Lessons Learned from BP Oil Spill

Let's look at a few glaring errors that have come to light re: BP's planning:
- A professor is listed as a national wildlife expert for a Gulf of Mexico oil spill, when in fact he died in 2005.
- The plan lists cold-water marine mammals including walruses, sea otters, sea lions and seals as "sensitive biological resources." None of those animals actually lives anywhere near the site of the spill.
- According to the Associated Press, two congressmen reviewing oil spill response plans of the nation's five largest oil companies, including BP, ExxonMobil, Chevron, ConocoPhillips and Shell Oil, stated they are nearly identical. Henry Waxman, Committee Chairman of a House Energy panel, called them "cookie cutter plans," and said they are as unprepared as BP was to respond to a spill.
Louisiana Gov. Bobby Jindal, frustrated and angry, told AP: "Look, it's obvious to everybody in south Louisiana that they didn't have a plan; they didn't have an adequate plan to deal with this spill."
Needless to say, BP is learning tough lessons about incident response and disaster recovery.
But there are lessons here, too, for professionals charged with incident response and disaster recovery in other industries. Among them:
One Size Does Not Fit All: There's no cookie-cutter approach to disaster recovery planning. And yet we know that many organizations - even in financial services - give in to the urge to buy just such a plan from a service provider, vs. developing their own in-house. This "one size fits all" approach has got to go. Every business is different - even within the same industry - and each has unique requirements to maintain essential operations. How a business reacts to an extended power outage, for instance, will not be the same as its reaction to a natural or pandemic disaster. Senior leaders, therefore, should be sure to implement a unique business continuity/disaster recovery plan. And then test it by conducting regular, comprehensive recovery exercises to identify any areas of improvement, as well as any unforeseen variables. Training for the worst-case scenario always helps to identify potential hurdles and improves the organization's ability to handle such incidents.
Reputations are at Risk: Incidents happen - we know that. What matters is not that the incidents occur, but rather how we deal with our mistakes.
You remember the Tylenol tampering incidents of 1982. Johnson & Johnson conducted a massive recall and quickly established new tamper-proof packaging, setting a corporate standard for incident response. The case has gone down in business history as an example of what to do when disaster strikes. In fact, even in the wake of the Heartland Payment Systems data breach - the largest in history - senior leaders, including CIO Steven Elefant, emerged trying to make favorable comparisons between Heartland and Tylenol.
Contrast this with BP CEO Tony Hayward, whose response at last week's congressional hearing was that he was out of the loop on decisions at the well. He clearly could not point to what caused the disaster, and he missed a public opportunity to preserve the company's reputation and his own.
Within information security, reputation is key, and in a recent blog posting I clearly cite how crucial reputation is. Our professionals are supposed to be above reproach -- role models of character, ethics and service, as they protect data and mitigate risks within our organizations.
What other lessons can be learned from BP's mishandling of the oil spill? I'd love to hear your suggestions.
But here's hoping, too, that we don't have to experience another huge disaster to remind ourselves of the incident response and disaster recovery lessons we already should have learned.