certify to the Committee on National Security Systems (CNSS) (formerly known as the National Security Telecommunications and Information Systems Security Committee or NSTISSC) national training standard for INFOSEC professionals known as NSTISSI 4011.  Now with the help of an SFS scholarship, a student with little to no financial resources can earn an associate degree locally, proceed to a bachelor's degree from a respected university, have a guaranteed job coming out of school, and HAVE NO STUDENT DEBT.  Parents, are you listening carefully?  Successfully following that advice can save $100,000 and place your child on course for success. OK, so let's fast forward 3 years and say that you are getting closer to finishing a degree in Cyber Security or Computer Science.  Is there anything else that you can do while performing a summer internship?    That brings us to our second building block.  Getting certifications.   
Number Two: Getting a Certification

Earning certifications is another key step to demonstrate that you have technical skills in cyber security. Usually, technology changes rapidly. That means that universities typically don't provide specialized training in Windows 11, Oracle Databases, Amazon Web Services, or the latest programming language. Thus, while you may come out of a computer science degree with knowledge on how to write C++ and JavaScript, there are a lot of skills that you often lack to be quite knowledgeable in the workforce. Additionally, most colleges teach only the free version of software. In class you don't expect to learn how to deploy Antivirus software to thousands of endpoints from a vendor that would be in a Gartner Magic quadrant, yet that is exactly what you might encounter in the workplace. So, let's look at some certifications that can help you establish your expertise as a cyber professional. We usually recommend entry level certifications from CompTIA as a great starting point. CompTIA has some good certifications that can teach you the basics in technology. For example:
• CompTIA A+ can teach you how to work an IT Help Desk.
• CompTIA Network+ can teach you about troubleshooting, configuring, and managing networks.
• CompTIA Linux+ can help you learn how to perform as a system administrator supporting Linux Systems.
• CompTIA Server+ ensures you have the skills to work in data centers as well as on-premises or hybrid environments.

Remember it's really hard to protect a technology that you know nothing about so these are easy ways to get great experience in a technology. If you want a certification such as these from CompTIA, we recommend going to a bookstore such as Amazon, buying the official study guidebook, and setting a goal to read every day. Once you have read the official study guide go and buy a set of practice exam questions from a site like Whiz Labs or Udemy. Note this usually retails for about $10.
So far this represents a total cost of about $50 ($40 dollars to buy a book and $10 to buy practice exams.)  For that small investment, you can gain the knowledge base to pass a certification.  You just need to pay for the exam and meet eligibility requirements. Now after you get a good grasp of important technologies such as Servers, Networks, and Operating Systems, we recommend adding several types of certifications to your resume.  The first is a certification in the Cloud.  One notable example of that is AWS Certified Solutions Architect - Associate.  Note you can find solution architect certifications from Azure and GCP, but AWS is the most popular cloud provider, so we recommend starting there.  Learning how the cloud works is extremely important.  Chances are you will be asked to defend it and you need to understand what an EC-2 server is, types of storage to make backups, and how to provide proper access control.  So, spend the time and get certified.  One course author who provides a great course is Adrian Cantrill.  You can find his course link for AWS Solutions Architect in our show notes or by visiting learn.cantrill.io.  The course costs $40 and has some of the best diagrams you will ever see in IT.  Once again go through a course like this and supplement with practice exam questions before going for the official certification. The last type of certifications we will mention is an entry cyber security certification.  We usually see college students pick up a Security+ or Certified Ethical Hacker as a foundation to establish their knowledge in cyber security.  Now the one thing that you really gain out of Security+ is a list of technical terms and concepts in cyber security.  You need to be able to understand the difference between Access Control, Authentication, and Authorization if you are to consult with a developer on what is needed before allowing access to a site.  
These types of certifications will help you to speak fluently as a cyber professional.  That means you get more job offers, better opportunities, and interesting work.  It's next to impossible to establish yourself as a cyber expert if you don't even understand the technical jargon correctly. Number Three:  Getting Relevant Job Experience OK, so you have a college degree and an IT certification or two. What's next?  At this point in time, you are eligible for most entry level jobs.  So, let's find interesting work in Cyber Security.  If you are looking for jobs in cyber security, there are two places we recommend.  The first is LinkedIn.  Almost all companies post there and there's a wealth of opportunities.  Build out an interesting profile and look professional.  Then apply, apply, apply.  It will take a while to find the role you want.  Also post that you are looking for opportunities and need help finding your first role.  You will be surprised at how helpful the cyber community is.  Here's a pro tip:  add some hashtags with your post to increase its visibility. Another interesting place to consider is your local government.  The government spends a lot of time investing in their employees.  So go there, work a few years, and gain valuable experience.  You can start by going to your local government webpage such as USAJobs.Gov  and search for the Career Codes that map to cyber security.  For example, search using the keyword “2210” to find the job family of Information Technology Management where most cyber security opportunities can be found.  If you find that you get one of these government jobs, be sure to look into college repayment programs.  Most government jobs will help you pay off student loans, finance master's degrees in Cyber Security, or pay for your certifications.  It's a great win-win to learn the trade. 
Once you get into an organization and begin working your first job out of college, you then generally get one big opportunity to set the direction of your career. What type of cyber professional do you want to be? Usually, we see most Cyber Careerists fall into one of three basic paths.
• Offensive Security
• Defensive Security
• Security Auditing
The reason these three are the most common is they have the largest amount of job opportunities. So, from a pure numbers game it's likely where you are to spend the bulk of your career. Although we do recommend cross training. Mike Miller who is the vCISO for Appalachia Technologies put out a great LinkedIn post on this where he goes into more detail. Note we have a link to it in our show notes. Here's some of our own thoughts on these three common cyber pathways:

