Josh talks to David Bernstein about the world of crisis management and business continuity. David is a certified emergency manager and tells us about preparing for both digital and physical disruptions. Everything is IT now, so the way we think about disaster preparedness is changing. We talk about understanding risks, creating plans, and the role of practice in the world of crisis management. This is a super interesting universe and Dave was very patient and kind. I learned a lot and can’t wait for Dave to come back.
Episode Links
- David Bernstein
- David on Hacker History
- David’s Cyphercon talk
- Zombie Attack: Disaster Preparedness Simulation
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Dave Bernstein. He’s a certified emergency manager and certified business continuity professional. Dave is here because I have another podcast I do called Hacker History and he was a guest on it not long ago. I’ll put a link in the show notes. It’s a great episode, but through the conversation and just kind of, you know, the banter before and after, I realized like Dave would be an amazing guest on the show.
because you have all this knowledge and experience in things like, you know, kind of disaster management and business continuity. And these are spaces that I feel like I certainly don’t have a very good grasp on. And I’m certain much of the audience doesn’t either. So David, why don’t you introduce yourself and kind of tell us a little bit about why you’re here and we’ll just take it from there.
David Bernstein (00:42) Sure. Josh, again for having me on. My name is David Bernstein. Like you said, I’m a certified emergency manager and certified business continuity professional, and I have a few other certifications as well. And I came back because we had this great discussion on the Hacker History podcast, and we brought up, and we kept saying, that would be a great thing to continue exploring, but we don’t really have the time. And it might be more applicable for this podcast anyway. So let’s find a time and get going. So that’s why we’re together again.
Josh Bressers (00:59) Yes.
David Bernstein (01:11) And it’s just fun, just a fun conversation. So I’m really excited to be back and looking forward to having a chat with you over the next 30 minutes or so.
Josh Bressers (01:23) Yeah, yeah, for sure. Okay, so David, let’s just kind of start out, like tell us what you do, because this is like just, this alone is fascinating. It could be like a complete show on its own, I think.
David Bernstein (01:34) Sure. So what I do at its core is I help organizations try and understand what are the most likely risks and hazards that are going to impact them. It could be physical, could be digital, it could be anything else. And when we identify them, we try and figure out what are we going to do to mitigate and prepare for them. So we’re writing plans, we’re doing drills and exercises, we’re doing training for staff. And we try and think like really big and really small, right? So it can be
It can be all the really big things you see in the news, natural disasters like hurricanes and active shooter events and all kinds of other stuff, or it can be really small, just like something is going to happen in your organization and it’s just going to disrupt your operations. It might not be big, it might not be newsworthy, but it’s going to have some disruption for you. So we need to figure out what that looks like and how we’re going to deal with it. One of the things that I know Josh and I were nerding out on last time,
was not necessarily the planning around all of this, but this thought of crisis management and disaster management. Besides the fact that those sound a lot cooler than what I was just describing, crisis management is really just: what does that response look like? How are you leveraging all of your resources? How are you figuring out how you’re going to map out all of those plans and systems? Because I’m talking at a real top line here.
That may not be doing justice for how cool I think this work is. But it’s really an exciting way to figure out, we know things are going to go wrong. How are we going to figure out how to plan and address them? And so there’s ways that we can do it that are straightforward and accessible. But also, we can have fun with it. Florida, like 10, gosh, I’m dating myself, maybe 20 years ago at this point, they put out a zombie plan.
Josh Bressers (03:28) Yeah, yeah.
David Bernstein (03:31) The point is to get people to think about all of this. So let’s have fun with it. It doesn’t have to be necessarily something that is mundane. It can be something exciting. The point is just to get people prepared. Of course, for any listeners, for any other security or emergency management or any other people out there, we do at some point want to turn back and say, all right, but these are our most likely risks and hazards. We should prepare for those specifically as well.
Josh Bressers (03:58) Yeah, yeah, for sure. Okay, so like give us an example of, I think when a lot of tech people think of disaster, we’re thinking of the computer crashes, data’s lost, things like that, but that’s not at all, it’s partially what you do, but like there’s a whole other like physical realm, like give us an example if you can of something maybe in the non-technical space that we still consider like something we need to think about and care about in this universe.
