What does a ship’s captain know about information security? A lot, apparently, if that Captain is Richard Phillips of Maersk Alabama fame. If you recall, this ship was the target of a failed hijacking attempt by four Somali pirates in April 2009. The ultimate failure of the hijackers, despite their early success in penetrating the perimeter of the ship, was in large part due to the leadership and strategic skills of Captain Phillips.
I recently had the opportunity to hear Captain Phillips speak at an event where the target audience was information security professionals. The lessons of the Captain’s experience were very relatable to that audience.
When Captain Phillips joined the crew of the Maersk, he took a couple of days to settle in and observe. He was concerned that security seemed a bit loose on board and decided to drill the crew. He did this repeatedly, each time learning from the failures of the previous drills. He and the crew, working together, improved things to a point where each member understood his role and responsibilities in case of an attack.
Sound familiar? Through iterative testing and analysis he helped his crew understand the policies and the actions that would increase their chances of repelling or surviving an attack by intruders. He made sure that any attack had to go through multiple layers of defenses. When the attack came, not everything worked as planned and practiced, but enough worked to ultimately assure the lives and safety of the crew.
Captain Phillips’ experience reminds us of our need to have policies that make sense and procedures that can be followed, especially under the worst of circumstances. He reminds us to educate our teams and organizations on their roles in executing those procedures. We need to test, test and test again. Learn from failures and successes and you and your crew will survive to tell the tale.
Hopefully you won’t need the help of US Navy SEAL marksmen to repel your next attack.