Offensive Security is for those that like to find vulnerabilities in things before the bad guys do. It's fun to learn how to hack and take jobs in penetration testing and the red team. Usually if you choose this career, you will spend time learning offensive tools like Nmap, Kali Linux, Metasploit, Burp Suite, and others. You need to know how technology works, common flaws such as the OWASP Top Ten web application security risks, and how to find those vulnerabilities in technology. Once you do, there's a lot of interesting work awaiting. Note if these roles interest you then try to obtain the Offensive Security Certified Professional (OSCP) certification to gain relevant skill sets that you can use at work.

Defensive Security is for the protectors. These are the people who work in the Security Operations Center (SOC) or Incident Response Teams. They look for anomalies, intrusions, and signals across the whole IT network. If something is wrong, they need to find it and identify how to fix it. Similar to Offensive Security professionals they need to understand technology, but they differ in the types of tools they need to look at.
You can find a defender looking at logs.  Logs can come from an Intrusion Detection System, a Firewall, a SIEM, Antivirus, Data Loss Prevention Tools, an EDR, and many other sources.  Defenders will become an expert in one of these tools that needs to be constantly monitored.  Note if you are interested in these types of opportunities look for cyber certifications such as the MITRE ATT&CK Defender (MAD) or SANS GIAC Certified Incident Handler GCIH to gain relevant expertise. Security Auditing is a third common discipline.  Usually reporting to the Governance, Risk, and Compliance organization, this role is usually the least technical.  This discipline is about understanding a relevant standard or regulation and making sure the organization follows the intent of the standard/regulation.  You will spend a lot of time learning the standards, policies, and best practices of an industry.  You will perform risk assessments and third-party reviews to understand how we certify as an industry.  If you would like to learn about the information systems auditing process, governance and management of IT systems, business processes such as Disaster Recovery and Business Continuity Management, and compliance activities, then we recommend obtaining the Certified Information Systems Auditor (CISA) certification from ISACA.   Ok, so you have a degree, you have certifications, you are in a promising job role, WHAT's Next?  If you want to really become an expert, we recommend you focus on… Number Four: Building your personal brand.   Essentially find a way to give back to the industry by blogging, writing open-source software, creating a podcast, building cybersecurity tutorials, creating YouTube videos, or presenting a lecture topic to your local OWASP chapter on cyber security.  Every time you do you will get smarter on a subject.  Imagine spending three hours a week reading books in cyber security.  
If you did that for ten years, think of how many books you could read and how much smarter you would become. Now as you share that knowledge with others two things happen:
• People begin to recognize you as an industry expert. You will get invited to opportunities to connect with other smart people which allows you to become even smarter. If you spend your time listening to smart people and reading their works, it rubs off. You will absorb knowledge from them that will spark new ideas and increase your understanding.
• The second thing is when you present your ideas to others you often get feedback. Sometimes you learn that you are actually misunderstanding something. Other times you get different viewpoints. Yes, this works in the financial sector, but it doesn't work in the government sector or in the university setting. This feedback also helps you become smarter as you understand more angles of approaching a problem.