David Bernstein (04:12) partially,
Yeah.
Well, I actually do want to hit on this the cyber piece for a second because information technology underpins basically everything in any organization at this point. So what the people who are listening to this might consider is just that computer crashes, system goes down, server goes down, access, whatever it’s going to be goes down. They’re working on that specific issue. They may not see all the other rippling effects out throughout the rest of the organization. So let’s say we’re looking at like a hospital, right?
Josh Bressers (04:34) Yes.
David Bernstein (04:54) Down time for a hospital doesn’t necessarily mean that like an application is down that we have to get up. It means that like nurses have to go and figure out how else they’re going to document everything. Depending on the outage, it means that like the medication dispensing technology needs to be reset and they have to go to a manual process for it. It means that, you know, some of the tracking information, or, you know, tracking tools that they’re using for patients,
is going to go down. It turns everything into the super manual process. We need to figure out how we’re going to do all of those things. That’s the other part of my job, especially on the business continuity pieces. We can have this one kind of trigger event. We have to figure out where all of those other rippling impacts are. And a hospital is just an easy one because everyone understands how their body works. And everyone has been in a hospital at some point, presumably when they were born, I’m assuming.
So that might not be a good analogy because I don’t actually remember that. But if you’ve been to a hospital, you understand that you see the beeps and the alerts and everything else going off. All of that is tied into a system somewhere. If that system goes down, the rest of it is going to have a ripple effect as well.
Josh Bressers (06:04) Yeah. Yeah. Right. Right. So, okay. I’m going to keep pushing you. Give me an example of like, no, no, this is, this is really good though. So this is the point. This is why I wanted to talk to you because I exist in this weird little universe where I feel like I don’t have to worry about someone dying when I make a mistake. Right? Like I, I, my company sells a product that it runs on premises. Like if our email goes down,
David Bernstein (06:08) Yeah, I feel like I’m not actually giving you the answer you want.
Josh Bressers (06:33) Generally speaking, no one’s going to die. Whereas in a hospital, that’s an obviously completely different situation. but I want to, I want to also talk about some of the physics. Right? No, and that’s perfect. That, that’s why I wanted to talk to you because you have this experience and knowledge that I just literally, I don’t know what I don’t know, which is what makes this conversation awesome. But like, I want to, I want to think about physical. Like we, don’t feel like we think about physical things necessarily. Like where
David Bernstein (06:39) Yeah, I wanted to raise the stakes for you a little bit.
Josh Bressers (06:59) you know, there’s natural disasters or some sort of man-made event or something like, what does that mean, right? Like, can we, what can we even do for like, if there’s gonna be an earthquake or a hurricane or some horrible disaster, right?
David Bernstein (07:16) Yeah, well, a lot of it is just trying to figure out
With any disaster, we can talk about it in the physical realm, but I think the principles kind of apply to a lot of different places. The key to figuring out how you’re going to start your plan is, what do we really think the impact is going to be? The better we understand the hazard, the better we can prepare for it. So what does the profile of these incidents look like? So we can take an earthquake, for example.
Are we in an area where we think an earthquake is more likely to happen? Is that a risk that we should be thinking about? And you can get this information from a lot of different places. Understanding, is this something I should be concerned about, is kind of your first starting point. And then let’s figure out, all right, we need to figure out people, we need to figure out places, we need to figure out capabilities. Because any one of those three things is going to make a huge difference.
If you don’t have the people to respond to it, then the rest of it almost doesn’t even matter. You have to coordinate the people, you have to coordinate the resources and the space, and then you have to coordinate the capabilities. If you’re going to ask someone to, if you’re going to ask a totally non-medical person to go and respond to a medical event, what are you really doing? Or if you’re going to ask a person who’s not an engineer to go set up an HVAC system at a tent,
because you need an external shelter. What are you really doing? So you need to figure out these four pedestals for any incident. Then figure out, all right, well, what do we think is realistic? So figuring out how we want to appropriately respond. And I feel like I’m kind of getting off on a lot of different tangents because my mind is just kind of firing on a lot of stuff. So let me try and boil it down a little bit for you. When we’re writing any emergency plan,
Josh Bressers (09:09) this is good.
