Lessons from a 90’s disaster flick on risk communication
By Rob Eslinger
Has anyone seen the movie Armageddon?
It’s a wonderful example of the big budget, big explosion movie craze of the 90’s and Michael Bay was king of this type of film making. However, I don’t think Mr. Bay (or the writers, Jonathan Hensleigh, J.J. Abrams, and Tony Gilroy) had the plight of Third Party Risk Management (TPRM) leaders in mind when creating this awesome movie. But the premise of Armageddon provides a very succinct encapsulation of what TPRM teams deal with every day.
Here’s how it goes: A giant asteroid has been spotted hurtling its way through space directly towards Earth. The whole world (and because this is an American-made 90’s action movie, I mean the US Government) is putting all their resources into figuring out how to stop this thing. I won’t spoil it for you, but they decide that “roughneck” oil drillers (Bruce Willis, Ben Affleck, Owen Wilson, Steve Buscemi, Michael Clarke Duncan – it really is a 90’s star-studded cast!) are the way to go.
Anyway, there’s a scene early on where the heads of the NASA space agency are briefing the President on the situation – very much in the way cyber risk management teams may brief the board or the CEO when a significant cyber event takes place.
The President (think non-technical stakeholder) asks, “How big is this thing?” and a NASA scientist (think risk analyst) stands up and spouts off the size of the asteroid, in meters, with 7 or 8 decimal points of precision before the head of NASA (Billy Bob Thornton) cuts him off and says, “It’s the size of Texas, Mr. President.”
This is a perfect example of knowing your audience and speaking at the right level. Most executives don’t want the nitty gritty details when faced with a potentially serious event – so we should never start there. Instead, start with the big picture and let them ask questions if they want to know more. I’ve seen many CRQ projects stall out because the analyst team is dead set on perfect input data when their stakeholders just want enough to know the big picture. Is the thing coming at us the size of Texas or more like “Volkswagens and basketballs?”
The President goes on to ask the head of NASA, in a rather surprised tone, “Dan… we didn’t see this thing coming?” The response from Billy Bob Thornton perfectly encapsulates what we are dealing with every day as risk leaders. He says, “Our object collection budget’s a million dollars. That enables us to track about 3% of the sky. And beggin’ your pardon sir, it’s a big ass sky.”
And that’s it right there. This is the reality for many TPRM programs. As risk leaders, we know there’s an asteroid out there. But we struggle every day to convey the significance of the risk and forecast where that impact is going to come from because, quite frankly, it’s a big ass sky.
I hear it almost daily from customers and prospects: “I have 3,000 vendors but I can only afford to monitor 100 of them.” If you’re in charge of one of these programs and one of these big, catastrophic supply chain outages hits your organization, you can either answer your surprised executives by quoting Billy Bob Thornton or you can come talk to Safe Security.
The SAFE One platform will guide you to prioritize cyber risk management on the risks with the biggest, most probable impacts on your organization – and reveal the most effective remediations.
Learn more about SAFE One, the industry’s only unified cyber risk management platform and contact us for a demo.