Trust us, the greatest minds in cyber spend a lot of time researching, learning, and teaching others. They all know G Mark's law, which I wrote nearly twenty years ago: "Half of what you know about security will be obsolete in eighteen months."

OK so let's recap a bit. If you want to become an expert in something, then you should do four things. 1) Get a college education so that you have the greatest amount of opportunities open to you, 2) get certifications to build up your technical knowledge base, 3) find relevant job experiences that allow you to grow your skill sets, and 4) finally share what you know and build your personal brand. All of these make you smarter and will help you become a cyber expert.

Thanks again for listening to us at CISO Tradecraft. We wish you the best on your journey as you Learn to Earn. If you enjoyed the show, tell one person about it this week. It could be your child, a friend looking to get into cyber security, or even a coworker.
We would love to help more people and we need your help to reach a larger audience. This is your host, G. Mark Hardy, and thanks again for listening and stay safe out there.

References:
https://www.todaysmilitary.com/education-training/rotc-programs
www.sfs.opm.gov
https://www.comptia.org/home
https://www.whizlabs.com/
https://www.udemy.com/
https://learn.cantrill.io/p/aws-certified-solutions-architect-associate-saa-c03
https://www.linkedin.com/feed/update/urn:li:activity:6965305453987737600/
https://www.offensive-security.com/pwk-oscp/
https://mitre-engenuity.org/cybersecurity/mad/
https://www.giac.org/certifications/certified-incident-handler-gcih/
https://www.ccbcmd.edu/Costs-and-Paying-for-College/Tuition-and-fees/In-County-tuition-and-fees.aspx
https://www.educationcorner.com/value-of-a-college-degree.html
https://www.collegexpress.com/lists/list/us-colleges-with-army-rotc/2580/
https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104478/air-force-reserve-officer-training-corps/
https://www.netc.navy.mil/Commands/Naval-Service-Training-Command/NROTC
https://armypubs.army.mil/pub/eforms/DR_a/NOCASE-DA_FORM_597-3-000-EFILE-2.pdf
https://niccs.cisa.gov/sites/default/files/documents/SFS%20Flyer%20FINAL.pdf
https://www.nationalcyberwatch.org/

Preparing for the Unexpected
What You Should Know About Supply Chain Continuity Management

Preparing for the Unexpected

Jul 14, 2022 54:45


If the COVID19 global pandemic has taught organizations anything, it's to develop a stronger focus on their supply chain. I speak with Supply Chain Management (SCM) expert Matthias Rosenberg about what you should know about SCM to help your organizations and communities deal with disruptions in a proactive and positive manner. We talk about: 1. Defining Supply Chain Management, 2. The different perspectives on Supply Chain (e.g., Corporate view vs. SCM view), 3. SCM complexities, 4. Supply Chain Continuity Management (SCCM), 5. The SCCM Lifecycle (Analysis, Design, Implementation, Validation...), 6. SCCM solution options, 7. SCCM/SCM challenges, and 8. Some quick tips for professionals and organizations. It's an in-depth talk about SCM you don't want to miss. Enjoy!

