Business Continuity: Battling Complacency
ISACA's Ex-International VP on Shortcomings of Security Professionals
In the decade since the 9/11 terrorist attacks, security leaders have learned to think the unthinkable, von Roessing says. "It was a wake-up call for all of us to basically accept the reality of terrorism, accept the reality of having to do more for security, accept the reality of having more forward intelligence and generally having to be much more diligent than before," he says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
Combating the complacency held by security professionals will take encouragement. "We have to keep that spirit awake," von Roessing says. Organizations, businesses and government agencies will have to continue making their critical infrastructure secure, maintaining business resilience and thinking about protecting their environment from hostile forces.
"In a nutshell we have reached a much higher maturity level of security than 10 years ago, but there is a ways to go to really make things safe and secure," von Roessing says.
In an exclusive interview, von Roessing discusses:
- Lessons security leaders learned from the attacks;
- Areas that still need improvement;
- Advice to professionals entering the field today.
Von Roessing is a member of ISACA's Framework Committee and Professional Influence & Advocacy Committee, and a past international vice president of the association. He is also president of Forfa AG, a Swiss consulting network, and a retired partner at KPMG Germany.
He has many years of experience consulting for large international banks and insurance companies, with responsibility for international projects in business continuity management and information security.
Prior to entering the consulting sector, he was head of IT for the EMEA region in a leading global security firm.
He is a former member of the Board of Directors of the Business Continuity Institute (BCI), where he served from 2001 to 2008 and chaired the Audit Committee from 2003 to 2008.
TOM FIELD: To start out with, why don't you tell us a little bit about yourself and your current work today please?
ROESSING: At this point I'm very active with ISACA as you just mentioned. I work on several committees and task forces, and in my main line of work I'm the president of a small Swiss holding company with subsidiaries in Germany and other places, specializing in fields of security, governance, risk and compliance, as well as business continuity and crisis management.
9/11: Looking Back
FIELD: We're all looking back. Where were you ten years ago in 2001?
ROESSING: Actually I was in Vienna, Austria in a high-rise building right next to the United Nations headquarters, and that was quite an exposed location actually at the time.
FIELD: Give us a sense of what the impact of Sept. 11 was, the news of that day was, on you.
ROESSING: Basically I got a phone call from someone saying, "Look, the towers are burning, the United States is under attack; there's a war going on." Because we didn't have television, I appropriated a webcam in Hoboken, NJ ... so I could literally watch it from the other side of the river, and I could see the buildings burning, and it was shocking. It was quite a big impact on all of us because people were standing around my screen and watching it. Others would go down to the cafeteria and see it on TV there. Everything sort of came to a standstill.
FIELD: What your comments tell me is you didn't have to be in the United States or a citizen of the United States to be affected by the events?
ROESSING: I felt a deep sympathy with the U.S. citizens and the shocking events that were unfolding and I thought, "I'm probably a lucky guy to be outside of the U.S. at the time." But then I was looking at the next building, the UN headquarters, and I was thinking, "Well are we in danger? Is something happening to us? Should we be watching the airport locally?" All of these sorts of things drift through your mind that eventually the crisis management element took over, and then we started asking questions about friends, colleagues. I was at Ernst & Young at the time. We started shooting e-mails back and forth, saying, "Are you alright? Are you in New York City? Are you elsewhere? How is your family?" ... Gradually in a piecemeal fashion we got the picture together that most people were thankfully unharmed and they didn't have any family members in the towers, and that sort of settled us down a bit.
Lessons Learned
FIELD: So much has passed since that time. There have been new regulations, certainly advances in technology. As a profession, what would you say that security leaders learned from the lessons of Sept. 11?
ROESSING: Firstly, I would think that security leaders have learned to think the unthinkable, as in the black swan that may be coming once in a hundred years. It was so entirely unexpected and no one had accounted for this to happen. Basically, I think security leaders are very humble and they have learned to accept the unthinkable as an event that might actually happen in our lifetime. Professionally speaking, before 9/11 what we did was very much an exercise in probabilities and your loss expectancy and that sort of thing. It changed quite dramatically in that people are now thinking about the big one. Will it happen again? And since 2001 they've obviously been attacked and there have been terrorist incidents, and that has served to reinforce the notion of being in danger ... It's no longer a splendid-isolation type of thing in the U.S. and Europe as it used to be before. We've come to realize that these things can be brought to our doorstep, and we've learned to defend against them.
The Global Perspective
FIELD: We tend to be very U.S.-centric in the United States. "It revolves around us" has been the attitude, but certainly these have been events of global impact. What lessons would you say that security leaders globally have drawn from what happened in the United States ten years ago?
ROESSING: In respect to terrorist events, incidents and attacks, I don't think the world outside the U.S. is that much different from America. In actual fact, if there is a threat to the U.S. there's usually a threat to the whole western world and you can't sort of escape that truth. In the sense of people in Austria, Germany, France, Switzerland and those places in continental Europe, I believe, as I said before, there was a feeling of deep sympathy and that was expressed by politicians globally outside the U.S. I think everyone certainly realized that here is a super power, the last remaining one after the Soviet Union had gone out, and suddenly the U.S. is attacked in the heart of Manhattan. It could be in the heart of Berlin, Vienna, Zurich, anywhere.
In terms of lessons learned, I think it was a wake-up call for all of us to basically accept the reality of terrorism, accept the reality of having to do more for security, accept the reality of having more forward intelligence and generally having to be much more diligent than before. That goes for all European countries regardless of nationality, religion and that sort of thing. I don't think that any country in Europe, or indeed world-wide, would condone such an attack or that sort of planning. There may be extremists doing that, but generally as nations people would say, "What's the use of killing thousands of people in that way?" Globally, I think the lessons are pretty much the same. You don't have to be U.S.-centric to realize that something major - a game changer - just occurred and you have to come to terms with that.
Areas For Improvement
FIELD: What work do you see that we still have to do in the areas of security, risk management, business continuity and other areas that are part of our profession?
ROESSING: I think we've advanced quite a bit in these past ten years. But still we see that when it comes to culture, when it comes to attitudes, the feeling of risk rather than the real risk, in terms of spending on security, business continuity and all these other things that make organizations and even nations resilient, I think that's still a learning area in that people may to an extent have become somewhat complacent. Ten years have passed, nothing has happened. The Twin Towers have not been repeated, thankfully, but it tends to lull your sense of vigilance and you'll say, "Well we've had a quiet ten years." Yes, there has been the occasional incident but nothing of that order of magnitude. I think we have to keep that spirit awake. We have to continue down the road of making things more secure, maintaining business resilience and thinking about protecting our own environment from hostile forces. In a nutshell we have reached a much higher maturity level of security than ten years ago, but there is a ways to go to really make things safe and secure.
Advice for Newcomers
FIELD: We've got people that are in the profession today that weren't in the workforce ten years ago, and they don't know firsthand the lessons of Sept. 11. For people that are entering the profession today, what lessons should they be drawing from the experiences that we shared?
ROESSING: For younger security professionals I would say that lesson number one is think outside of the box. Make sure that you let your imagination run to a certain extent and that you anticipate events that other people in their sort of culture and environment don't think about. Don't be an alarmist. Don't panic. But generally be aware of the fact that surprising things do happen and that these things generally happen at the most inopportune moments. The second thing is that in an entrenched culture where you may have a lot of groupthink, where you may have a lot of do's and don'ts and the rope skip, it's probably a good thing in your own circle of security professionals to make sure you talk to your people, make sure you see threats before they actually occur and even if you have to stand up to senior management and discharge your duty as security officer, make sure you think about protecting people first and protecting office second.