
Security Planning: Ask What Could Go Wrong

Are you asking the right questions about potential scenarios when thinking about disaster recovery and business continuity?

Dave Lewis, Global Advisory CISO, 1Password

January 10, 2023


I wish I had a dollar for every time we as security practitioners have collectively had a conversation about a zero day — each and every time we've discussed the dangerous nature of the latest vulnerability. I would have a nice tidy sum squirreled away by this point.

We have developed a finely honed ability to run around in circles with our hair on fire. This may cause some of us to chuckle when we think back to incidents that we’ve had to manage or help bring to a conclusion. But it still stings a little to recall how things were managed in the past.

Far too often we learn our security lessons the hard way. Reactive security was, quite literally, the industry's default setting for many years. Even now, I have conversations with CISOs who share tales of incident response activities gone horribly awry. We listen in rapt attention, and yet we never seem to learn the lessons that are in plain view.

Rather than approach security from a reactive perspective, we should always be planning for the future by asking the question: What could go wrong?

What's in Your Disaster Recovery Plan?

For years, companies and countries — governments, rather — have been working hard to move operations to the cloud. This makes perfect sense ... until it doesn't. From reading the disaster recovery and business continuity documents for these organizations over the past couple of years, I've noticed some pervasive themes.

For example, in the event of network failure, everyone would go to the local electronics shop and purchase replacement laptops.

I'm sure that would scale without issue. Oops, sarcasm dial set to 11.

Another scenario frequently listed in these documents was that of a meteor hitting the building. At no point did any of the planners take into account the fact that if said disaster had taken place, the local landscape would be desolation as far as the eye could see in any direction.

When Planning, Ask: What If?

But what if a country invaded yours? What if there was a completely unprovoked attack? How would you operate if your cloud instance was hosted in the aggressor's country? How would you be sure that your system would have the security resilience to survive such a scenario? Are these questions included in your disaster recovery and business continuity plans?

The war in Ukraine has served as an exemplar of worst-case scenarios for any country in the world today. There was a great deal of "what if" planning for various wartime situations long before the Russians ever crossed the border into Ukraine. The world needs to take note and start answering these questions.

Perhaps it is time to entertain a retreat from how we have approached globalization. We should look at how we can run our systems reliably if we had to sever connections with the rest of the world.

This line of thinking may seem extreme, but it's far more realistic than preparing for a meteor strike, let alone queuing up at the local electronics shop to buy laptops, along with hundreds of other companies.

If a cloud provider was cut off from the Internet for whatever reason, what would be your contingency plan to weather the storm? We have to be vigilant in the face of threats ranging from pickup trucks hitting power lines, to chip fabrication plants needing to move to other countries due to ever-shifting political issues.

Building out our strategies to reduce risk and increase our security resilience will go a long way to help address the clear and present dangers we face in this modern age.

About the Author

Dave Lewis

Global Advisory CISO, 1Password

Dave is the Global Advisory CISO at 1Password. He brings over 30 years of industry experience, extensively in IT security operations and management, at companies such as Akamai, IBM, Duo Security, Cisco, and AMD. He is also the founder of the security site Liquidmatrix Security Digest as well as host of the Liquidmatrix, Plaintext, and Chasing Entropy podcasts. Dave currently serves on the board of directors for BSides Las Vegas and the advisory board for the Black Hat Sector Security Conference. He co-founded the BSides Toronto conference and was a goon on the speaker operations team for DEF CON for over 13 years. He previously held a board position at (ISC)². For fun, Dave loves playing bass guitar, grilling, and spending quality time with his kids. He’s also a part owner of a whisky distillery and a soccer team.