The Resilient Journey
Episode 44 - Michele Turner. A Methodology for Business Continuity Management

The Resilient Journey

Jun 27, 2022 30:23


If I'm 100% honest, I don't know why cheerleaders have to spell everything. “Be aggressive. B-E aggressive. B-E A-G-G-R-E-S-S-I-V-E.” What's the point?

Hello everyone, welcome to episode 44 - as the Resilience Think Tank presents the Resilient Journey podcast! This week I'm joined by Michele Turner. Michele is going to spell for us today as she walks us through her methodology for business continuity program development. This is based on Michele's latest book Lessons Learned: Short Stories of Continuity and Resilience. As we work our way through the word “PARSE”, we will discuss:
• Tips if you're having trouble getting executive level support
• Making sure your program demonstrates VALUE
• The use of Risk Assessments
• How sometimes we need to slow down to speed up
• Why it's important for you to have a personal career strategy
• How our unique view of the organization can help develop resilience strategies

Be sure to follow The Resilient Journey! We sure do appreciate it! Learn more about the Resilience Think Tank here. Connect with Michele here. Want to learn more about Mark? Click here or on LinkedIn or Twitter. Special thanks to Bensound for the music.

Preparing for the Unexpected
Supply Chain Mgmt: Creating Resilience w/ 3rd Party Vendors

Preparing for the Unexpected

Jun 23, 2022 52:03


If there's one thing organizations have learned throughout the COVID19 global pandemic, it's how fragile our supply chains are. I speak with longtime noted Business Continuity Management and Risk expert, and global award winning industry personality R. Vaidhyanathan (RV), about how to create resilience within our Supply Chains. We touch on subjects such as: a) Risks identification and management, b) Evaluating vendors and partners, c) Trends in Supply Chain Mgmt., d) Strategizing alternatives, e) Linking compliance and 3rd party arrangements, f) Contracts and regulatory obligations, and much, much more. Enjoy!

Software Lifecycle Stories
Getting the bigger picture with Satyendra Kumar-Part1

Software Lifecycle Stories

May 26, 2022 27:34


In this first part of the conversation with an IT industry veteran, Satyendra Kumar, he shares:
• Coming from a humble background and doing his initial education in a village
• Getting into Delhi University based on his good academic performance
• Having to take up a job, to meet some family needs
• How he chose a job in a defence agency and rising to a senior level
• Leaving his job and getting into consulting and quality
• Setting up the Tata Business Excellence Model for the group
• Working with different business units in different domains
• Switching to an IT organization before joining and spending 14 years at Infosys
• Continuing to work with different organizations post retirement from Infosys
• How learning came naturally to him, particularly in very new, challenging and different environments
• How he gains confidence about being able to do anything, amidst uncertainty
• The experience based on a major decision to switch from the comforts of a government job, to a small apartment in a distant suburb
• How he thinks scale in conceiving and implementing organization wide initiatives, while making sure he has enough bandwidth to plan for the future and growing his team to 700
• His experience of recruiting people from non IT organizations
• How to get comfortable with delegation, with trust in the team
• His experience of creating an awareness and acceptance of processes among technical teams
• The tendency in quality professionals to become more of audit persons than having a direct connect with the senior leadership, to help them steer the business
• Why there should be shared goals for improvement between the quality function and the business units

In the next part, Kumar shares the answer to the question on his experience and perspectives related to Agile approaches and many more interesting points. Do not miss that.