David Bernstein (09:16) An emergency plan is, even a business continuity plan, is at its core a list of expectations. I don’t want to overcomplicate it. The expectations are, what should I expect from you and what should you expect from me? And we have to figure out, do I have a reasonable expectation from you? And is this something that we think we can prepare for? That’s the core question for any emergency plan, crisis management, disaster, anything else.
What are the expectations? Are they reasonable? And how do we implement it? So we look at something like, we can say a coastal storm, like a hurricane. Or honestly, we can look at snow storms. There’s been a lot of snow storms in the last few months. So if someone’s living in a place where you’re getting lots of snow, I think there was snow in Florida last week. It’s just crazy.
Josh Bressers (09:58) Yes.
And it’s going to, so I’ve heard, so we’re recording this at the end of January and supposedly this weekend North Carolina is supposed to get eight inches of snow. Which, like, I live in Wisconsin; eight inches of snow is like, whatever, we don’t care. In North Carolina that is like a doomsday scenario, right? Yeah.
David Bernstein (10:22) my gosh, absolutely. Yes. Well,
and so this goes back to that infrastructure and how do we prepare for it. Because that’s a perfect, perfect example. So let’s talk about snowstorms and as we’re preparing for this.
And this is why snowstorms in Florida and North Carolina are way different than Wisconsin, right? Because there’s an expectation. You expect it. You’ve built the infrastructure out for it. You have the plows. You have the road salt machines. Florida and North Carolina don’t have any of that.
Josh Bressers (10:45) Yeah, North Carolina.
David Bernstein (11:01) But they’re way more prepared for a hurricane. Wisconsin would be out of their mind for a hurricane. They have no infrastructure whatsoever to support it. So this goes back to that likelihood and how we’re going to prepare for it and the prioritization that we’re going to take. And then we need to figure out, how are we going to prepare for that? What is our expectation and how are we going to make a plan for it? The plan that we might make for a snowstorm in
Josh Bressers (11:04) Yes.
David Bernstein (11:29) preparing to get our staff to respond, no matter the organization, is what do we expect them to do? Right? I mean, if we’re just going to be in an office building, do we want to just go home, work from home? Like, that’s a fine plan. But if they can’t go home or it’s a hospital, it’s some other critical infrastructure, we have to make a plan to keep them there. We have to make a plan to like, how are we going to make sure that they can get there or stay there safely? Because when a snowstorm comes in,
Roads may close, there might be icy conditions outside, it’s going to be dangerous. So all of these things are the kinds of physical risks that we need to be considerate of when we’re making these kinds of plans. What are those external conditions that people, I guarantee everyone who’s listening to this has thought about these things for themselves, they just may not think about it for the organization. But that same thing that you think about for yourself,
Josh Bressers (12:21) yeah.
David Bernstein (12:26) is the same thing we think about for the organization too. And that’s why I say I don’t wanna overcomplicate it because I may go that extra step to say, here’s how we’re maintaining the organization, but you’re already doing part of the planning by saying, if this happens, like my plan is, I need to stay home because my kids are, schools are gonna be closed or something along those lines, right? Like, so you’re already making the plans yourself. My job is to plan, is to figure out how we plan around all of that.
if that makes sense.
Josh Bressers (12:55) Okay, that does. And here’s what you’ve put into my brain. And this is why I kind of wanted to start in a weird place is you’re talking about putting these plans together, understanding what the expectations are of the people maybe directly involved or maybe, you know, kind of on the outskirts of whatever incident is happening. And I feel like myself from a technology perspective, like I’ve been part of what I’ll call disaster recovery and business continuity planning in the past.
And we kind of suck at it, like, like in the tech world. I’m, you laugh because you know, it’s true, but like, I feel like every time, but I feel like every time I’ve kind of done this stuff, it’s been very focused on like, all right, what’s IT going to do to deal with this? And there’s like no consideration for the rest of the company necessarily. There’s often, you know, maybe you’ll call the lawyers if you get popped or something, but there’s, I feel like there’s
David Bernstein (13:31) I didn’t say anything.
