
Building a Better Auditor: Lost in Bratislava

Blogs | Jami Shine, CIA, CRMA, CISA, CRISC | Nov 18, 2025

As an auditor, I’ve assessed controls around organizational resilience, but until recently, I hadn’t spent much time designing disaster recovery plans for my personal devices or business continuity plans for my daily activities. I knew that my phone was being backed up to the cloud and that my hundreds of unique passwords were stored in my password vault, promoting continuity, but I certainly wasn’t doing tabletop exercises or disaster recovery tests in my spare time. However, my personal technology (specifically, my phone) is an essential part of my life, and I hadn’t assessed the impact of operating without it.

Recently, I was on a cruise ship docked in Bratislava, Slovakia, and I had decided to do some solo exploration before dinner. I dropped a pin to mark the ship’s docking location in my Maps application and headed out for a brisk walk in Old Town, mentally plotting the course to get back. But before I knew it, I had wandered well outside the tourist area with no idea how to get back to my ship. As I opened my Maps application, I realized that I had no cell signal and had not downloaded the city map while connected to the ship’s internet. Without cell service, I couldn’t call a friend or use a rideshare app, and I didn’t see any taxis. Asking strangers to point me in the direction of the Danube River was somehow getting me even more lost, and I didn’t even have an address for our docking location. Finally, after showing someone a photo I’d taken of a landmark, I was steered in the correct direction and made it back to the ship, out of breath and disheveled, before it left for the next port. While I ultimately wasn’t stranded in a foreign country, I could have avoided a lot of stress had I done some upfront scenario planning of how to navigate the city if I lost cell signal as part of a personal “business continuity” program. 

At our organizations, business continuity and disaster recovery programs must be both aligned and tested to meet stakeholder expectations in a disaster. While business continuity supports the continuation of critical business processes, and disaster recovery specifically addresses the restoration of IT systems (and the data that support those processes), these programs must work together, including planning for the human elements that enable disaster recovery plans to execute. Additionally, business continuity plans should not assume the infallibility of disaster recovery plans. Critical business processes should, where possible, have manual fail-safes that organizations can revert to if the systems cannot be restored within recovery time objectives. While many organizations are implementing redundant infrastructure and failover mechanisms as part of strong disaster recovery programs, they may fall prey to blindly trusting that the technology will always be available and fail to plan for continuity of critical operations during unplanned or extended downtimes.

The Float Trip and the Disaster Recovery Gap

Another challenge with organizational resilience is the ever-changing cyber threat landscape and the security measures we take in response. Strong security controls are essential to addressing cyber risks, but they may complicate disaster recovery plans.

When my friend chose a float trip for her bachelorette party, I made the ill-advised choice of bringing my phone on the raft to capture pictures. However, my phone became the newest resident of the murky Illinois River when we hit an unexpected bump. While I waited for my new phone to ship, I assumed I’d be able to access “critical” applications like email and social media through my laptop and tablet, both of which had my password vault installed. However, I ran into an unexpected obstacle — my security settings.

As an IT auditor concerned about cyber risk, I had configured virtually all my personal applications to require multi-factor authentication. While this is a great control to reduce the risk of accounts being compromised, I usually chose my phone number as the sole option for secondary authentication, thus preventing me from accessing my accounts when I couldn’t receive text messages. Where supported, a passkey stored in my password vault would have been a better option to promote continuity, while still preventing unauthorized users from accessing my account.

Thankfully, after five days that seemed like an eternity, I had a new phone and was reconnected to the world. Unfortunately, because my last full backup was taken the night before the float trip, I lost almost a week’s worth of messages when I restored my account, which wasn’t exactly the recovery point objective I’d expected. My biggest takeaway from five days without access to most of my applications was that strong security controls without proper disaster recovery planning can be a weakness. I also realized that relying on technical controls alone isn’t enough; we must consider the human aspects of resilience and build them into our business processes.

As auditors reviewing our organizations’ resilience programs, we should evaluate whether security controls were designed to promote continuity of critical operations or if security and disaster recovery programs are instead working in opposition. Also, when new security controls are implemented, is the impact to disaster recovery considered, and are the plans and the infrastructure updated accordingly?

My firsthand experiences in Bratislava and on the Illinois River instilled in me the importance of a resilience mindset and the value of scenario planning as part of a robust organizational resilience program. Effective business continuity and disaster recovery plans will often differ based on unique scenarios, and while we can’t capture every one, thinking through multiple disaster scenarios can help vet the plans and identify needed updates before a disaster occurs.

Like the quote often attributed to Benjamin Franklin says, “If we fail to plan, we are planning to fail.” Organizational resilience isn’t achieved solely through redundant technology or siloed continuity and recovery programs. Organizations and their employees must develop a true resilience mindset by integrating resilience objectives and a holistic assessment of associated risks into everything they do.

The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of The Institute of Internal Auditors (The IIA). The IIA does not guarantee the accuracy or originality of the content, nor should it be considered professional advice or authoritative guidance. The content is provided for informational purposes only.

Jami Shine, CIA, CRMA, CISA, CRISC

Jami Shine is corporate and IT audit manager for QuikTrip Corporation, based in Tulsa, Okla.