
Synthesize Risk Signals, Optimize Response for Better Preparedness (Part 2 of 4)


Entering the second week of National Preparedness Month, the lesson is clear: we’re not short on risk signals, we’re running short on our ability to connect them and address them in a timely, consistent, and accurate way.

In case you missed the first blog in this series, we define preparedness as the proactive and continuous planning, coordination, organization and evaluation of response capabilities prior to a disaster or crisis. Preparedness demands collaboration across departments and sectors.

Historically, technical teams have focused on tools and dashboards while civic leaders focused on budgets and high-level mandates. These things are good, but as a society we must do more, because for citizens what matters is that the water is safe, the power stays on, and buses run on schedule.

Preparedness means seeing the signals before they’re red. It means seeing the signals across domains—technical, procedural, financial, and social—and assigning accountability levels so that we act accordingly, and in coordination with others. In a word, preparedness means integration.

Everyone Plays a Part in Preparedness

For city and county managers, the challenge is often orchestration. That’s true of any organization, private or public.

Regardless of sector, the biggest problem with risk is that it doesn’t sit neatly in one department, assigned to one team and treated by one set of tools:

  • If IT flags a ransomware event, what are the downstream consequences?

  • If utilities report deferred maintenance, what are the downstream consequences?

  • If finance reports thin reserves, what are the downstream consequences?

  • If public safety warns of response gaps, what are the downstream consequences?

Each is a signal, each compounding a potential consequence.

However, no signal tells us the full story. For the public sector, leadership means connecting the dots without citizens ever knowing there may have been a threat to service resilience.

Preparedness Begins with a Mission and Goals

Before embarking on a preparedness project, it’s important to consider some goals. 

Goals flow from mission statements, giving shape to objectives, and lending direction to actions. A simple mission statement for a preparedness charter could be the following:

“The mission of this program is to build a strong and viable ‘preparedness fabric’ spanning departments, sectors, businesses, and communities at once assuring the quality, reliability, timeliness and resilience of critical services.”

A useful tool for goal development is the goal-question-metric (GQM) approach. Its effectiveness is in its simplicity; for momentum, collaborate with other teams using a Kanban approach. This process can be virtual or physical, and it is engaging.

To illustrate how a GQM might shake out, consider the following example: 

Goal: “Ensure all critical business processes (CBP) are documented in the knowledgebase before end of year.” 

Question: “Are all CBPs identified and accounted for?” 

Metric: “% of CBPs identified and recorded in knowledgebase” 

For the sake of morale, it’s really important to begin with low-hanging fruit for high-velocity, sustainable wins that prove value and compound over time. This yields confidence among teams.

The idea is not to bury teams with yet another metric system; it’s to prove that actual progress is being made, which further illuminates the path forward.

Understanding Key Risk Indicators

Key risk indicators (KRIs) are data points that alert organizations and teams to pre-conditions and post-conditions of a system or process in relation to an event or circumstance. What’s more, KRIs benefit when they are enriched with context.

Conditions may be positive or negative. Preparedness requires first distinguishing between leading and lagging indicators:

  • Leading indicators are the early warning signs: signs of process strain, gaps in communication, and similar anomalies. These signal pre-conditions.

  • Lagging indicators are the evidence of impact, failures already being felt and realized by departments, teams, or the public. These signal post-conditions.

When leaders look only at lagging indicators—after outages, after lawsuits, after citizen backlash—they miss an opportunity to strengthen public trust.

Proactivity equals stewardship, and reactivity undermines it. For better preparedness, state and local government agencies must ensure transparency across the risk spectrum and across the RACI matrix.

Diving into Leading Risk Indicators

As mentioned above, leading KRIs are the things that alert us to pre-conditions, or those things that, if left unchecked, could result in an incident. In the current context, these are the indicators with potential to trigger a preparedness event.

Examples of leading risk indicators could include the following:

  • Cyber domain: anomalous traffic into and out of SCADA networks

  • Physical domain: wildfire risk days and rising load forecasts (power)

  • Financial domain: declining reserve funds

  • Operational domain: overtime spikes among critical staff

In short, leading indicators are events.