Josh Bressers (13:51) not a lot of attention paid to what maybe how it would affect others or what you expect other people to even do at the same time. And so this is like, this is such a fascinating conversation already. And I mean, I would love to hear kind of your thoughts and ideas around like, is the world of tech different or would you treat them very similar in regards to like a plan is a plan and that’s just how it works.
David Bernstein (14:12) Yeah.
Well, you know, something I’ve been dancing around that I don’t think I’ve actually said so specifically, that I think might be helpful for the context of this conversation, is it’s not that you guys are bad, but, let me rephrase that. I don’t think I’d see it as bad as such. You have a specific role that you have to meet. You have a problem that, you know, you have to address, and your responsibility is to address it from an emergency management and business continuity perspective.
Josh Bressers (14:27) It’s okay, it’s okay. I’ll take that bullet.
David Bernstein (14:41) My job is not to be like the last action hero for anyone who’s like a late 90s movie fan. My job is not to be last action hero to go in and solve all the problems. My job is to say, all right, everyone has all of these individual responsibilities. I’m bringing you all together. That’s my job is I’m the coordinator. I’m the coalition to pull all of these individual components together so that nothing’s happening in a silo.
That’s really the crux of my plan, or the crux of the planning and the crux of my role. I think the titles sound a lot more cool, like, you know, emergency manager sounds like I’m actually managing an incident. No, I’m not. I’m like making sure everyone sits around a table and says their piece and making sure that everyone knows what’s happening so that when you say…
you know, we’re dealing with this IT thing that we think is a silo, someone else at the table could say, no, I actually have this impact from that, and everyone has a better sense of what the ripple effects are, right? And so that’s why we do tabletop exercises. That’s why we do this planning process so that we can say, all right, in a test environment, we’re gonna start flipping switches and see what happens. And then we have a better understanding of where all of these issues are going to arise. And I get a little bit on a…
Josh Bressers (15:43) Yeah.
David Bernstein (15:59) on a soapbox when I talk about this because these drills and exercises when we’re supposed to be figuring out how the organization works together, it’s not meant to be a demonstration. Like we shouldn’t be showing leadership, look how great we are at solving this thing. It’s like, no, we should be really stressing it so we understand, where are we most likely to fail? Where are the stress points?
And we’re not blaming people, right? Like we’re testing a process. This is not that Josh totally fell on his face in the exercise and so he’s got to go. We see that there’s a pain point because there wasn’t enough training or the training wasn’t correct or is outdated. Or Josh could have been a lot more successful if he had the right resources. Here are the resources he actually needs to do the job well or to fix the thing he needs to fix. Or people had a
crazy expectation that he’d be able to fix this in a minute. No, it’s going to take three hours to resolve this issue. Those are the kinds of things we’re going to figure out in an exercise. And the last piece I’ll say about that is that practice doesn’t make perfect. Practice makes permanent. So the biggest thing we need to do is figure out, when we’re figuring out how to fix these issues, we’ve got to practice the right way because we don’t want to reinforce bad habits around it.
I say that as a statement. It may seem a little bit out of place, but that’s a whole other discussion on how we do drills and exercises and training. Something that I am, I don’t know that I’m passionate about it, but it’s definitely something that sticks in my craw.
Josh Bressers (17:42) I mean, I agree. I
agree completely. I think so. There’s a lot to unpack in what you just said. And I want to start by saying, I think one of the attitudes I’ve seen historically, and I know this is changing a little bit in the world of tech, especially in security, is there’s this very much this attitude of, it’s okay everyone, security’s here. You can all go away, go back to work. Like it’ll be fine now, right? And that’s obviously, you’re talking about cooperating and understanding what everyone else is doing, which I don’t think is the way a lot of security teams have worked historically.
David Bernstein (18:11) Well, I was going
to say, I say that like, it’s an easy thing, right? I think the biggest thing that I’ve learned professionally in my role is just how to deal with people. People is the hardest part of my role, by a long, long margin. So yeah.
Josh Bressers (18:16) Right.
always.