Independent Advisor and Consultant to several large and medium scale institutions and enterprises since 2013. Was the Global Head and Senior Vice President – Productivity & Quality, Technology Tools & Software Reuse at Infosys Limited (2000 – 2013). Worked as Vice President at IMR Global, USA between 1998 and 2000. Worked as Deputy Chief Executive for Tata Quality Management Services – Tata Group between 1996 and 1998. Has consulted for over 50 national and multi-national clients in areas of Business Excellence, Operational Efficiencies, Customer Satisfaction Management, Business Continuity Management, Project and Program Management, and Quality Management. Had been Board member (QuEST USA), on the Panel of Judges - Wisconsin State Award (USA), Administrative Reforms Committee of Indian Institute of Science, Bangalore and Chief Technical Advisor to the Confederation of Indian Industry – Institute of Quality. Has been a recipient of IEEE-Software Engineering Institute (Carnegie Mellon University) International award (2011) and honoured with the “Life Time Achievement Award for Quality and Business Excellence” by an IT Industry association.

Preparing for the Unexpected
My Experiments with BCM (Business Continuity Mgmt) w/ Daman Sood

Preparing for the Unexpected

Mar 24, 2022 53:06


We do something a little different for this episode. Globally recognized Business Continuity Management and Resilience expert and author of 'My Experiments with BCM', Daman Dev Sood, will read a few chapters from his new book, and then we'll talk about the chapter content after each reading. We touch on chapters titled: a) And a Million Dollar Question, Answering While I Close this Book (What do Business Continuity Managers Do?), b) Communication and Commitment (Continued Commitment), c) I am the Boss, I know the Business, and d) My Principles Valued @ Half a Million INR. All the chapters are from Daman's own personal experiences in the BCM industry, and you're sure to relate to the stories and follow up discussions, as we talk about each experience (Chapter) in detail. Enjoy!

Preparing for the Unexpected
The Effects of Climate Change on Organizational Resilience

Preparing for the Unexpected

Mar 17, 2022 48:13


Climate Change is one of the hottest topics in news headlines and in the business world. I talk to climate change evangelist Pinaki Bhaduri about the effects of climate change on organizational resilience. We touch on: a) how businesses can reposition themselves b) Changing BCM and Resilience strategies c) the impacts on supply chains and risk management d) Environmental, Sustainability, Governance (ESG) e) mitigation activities f) the Board room, and much more. Pinaki shares many thoughts and ideas for organizational leadership and industry professionals about what they need to consider with regards to climate change. Either organizations will adopt climate change into their plans, or they won't...and end up failing. A very enlightening talk, so don't miss it. Enjoy!

Preparing for the Unexpected
Opportunities in the BCM Industry to be and Stay Relevant!

Preparing for the Unexpected

Feb 3, 2022 53:58


What opportunities are there in the Resilience / Business Continuity Management (BCM) industry that enable professionals to be - and stay - relevant? The answer to that question, and many more, are discussed as I talk with the CEO of Crisis Ally, Alexandra Hoffmann. In this episode, Alexandra talks about: a) the role of Diversity and Inclusion, b) soft (Human) skills, c) linking activity to the organization's purpose (and the overall culture), d) the differences between resilience and sustainability...or the lack thereof, and so much more. Alexandra's passion for the Resilience, Business Continuity Management, and Security industries is easily apparent, as she shares many great insights into how industry professionals can shine before, during, and after an adverse event. Don't miss it!

Preparing for the Unexpected
Encore Practical Business Continuity Management: Top Tips for Real-World BCM

Preparing for the Unexpected

Dec 30, 2021 53:24


Whether you're a new or an experienced BCM practitioner, and whatever your specific role within your organization, if you have an interest in implementing and maintaining an effective BCM program, this episode is for you. We speak with highly recognized BCM, Risk, and Crisis Mgmt. industry expert and author, Andy Osborne. We'll talk about many of the concepts, tips, and ideas contained in his book Practical Business Continuity Management: Top Tips for Effective, Real-World Business Continuity Management. Andy provides some great insights and examples when discussing the BIA, RA, BCP, and even how to work with Executive Management. Regardless of your level of BCM experience, you're sure to enjoy this episode with Andy.