If existing systems flag cyber events as indicators of compromise (IoC), then an incident could be imminent unless there are defenses in depth (DiD) within the service delivery chain designed to limit impact or reduce the potential blast radius.

Preparedness demands attention to leading indicators; the alternative is suffering lagging indicators and their myriad societal consequences.

Diving into Lagging Risk Indicators

Many have felt the sting of lagging indicators:

  • Cyber domain: after a personally identifiable information (PII) breach is disclosed

  • Physical domain: after pumps fail in a flood, because sensors couldn’t convey leading indicators

  • Financial domain: after emergency bonds are issued or bond ratings drop

  • Operational domain: after citizen deaths or major service failures

As is the case with leading indicators, lagging indicators tell us many things, but by this time discussions are about “never wasting a crisis.” Sadly, many crises are avoidable.

Always Be Connecting Dots to Societal Outcomes (A.B.C.D.)

Preparedness isn’t about data collection alone; it’s about mapping signals to outcomes citizens care about and doing so reliably. This is where continuous monitoring (C-MON) helps teams and entire agencies to improve or sustain:

  • Power reliability

  • Clean water delivery

  • Public safety responsiveness

  • Accessible transit

The theme here is risk telemetry, and this telemetry requires an operating system of risk information—creating a central nervous system or observability layer.

C-MON is the civic heartbeat of community resilience and if it flatlines, citizens pay an undue price—figuratively and literally. For C-MON to function, it’s important to always be connecting dots (A.B.C.D.) across teams, departments, sectors, and society.

Cross-mapping outcomes, critical services, and cyber-physical systems protection (CPSP) requires us to make connections continually.

The Claroty Platform helps with the connection process as well as with snagging low-hanging fruit. Similar to NIST CSF 2.0, the platform also aligns well with NIST’s interagency report “Using Business Impact Analysis to Inform Risk Prioritization and Response” (NIST IR 8286D).

To quote NIST IR 8286D directly:

"an asset’s value is directly dependent on the extent to which it helps achieve the organization’s objectives (or to support other asset’s ability to do so)."

With the Claroty Platform, the business impact assessment play is only a subset of an increasingly familiar playbook:

  1. Asset Discovery (active, passive, both): Identification of mission-critical assets is easy with passive monitoring and greatly enriched using one of the 5 discovery methods.

  2. Device purpose configurations: Once assets are discovered and identified, you can assign a device purpose to each. This helps with assignment of risk prioritization and mission impact.

  3. Business risk and impact configurations: Risk configurations are customizable, offering weighting, location sensitivity, likelihood, and utilizing asset metadata in risk calculations.

  4. Integration within existing security stacks: With over 150 different integrations possible across ticketing system, SIEM, industry-leading firewall, and network access control providers, you can integrate CPS risk signals throughout your security investments, maximizing ROI and enhancing CPS-centered risk.

Regardless of the play, the Claroty Platform offers the same value proposition. 

Risk Optimization: A Key Takeaway 

For Preparedness Month and across society, preparedness is foresight, not hindsight. The question is this: do state, local, and county leaders feel they and their teams are well equipped and empowered enough to connect the dots early and often? Resilience begs it. 

The cycle of reactivity to critical incidents must be broken. A great way to do this is to equip every public service worker and each department function across critical service domains with the tools and authority necessary to act on leading indicators when they’re first seen. This requires better C-MON discipline and comprehensive governance; a CPS protection platform is but one example of an arbiter of critical risk. 

Risks can only be optimized if they’re discovered in a timely fashion. For cyber-physical systems protection, this means deploying continuous discovery and risk routing mechanisms closer to sources of cyber-physical risk across departments within state and local government. Protection of critical services is everyone’s responsibility.

To learn more about how adopting the Claroty Platform can help with the development of cyber risk management practices, schedule a demo with one of our experts.