Yeah,
man, I mean, when I was young, I was very much the, it’s okay everyone, security’s here, like we got this. And now that I’m older, I’m like people, every problem is people. Like it doesn’t matter what it is, people are the root of everything. And it’s usually not talking to the right people or the right people aren’t talking to each other. Like that is 99% of all problems, regardless of tech or not. And.
David Bernstein (18:41) Yeah.
Absolutely. It’s like, or
it’s my problem is like the, or my problem is the most important thing that has to be prioritized above everyone else’s. Like, no, it doesn’t. We’re here to figure out like, we’re here to figure out which one is actually the biggest problem. And I guarantee it’s not yours. But you have to say that nicely.
Josh Bressers (19:03) Yes, yes.
my goodness. Yeah.
No, I mean, we get this all the time, right? In tech where you get like your help desk or whatever and it’s like, I need this right now. It’s like, no, you don’t. You’ll be fine. And then of course people get really mad and stuff and whatever. Although now that I’m a little older too, it’s like nothing pleases me more than being like, you will wait. Like I don’t care who you are, but I’m also, I’m in a position I get to do that. Right. When you’re super young and new, it’s like, no, I better do this.
David Bernstein (19:15) totally.
Yes, right.
Yeah
Yeah.
Josh Bressers (19:37) But okay, I want to address another thing you just said a little while ago was talking about, what was it? Practice, not practice makes perfect, practice makes permanent. And I think this is an amazing topic as well. So one of the things I’ve done badly in the past is have like tabletop exercises for disaster, like tech disasters, right? Like we’ve been hacked, the email server crashes, Google has stopped functioning, whatever. Like there’s a bunch of scenarios. And I will say,
David Bernstein (19:44) Practice makes permanent.
Mm-hmm.
Josh Bressers (20:08) It can feel silly sometimes doing some of these events, but it is amazing what you learn as you start to like, my favorite one is like, we started talking about, okay, so Google doesn’t work anymore. What happens? And like, I was talking to the team and finally we’re like, there’s nothing we could do. Like, we’re just going to have to sit there and wait. Like, cause Google is just like so pivotal to the core of society at this point. And I’m like, that is really scary actually, when you actually talk about it and think about it.
David Bernstein (20:13) Yes! Yeah!
Yeah. My
favorite thing is when someone says, that’ll never happen. There’s been at least two incidents that have been major, major, major incidents where they said, that’ll never happen. First was like, well, I won’t go into that one. But we’ll just say that the other one was, what was it?
Josh Bressers (20:38) Yeah
David Bernstein (20:58) I was saying you should think about how you’re going to manage your organization if Azure goes down.
And the person basically laughed in my face. And what happened three weeks later? Do you remember that huge outage, what was it, two years ago or something? Yeah.
Josh Bressers (21:11) Excellent.
There have been several that
I think the funniest is when they didn’t account for the leap second and like all their services just crashed, which is hilarious for so many reasons.
David Bernstein (21:25) Yeah. Yeah. But I mean, whenever someone says that’ll never happen, it terrifies me. Because I’m like, well, now it’s definitely going to happen. And we have to figure out how we’re going to deal with it. And going back to this practice makes permanent element around it is, if you’re not practicing sincerely, if you’re not exercising sincerely, these are the repercussions of it. We have to be earnest in how we’re going to play and how we’re
Josh Bressers (21:32) Yes.
I know, right? Those are like famous last words.
David Bernstein (21:54) setting expectations for this exercise. If someone says that, we’re going to spend a million dollars to pull this resource in, or we’re going to call the National Guard for help, or we’re going to do something else, you don’t have any of those resources. You don’t have the capability to do any of that. So the fact that you’re making that assumption means we have to reset how you want to do that. And both of those things happened in exercises. They said,
I was in an exercise and they said, well, we’re going to call the National Guard. It’s like, you’re not the governor of this state. You can’t just call the National Guard. I know you think you’re pretty great, but that’s not going to happen.
Josh Bressers (22:36) Now is that because they were being silly or did they honestly think they could do that?