Preparing for the Unexpected
Cyber Resilience and Leveraging AI in Business Continuity

Preparing for the Unexpected

Sep 30, 2021 51:44


Artificial Intelligence (AI) is becoming a key component in many components of our daily lives and that includes Technology Plans and Business Continuity Management. I talk with longtime security expert Agnidipta (Agni) Sarkar about how AI can help the BC industry in the future and what AI is doing for us now. Agni will also talk to us about Cyber Resilience, and how it differs from Cybersecurity. He will provide an overview of what organizations need to have in place to address cyber attacks (e.g. ransomware) prior to any actual instance occurring. An informative chat about AI and Cyber Resilience you don't want to miss.

CyberHub Engage Podcast
Ep. 115 - Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo Part II

CyberHub Engage Podcast

May 12, 2021 56:56


In this episode of CISO Talk, James Azar is joined by Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo to talk about cybersecurity innovation and the drastic changes by consumers and employees and what does this mean for practitioners. Tune in to this amazing podcast and make sure to subscribe and comment.

Bio: Senior Technology Executive with extensive experience in establishing and growing technology, security and risk programs in large international corporations as well as medium sized companies, including establishing and developing business requirements, creating and implementing governance and architecture models, infrastructure development and executing critical processes, products, and services with a strong focus on security, quality and availability.

Specialties: Business Strategy, Technology Strategy & Innovation, Business Operations Management, Mobile Solutions and Services, Security Integration (physical and logical), Information Security, Cyber Security, Identity, Authentication, Systems Security, Supply Chain Security, Business Continuity Management, Threat and Risk Management, Online & Mobile Commerce.

Linkedin Profile: https://www.linkedin.com/in/samphillipscissp/

CISOTalk Webinar Series: Modernizing the Vendor Risk Management with Airbnb and Whistic Webinar on May 25th, 2021 register here: https://zoom.us/webinar/register/WN_Frugj1ehRbOa3v05tTP7Qw

CISOTalk Paisley Shirt Challenge: Donate now to support the wounded warrior project and get James to wear an ugly paisley shirt for one or all of his shows: https://tiltify.com/@cisotalk/ciso-talk-paisley-shirt-challenge

“The Microsoft Doctrine” by James Azar now on Substack: https://jamesazar.substack.com/p/the-microsoft-doctrine

CISO Talk is supported by:
KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub
Whistic: www.whistic.com/cyberhub
Attivo Networks: www.attivonetworks.com

Find James Azar, Host of CyberHub Podcast, CISO Talk, Goodbye Privacy, Tech Town Square, Other Side of Cyber and CISOs Secrets
James on Linkedin: https://www.linkedin.com/in/james-azar-a1655316/
James on Parler: @realjamesazar
Telegram: CyberHub Podcast

Sign up for our newsletter with the best of CyberHub Podcast delivered to your inbox once a month: http://bit.ly/cyberhubengage-newsletter

Website: https://www.cyberhubpodcast.com
Youtube: https://www.youtube.com/channel/UCPoU8iZfKFIsJ1gk0UrvGFw
Facebook: https://www.facebook.com/CyberHubpodcast/
Linkedin: https://www.linkedin.com/company/cyberhubpodcast/
Twitter: https://twitter.com/cyberhubpodcast
Instagram: https://www.instagram.com/cyberhubpodcast
Listen here: https://linktr.ee/CISOtalk

The Hub of the Infosec Community. Our mission is to provide substantive and quality content that's more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

CyberHub Engage Podcast
Ep. 111 - Sam Phillips, SVP Head of Enterprise Information Security Architecture at Wells Fargo

CyberHub Engage Podcast

Apr 14, 2021 25:44


In this episode of CISO Talk, James Azar is joined by Sam Phillips, SVP and Head of Enterprise Information Security Architecture at Wells Fargo to talk about cybersecurity innovation and the drastic changes by consumers and employees and what does this mean for practitioners. This is a preview to our full Fireside chat for the Cyber FinTech Conference hosted by Atlanta Tech Park and CyberHub Summit. The Event is on April 27th, 2021 and the rest of the episode will be available then to watch… Tune in to this amazing podcast and make sure to subscribe and comment.

