Career Insights with Upasana Gupta

Lessons Learned from BP Oil Spill

Lessons Learned from BP Oil Spill

The BP fiasco is clearly one of the most devastating environmental incidents in history, and what scares me most is that the company clearly did not have adequate incident response or disaster recovery plans before the oil spill.

Let's look at a few glaring errors that have come to light re: BP's planning:

  • A professor is listed as a national wildlife expert for a Gulf of Mexico oil spill, when in fact he died in 2005.
  • The plan lists cold-water marine mammals including walruses, sea otters, sea lions and seals as "sensitive biological resources." None of those animals actually lives anywhere near the site of the spill.
  • According to the Associated Press, two congressmen reviewing oil spill response plans of the nation's five largest oil companies, including BP, ExxonMobil, Chevron, ConocoPhillips and Shell Oil, stated they are nearly identical. Henry Waxman, Committee Chairman of a House Energy panel, called them "cookie cutter plans," and said they are as unprepared as BP was to respond to a spill.

Louisiana Gov. Bobby Jindal, frustrated and angry, told AP: "Look, it's obvious to everybody in south Louisiana that they didn't have a plan; they didn't have an adequate plan to deal with this spill."

Needless to say, BP is learning tough lessons about incident response and disaster recovery.

But there are lessons here, too, for professionals charged with incident response and disaster recovery in other industries. Among them:

One Size Does Not Fit All: There's no cookie-cutter approach to disaster recovery planning. And yet we know that many organizations - even in financial services - give in to the urge to buy just such a plan from a service provider, vs. developing their own in-house. This "one size fits all" approach has got to go. Every business is different - even within the same industry - and each has unique requirements to maintain essential operations. How a business reacts to an extended power outage, for instance, will not be the same as its reaction to a natural or pandemic disaster. Senior leaders, therefore, should be sure to implement a unique business continuity/disaster recovery plan. And then test it by conducting regular, comprehensive recovery exercises to identify any areas of improvement, as well as any unforeseen variables. Training for the worst-case scenario always helps to identify potential hurdles and improves the organization's ability to handle such incidents.

Reputations are at Risk: Incidents happen - we know that. What matters is not that the incidents occur, but rather how we deal with our mistakes.

You remember the Tylenol tampering incidents of 1982. Johnson & Johnson conducted a massive recall and quickly established new tamper-proof packaging, setting a corporate standard for incident response. The case has gone down in business history as an example of what to do when disaster strikes. In fact, even in the wake of the Heartland Payment Systems data breach - the largest in history - senior leaders, including CIO Steven Elefant, emerged trying to make favorable comparisons between Heartland and Tylenol.

Contrast this with BP CEO Tony Hayward, whose response to the congressional hearing last week was that he was out of the loop on decisions at the well. He clearly could not point to what caused the disaster and failed the public opportunity to preserve the company's and his own reputation.

Within information security, reputation is key, and in a recent blog posting I clearly cite how crucial reputation is. Our professionals are supposed to be above reproach -- role models of character, ethics and service, as they protect data and mitigate risks within our organizations.

What other lessons can be learned from BP's mishandling of the oil spill? I'd love to hear your suggestions.

But here's hoping, too, that we don't have to experience another huge disaster to remind ourselves of the incident response and disaster recovery lessons we already should have learned.

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.