David Bernstein (22:40) No, they honestly thought they could do it. Yeah. But if you’re being silly, it’s one thing. Because then you could be like, all right, yeah, that’s funny. That’s great. Godzilla’s coming down the track. Whatever. It’s fine. But seriously, let’s have a conversation. You can always pivot and reorient from that. If they’re serious, then you have to say, all right, well, we need plan B. And then you try and justify it, which doesn’t always work because you’re still kind of lending credence to the idea. But you can say, all right, well,
Josh Bressers (22:42) wow, okay, okay.
David Bernstein (23:09) National Guard is not going to be on our doorstep. We need something for the next few hours, couple of days, because they still need to mobilize and all kinds of other stuff. So that’s usually how I pivot around those kinds of discussions. But that’s why I try and do it in earnest, because if you create incorrect assumptions, if you create bad expectations, you’re just setting yourself up for failure.
Josh Bressers (23:35) Well, and the thing that just popped in my brain as you describe this is there are people who maybe don’t understand how certain things work, how like maybe law enforcement works, how the FBI might work, how computer security works. And so they don’t, like, I’ve had this discussion in the past where, you know, someone was talking about, we’ll just call the FBI for that. Like, the FBI doesn’t do that. Like this is, we need to talk about what’s going to happen, you know, in the event of a breach. Like we are not instantly calling the FBI. That’s not step one.
David Bernstein (23:56) Yeah.
Josh Bressers (24:03) And so, you know, things like that, but okay. man, wild. Okay. So here’s how I want to steer this kind of as we try to maybe land this plane in a little while is so you’ve just described kind of all these events, all this stuff. And I want to tie it all back in with like tech and open source and kind of all of the, all the things we do. And I feel like we are rapidly appro, I think we’re probably already there. We’re like, you mentioned everything is tech, right? And I think.
David Bernstein (24:21) Yeah.
Josh Bressers (24:33) We’ve historically had this attitude of like, when technology breaks, it doesn’t really matter. We don’t have to worry about involving, you know, safety people. don’t have to worry about local governments. We don’t have to worry about a lot of stuff. But I think like health and human safety and technology are very similar, if not almost the same thing now, I think in many instances. And so if I’m in a position where this is something I need to start thinking about or something I need to start caring about, like how do we even begin? Cause this feels
Like just, it’s a thousand foot cliff I have to try to get up. And I, there’s nothing to hold onto. Like I don’t even know what to do. Right?
David Bernstein (25:11) Yeah,
I totally agree. Especially if you think you’ve found an issue that you think is going to be critical to your organization, it can feel overwhelming to even think like, my, how are we even going to deal with this? And I had a colleague that kept repeating when we were talking about continuity plans, like how do you eat an elephant? One bite at a time, right? Like baby steps. First thing you can do is if you have someone whose role, whose job expectation it is to
do these kinds of plans, talk to them. If they are worth their salt, they will want to help you. They might not be able to do it all for you, but they can at least give you the tools and resources to get started or at least start getting some of those coordinating things together. And plans don’t always start with a big coordination effort, getting everyone in a room and spending time hashing it all out. The first step is really just trying to identify and articulate the problem.
Right, so step one when you’re trying to start your planning process is what’s the problem I’m trying to solve? That’s step one.
Josh Bressers (26:22) It’s, I laugh because I feel like every meeting I’m in, I have to ask that question. And more often than not, no one can answer it appropriately.
David Bernstein (26:31) Yeah.
Yeah. Right? Because at some point, from an emergency planning perspective, if you’re trying to boil the ocean, if you’re trying to get, if you’re trying to solve all the problems at once, you’re going to get nowhere. So if someone thinks they want to start writing, thinks they want to start writing a plan, they want to get involved in this, or they think there’s a problem they want to solve, articulate the problem. Specifically, what’s the thing you’re trying to solve? The next thing is figure out who are the right people to start.
helping you figure out how to resolve that problem. It doesn’t mean everyone. At some point, everyone’s going to need to be involved because they’re going to be impacts to other parts of the organization, but they don’t need to be in yet. Who are the three people that you need to start talking to who are going to either have the right technical knowledge, the executive support, or just time to help you go through this, or
or if the problem you’re trying to resolve is between a couple of, is going to be a couple of different departments. Like, you know, you talked about, we talked about this being an IT focused thing. Like do you need the security team there and someone from like another part of the IT group, right? Like, you know, pull in your stakeholders and start articulating the problem, start figuring out like who owns which parts of the process that you think you want to start resolving and then start planning from there. That’s like, that’s your core planning group.