Bio: Senior Technology Executive with extensive experience in establishing and growing technology, security and risk programs in large international corporations as well as medium sized companies, including establishing and developing business requirements, creating and implementing governance and architecture models, infrastructure development and executing critical processes, products, and services with a strong focus on security, quality and availability.

Specialties: Business Strategy, Technology Strategy & Innovation, Business Operations Management, Mobile Solutions and Services, Security Integration (physical and logical), Information Security, Cyber Security, Identity, Authentication, Systems Security, Supply Chain Security, Business Continuity Management, Threat and Risk Management, Online & Mobile Commerce.
April 27th, 2021 – Cyber FinTech Conference in hybrid mode, tickets are available at atpcyberfintech.com

The Practitioner Brief is sponsored by: KnowBe4: https://info.knowbe4.com/phishing-security-test-cyberhub Whistic: www.whistic.com/cyberhub Attivo Networks: www.attivonetworks.com

Preparing for the Unexpected
Business Continuity: Cultural Change and Awareness

Preparing for the Unexpected

Apr 8, 2021 52:51


Each organization has its own culture and how it perceives Business Continuity, sometimes in a positive light and others not so. BCM industry expert Dwayne Grizzle will talk about his presentation from the BCI World Virtual 2020 conference entitled 'Cultural Change and Awareness'. We'll learn about the definition of Culture and how through change triggers and awareness measures, organizations can change their organization's thinking, participation, and culture surrounding Business Continuity Management.

Preparing for the Unexpected
Business Continuity Management: In Practice w/ Stuart Hotchkiss

Preparing for the Unexpected

Feb 18, 2021 57:27


Successful business continuity requires the creation of and adherence to a plan, which ensures an organization's critical functions are maintained or restored in the event of disruption (e.g. fires, natural disasters, etc.). Join me as I talk with recognized industry expert and author Stuart Hotchkiss about his book 'Business Continuity Management: In Practice'. BCM can be made very over-complicated and Stuart provides a clear and simple approach to understanding what BCM is, and what it isn't. We'll touch on such subjects as the BCP, testing, audit, awareness, and the problems associated with the Business Impact Assessment (BIA) and the establishment of recovery time objectives. Some may consider this a controversial episode - I think it's one not to be missed!

Preparing for the Unexpected
COVID-19: Business Response, Recovery, and Sustainability

Preparing for the Unexpected

Feb 4, 2021 55:48


COVID-19 has forever changed the way we do business, think about business, adapt to business needs, and think about our responses to crisis and disaster situations. I speak to renowned industry expert, entrepreneur, trainer, and author, Geary Sikich, as we chat about some of the COVID-19 related thoughts he presented at the Continuity & Resilience Today (CRT) conference in Oct/20. Geary touches on some key themes relating to COVID, from Supply Chain Mgmt. to Risk Management to the growing needs for an 'all-hazards' approach to help build resilience. Be sure to tune in and listen to Geary's incredible insights on COVID-19, and the future of the Risk and Business Continuity Management industries, including how Governments and the Private sector will need to work together going forward. Don't miss it!

Preparing for the Unexpected
Conquering the Top 5 BCM Roadblocks

Preparing for the Unexpected

Jan 21, 2021 55:05


There's no doubt that business continuity has evolved into a critical team that helps organizations become - and stay - resilient. As the risk to reputational damages moves into the forefront for corporations, many BC teams are faced with growing the scope and scale of their programs to meet new demands. Many are struggling with finding the best and fastest path forward, as there are always roadblocks that tend to get in the way. I talk with renowned industry expert James Green, who presented the topic 'Conquering the Top 5 Roadblocks' at the 2020 Continuity & Resilience Today conference. James will talk about the top roadblocks BCM professionals face and what we can do to overcome them; from obtaining and keeping executive attention to continuity, resilience, and our well-being. It's a lively discussion with James you won't want to miss.

