Darth Vader Needed a Business Continuity Program to Save the Death Star
As a huge Star Wars fan, I can’t wait to see The Force Awakens. In anticipation of the big event, I re-watched the first three Star Wars films from 30+ years ago. In the first film, A New Hope, the Galactic Empire built the Death Star to rule the galaxy. The size of a small planet, it was impenetrable. It could move, it could blow up planets, and it had a protective force field. The defining moment in the movie was when Luke Skywalker, piloting a small X-wing fighter, blew up the entire Death Star with one shot. If Darth Vader and the Imperial Army had performed the following business continuity steps, the Death Star would still be ruling the galaxy. Likewise, if you follow these steps, you can protect your company from any business disruption.
Understanding what could shut down or destroy the Death Star is an important first step in building a best-in-class business continuity program. A vulnerability assessment answers the question, “If someone wanted to shut us down, how could they do it?” Clearly, the Imperial Army did not conduct a vulnerability assessment. If they had, they would have determined that a single shot delivered down an air shaft could completely destroy the Death Star. They would have determined that someone (like Obi-Wan Kenobi) could have turned off their tractor beam by simply sneaking in and pulling down a couple of levers. If Darth Vader had known these things were even possible, he would have implemented protective measures to address these risks. But, like a lot of leaders, Darth Vader believed “The Death Star can never be destroyed!” Or, put another way, “This will never happen to us.” Sound familiar?
Have a business continuity plan
A business continuity plan documents availability objectives, requirements, strategies, resource requirements, and procedures necessary to recover critical business and technology operations. Darth Vader was clearly shooting from the hip during the rebel attack. If he had well-thought-out, easily accessible plans in his body computer (or iPhone), he could have pulled them up quickly and scrolled through checklists in real time on how to recover from the event. The Death Star’s business continuity plan should have covered things like clear roles and responsibilities, recovery requirements by time period for each business function, alternative work space, and the key technologies and suppliers required for restoring operations.
Conduct a table top exercise
Vader should have conducted a table top exercise with leadership to practice responding to different crisis events based on the plans created. A table top exercise brings leadership together to run through a mock disaster and forces them to make decisions quickly based on how the incident unfolds. For example, how many TIE fighters would we need to respond to an attack? What are the roles and responsibilities for leadership and what alternate locations could everyone go to if the Death Star became inoperable or incapacitated? Table tops create muscle memory – “We’ve been here before, we’ve practiced, and we know exactly what to do.”
Perform a Security Assessment & Penetration Test
Back to what Obi-Wan Kenobi pulled off. He snuck into the Death Star and was able to disable the tractor beam technology by pulling down a couple of levers. There were no locks, no two-factor authentication, and no biometrics. With the tractor beam disabled, the plans for the Death Star made it into rebel hands, and well, you know what happened next. Think about your organization’s sensitive information and what a hacker or outsider could do if they had it. A security assessment and penetration test will find operational security weaknesses and vulnerabilities within external and internal computer systems. Vader also should have performed a social engineering test by sending a phishing email to determine who would respond to emails with malicious links or requests for information. I’ll bet even Grand Moff Tarkin would have clicked an email link with the subject line, “Spring Break Pics From Tatooine.”
The Death Star, like most businesses, must recognize that a disruption can occur at a moment’s notice and without any warning. For organizations to mobilize quickly and take action, preparedness must be ingrained in the culture, with plans kept up to date, roles defined, responses practiced, and vulnerabilities known in advance. Let employees (or Stormtroopers) know regularly about the things you have in place to protect their lives and their business. While total galactic domination or simply hitting your organization’s sales numbers may be core to your mission, so too should be resiliency in the face of completely unexpected events.
Whether you favor The Dark Side or The Rebellion, Darth Vader clearly could have done much more as a leader to keep the Death Star operational.
If you implement these five things, the force will be with you always.