Josh Bressers (27:28) Yeah.
David Bernstein (27:57) is those three to five people. Once you start having a construct of what your plan is, right, what are the basic expectations we have for the people in this room, then you can start expanding it out and saying, all right, we have our planning group, we started pulling in this other stuff, we know there’s gonna be ripple effects to everyone else, we wanna start getting your input. We can’t resolve all of your problems for you with this plan, but we want you to know what we’re gonna be doing, right? And then,
And this is the difference between like a department oriented plan and organization wide plan. This is where we’re going to start hitting that diversions. Because the department oriented plan is going to be, here’s how we’re resolving this stuff in the department. Like there are a lot of different stakeholders. If we need to make investments, get our executive sponsor on board. Here’s how we’re going to be working with some of the other people across the organization just to make sure they know how we’re going to be doing this.
the organization-wide plan is going to say, all right, everyone has their plan for how they’re going to resolve this incident, or they’re going to work towards this incident. How are we coming together so that we can share resources, so that we can make sure a process starts from point A to point B? Because IT is going to have steps one, two, and three. Leadership will have six, seven, eight, and emergency management will have,
9, 10, and 11. Everyone has those process steps. The organization-wide plan is, all right, how are we bringing all that together? I mean, I kind of expanded quickly from all of that. But that’s how I would get started, is just figure out, how are we going to, how are you, articulate the problem, find your immediate stakeholders, figure out the expectations of their stakeholders, and then make sure you have a, that you’ve
started bringing it up to an organization-wide plan if you think that’s needed.
Josh Bressers (29:56) Yeah. Wow. I mean, so this also makes me think there, you’re talking about an organization-wide plan where I suppose there’s going to be like departmental problems you might have to deal with, right? That maybe don’t necessarily affect the entire organization, but affect your space. And then there’s going to be like large organization-level problems that you have to plan for. And so, man, there’s like, there’s multiple levels for this stuff, isn’t there?
David Bernstein (30:23) There is, and the way we deal with and resolve all of that goes back to incident command structures and how we organize ourselves to respond to the incident, dealing with as well, right? Because even in a traditional incident command structure where you have like the leadership for the incident trying to work towards the resolution or work on the incident and then the recovery following.
They’re not there to solve every problem. The goal is still to have department teams resolving department-level problems. When you get up to that really broad-scale response, this command team, they’re the escalation point, or for something that’s going to impact everyone. So, yeah, I think I kind of glossed over some of it, because everything we’ve talked about can be its own course.
Josh Bressers (30:54) Sure, sure.
Well, yeah, yeah.
I’m sure. I have no doubt. Man, like I could ask you questions all day. I won’t, but I mean, and like the other thing I have in my head is like, I could see situations where you might think you have a department-level emergency that turns into an organization-wide emergency because you screwed it up or there was something else going on. Like, there’s just, there’s so many threads to this, isn’t there?
David Bernstein (31:20) Hahaha
There are, and I can’t tell you how many times I’ve been in a situation where an incident is actively taking place and I’m looking at it and saying, oh man, this is going south real fast. Like this is getting way worse before it’s going to get better. But ultimately, the point is there are
Josh Bressers (31:49) I’m sure, I’m sure.
David Bernstein (31:56) Departmental level initiatives. Let me take a step back.
Any problem that you leave alone long enough will become a bigger problem. A lot of these things rarely resolve themselves. And so any department-level plan should have an escalation point because someone did something wrong. And I wouldn’t even necessarily put the blame on someone. If someone did something wrong, it’s probably less the person and more just that the situation is moving more rapidly than you would expect. Or there was an unanticipated problem. We talk about these plans, they’re going to resolve everything.
Josh Bressers (32:09) Yeah. Yup.
Yeah. Yeah.