Preparing for the Unexpected
Practical Business Continuity Management: Top Tips for Real-World BCM

Preparing for the Unexpected

Jan 7, 2021 53:24


Whether you're a new or an experienced BCM practitioner, and whatever your specific role within your organization, if you have an interest in implementing and maintaining an effective BCM program, this episode is for you. We speak with highly recognized BCM, Risk, and Crisis Mgmt. industry expert and author, Andy Osborne. We'll talk about many of the concepts, tips, and ideas contained in his book Practical Business Continuity Management: Top Tips for Effective, Real-World Business Continuity Management. (Volume 2 is expected in early 2021.) Andy provides some great insights and examples when discussing the BIA, RA, BCP, and even how to work with Executive Management. Regardless of your level of BCM experience, you're sure to enjoy this episode with Andy.

The Ncast
Taking the Reins in Building Out a BCM Program | The Ncast Episode 6

The Ncast

Dec 17, 2020 25:47


What happens when someone moves from the vendor management team to spearhead and expand an FI's business continuity management program? We found out first-hand from Ronnie Emmanoulakis, CRVPM II, Manager, Data Operation and Business Continuity Management who shared what it was like to step into the new role, how he approached the comprehensive strategy from management oversight to training, and how challenges were addressed along the way.

Preparing for the Unexpected
Business Continuity and Organizational Resiliency in Latin America

Preparing for the Unexpected

Oct 1, 2020 56:02


We hear a lot about Business Continuity Management and Organizational Resilience but usually the examples are from Europe and/or North America. We'll talk with Organizational Resilience and Business Continuity expert Timothe Graziani, who is headquartered in the Dominican Republic, and chat about BCM in the Latin America (LATAM) region. We'll chat about some of the different challenges LATAM countries face with BCM and what's driving the push to move BCM and Org Resilience to the forefront. We'll also touch on how Covid-19 has impacted the LATAM region and what countries and their resilience people are doing to address it. It's a very informative show with some new perspectives on some traditional ideas. Don't miss it!

The ISO Show
Episode 49 - How EMCOR is Embedding Business Continuity

The ISO Show

Jul 29, 2020 23:01


EMCOR has gone from strength to strength over the years, so Alex is joining us today to discuss ISO 22301 (Business Continuity Management) and how the system is helping them to not just survive, but thrive during these difficult times.

Preparing for the Unexpected
Covid-19 and Business Continuity Management

Preparing for the Unexpected

Jul 16, 2020 55:42


The global Business Continuity Management (BCM) landscape is changing; from supply chain management to disaster response to the effects and impacts of the Covid-19 global pandemic. We talk to internationally recognized BCM industry leader and expert, Patrick (Pat) Corcoran from IBM. Pat will talk to us about the changing BCM landscape and what BCM planning aspects - and program components - organizations will need to revisit and refocus, as a result of the global Covid-19 pandemic. From the new challenges of Working from Home (WFH) strategies to IT Disaster Recovery to the ever-increasing potential of Cyber Threats, Pat will give us all something to think about, as we move our BCM programs forward through the pandemic...and beyond.

The ISO Show
Episode 42 - What is Business Continuity Management?

The ISO Show

May 14, 2020 17:19


Join Mel this week as she discusses ISO 22301 (Business Continuity), a standard that is completely focused on resuming operations to get back to 'business as usual'.

Preparing for the Unexpected
Mastering Business Continuity Management

Preparing for the Unexpected

Oct 31, 2019 55:47


Mastering Business Continuity Management (BCM) can be a very tough goal since professionals are not just dealing with a couple of departments within an organization, they are working with the entire organization, including its 3rd party external partners and their local communities. We talk to globally recognized Business Continuity expert, speaker, trainer, consultant and author, Dr. Michael D Redmond, as we talk about some of the key foundational components of a good BCM program that all BCM professionals must know and understand. We will touch on Project Management, Risk Assessments and Risk Analyses (and the difference between them) and the Business Impact Analysis.