Harvard Business Review recently published an article by Angela Wilkinson and Roland Kupers called “Living in the Futures.” In it, Wilkinson and Kupers discuss the function of scenario planning at Shell, a practice that has been going on in earnest at the company since the 1960s. There are a number of great nuggets that we can use here in information security to help us plan for inevitable security events. The main goal of scenario planning at Shell is to open up the minds of managers and executives to the possibilities of events in the future. It is designed to buck the tendency to assume that the future will be much like the present, so that when things happen they are well positioned to make adjustments to weather the storm (or capitalize on the opportunity). In fact, a former head of this program is quoted in the article describing this as a technique to “manipulate people into being open-minded.”

Spoon, by felixtsao

Shell’s scenario planning team builds alternate realities for executives to work through to prepare them to sense change and be prepared to address it. Through this, Shell says they have found ways to be more sensitive to weak indicators that change may be coming.

We need to do the same thing in information security. My formula for scenario planning centers on some kind of security incident (duh). It should be run at least quarterly, and the scenarios should vary such that you can rotate executives in and out of the planning (maybe the COO is in two of the four yearly tabletop exercises) and practice dealing with different kinds of problems. Practicing the same problem over and over will make you good at that, but Murphy will make sure that something else happens instead.

Jimmy Davidson, scenario planning lead in the 1960s and 1970s, says that scenarios should be more plausible than probable. He says, “(…) you can never identify all the forces at play. If you could, and see their interactions, then real prediction of the future would be simple.” For example, when we build our scenarios for information security, we might run one in which a contractor for our firm goes rogue and steals a laptop containing IP, even if we have no contractors today and no plans to hire any. It is certainly plausible, and it will prepare you to deal with a number of variations on that same scenario.

Scenarios should be updated as needed and follow current market trends. If we were doing this ten years ago, we probably would not have practiced falling victim to an advanced threat from a nation-state; but we should be doing so today. How do you do scenario planning today? Four IT/IS guys and a box of donuts around a conference table without executive presence? Or full-fledged mock chaos?

This post originally appeared on BrandenWilliams.com.