David Bernstein (32:32) But the plan is more than anything a framework to say, here’s how we’re going to address the nonsense that’s going to come up, because no incident is the same. I talk about this from the physical perspective, and I’m sure it’s the same in your world as well, but no incident is exactly the same. You can have the same hazard, the same risks. The incident itself will not be the same every time. You have to give yourself the flexibility to respond to all of that.
Josh Bressers (32:40) Right. Right.
Yep, yep, right.
Well, and that’s, I mean, that’s always been the trick, I think, with like tech and security and all of that is that nothing, like you might think the same bug can create two different kinds of problems, right? It just depends on who did what in what order. It can, it’s so hard sometimes. And there’s, it’s infuriating just thinking back to like, like some, some times I’ve been involved where like, you want to yell at someone cause they made a mistake, but at the same time it’s like,
David Bernstein (33:14) Mm-hmm.
Josh Bressers (33:29) This is super high stress. Like I’m not going to chew them out. You know, I probably would have done the same thing if I was the one sitting at that keyboard. And it’s just, this is such a fascinating, crazy space, man.
David Bernstein (33:36) Yeah.
Well, and also, I understand stress and anger, because you want things to get better and they’re getting worse. But also, it’s both counterproductive and more than that. It’s a distraction to get angry and start yelling at people. You need them. And also, everyone’s making the best decision they can with the information they have. Now, some people make better decisions than others when they’re under that stress. That’s a totally fair criticism. But also, like,
Josh Bressers (33:54) Yeah, yeah, yeah.
Yeah.
David Bernstein (34:10) Gotta look forward. Exactly.
Josh Bressers (34:11) Well, you have to practice it. I mean, one thing I will say
is, so I have been in the middle of many security events over my career. I mean, I’m an old man now. And when I was young, I’ll never forget, like one of the first times I was dealing with an outage, I had one of the geezers was like, sit in that chair and stop talking. I’m like, no, no, we have to, we have to do this and this. He’s like, sit down and shut up. And I just sat down and I’m sitting there like, what are you doing? He’s like, I’m checking my email. I’m like, no, we have to use like shut up.
And I sat there for like five minutes. He’s like, okay, are you calm enough to talk to you now? I’m like, what do you mean? He’s like, Nope. I was so mad, but he’s like, 20 minutes isn’t going to matter, but you being excited and angry and on the edge, you’re going to make it worse. And I was like, my goodness. You’re so right. Like you totally knew what you’re doing.
David Bernstein (34:56) Well, you totally reminded me of two things also. The first is at the CypherCon presentation last year, whenever I was there, we had this whole discussion around crisis management and someone in the audience made this really apt discovery. And they were like, sometimes your role in an emergency is to get out of the way. Don’t underestimate how important it is that if that’s your role, don’t underestimate the importance of that. And the other one is exactly as your old boss had said,
Josh Bressers (35:14) Yes, yes.
David Bernstein (35:25) any emergency, even like the life safety emergencies that I’ve been involved in, taking five seconds to take a deep breath and like,
calm yourself for a quick second so you can start making better decisions, has always worked way better than just trying to go and make decisions and run. And people don’t always see that because they can say, they’ll see that you’re trying to take a minute, and they may misunderstand what you’re trying to do. Taking five minutes to just collect yourself so that you can
perform way better for the next hour is going to have far better dividends than jumping in stressed and never being able to collect yourself and determine how you want to proceed.
Josh Bressers (36:19) Yep, exactly. All right, Dave, I think we’re gonna end it there. That’s awesome ending advice. This has been so much fun. Like I’ll have to have you back to talk about some of this some more, because this is just such an awesome and crazy, just, it’s fun and horrifying at the same time, if that makes sense. Like, you know what I mean?
David Bernstein (36:28) Yeah.
It’s a job with all kinds of perverse incentives. It’s terrible seeing people on the worst days of their lives and being like, yes, this is great. I can’t wait to prove myself and do the plan. But yeah, it’s fun. If it’s nothing else, it’s fun.
Josh Bressers (36:41) Yeah.
Yeah, yeah, for sure. All right, Dave, thank you so much. This has been awesome.
David Bernstein (37:00) Thanks, Josh. Yeah, this was fun.