If we can say nothing else about this crisis, it has been a paradigm-shifting moment for most of us. Just about everything we thought we knew about what “normal” life is has been disrupted and tested for strength. In many cases we have embraced the best and worked hard through the problems. Anything that is global happens slowly and looks different as it makes its way around the world, but no matter where in the world you are, some form of these questions is heard over and over: How in the 21st century is this still possible? How is it possible that our business and economic stability can be strained so intensely and our businesses have such a tough time responding?
In short, primarily it’s because we did not take the chance of this happening seriously in our business decision making and continuity planning. While many of us love a good virus outbreak or zombie attack movie, the majority didn’t believe it could actually happen. Often, we just classify it as a low probability, high impact event in our risk registers and say that we don’t have to prepare for it, or that it is the first program funding we cut in tough economic times.
In the 1980s and 90s, the security industry spent huge amounts of effort in trying to call out the need for better business continuity planning and pathogen prevention, but was generally rebuffed by business because of the cost and the lack of real definable risk data.
Those who did plan and built this type of preparation into their DNA seemed to have survived this pandemic quite well, and this has validated the benefits of business continuity planning and recovery.
So, what can we learn from this current situation that will help us to better plan for the future and into the next crisis? To answer that question, we must first embrace the idea that this is an undefendable risk! The global impact and financial catastrophe a global pandemic causes cannot be defended by one organization. What you can do is plan for and recover from the event at your optimal level.
1. Doing More With Less
While you can argue that some industries are harder hit than others, global economics will impact most industries harshly after the panic buying subsides; many CIOs already report large budget clawbacks, hiring freezes, and wage rollbacks. The old mantra of doing more with less has raised its ugly head once again, and it’s not taking prisoners this time.
So, responding to this budget pressure positively will set you up for success the next time around. Outsourcing non-essential or non-strategic functions, measuring your existing tool sets and consulting services against your organization’s digital transformation imperative, and rationalizing unneeded tool sets and legacy applications can all drive costs down.
For example, high-cost support contracts often exist because of a legacy application that requires specialized expertise to maintain or manage. Maybe it’s time to have that difficult business conversation and move to a new, simplified tool in the cloud? It will be more resilient in the next crisis and save you a lot of money.
On the cost containment front, here is a simple list to consider:
- Automate (wherever possible)
- Consolidate (vendors or products)
- Standardize (business process)
- Centralize (operations)
- Virtualize (software)
- Cloudify (infrastructure – private, public, hybrid)
So, whether it’s from looking to take advantage of volume discounts, consolidating to an Enterprise License Agreement, or rolling up agreements with fewer vendors for multiyear discounts, the name of the game is definitely cost control.
2. Remote Workforce Resilience
Three “protective or facilitative factors” (as psychologists call them) predict whether people will have resilience:
- high levels of confidence in their abilities,
- disciplined routines for their work, and
- social and family support.
Not all leaders are equally adept at managing in the remote environment. Using “normal” operating conditions to train leaders and managers to be skilled at managing during a crisis and while remote is a good strategy. Building capacity to spot signs an employee is not operating effectively or having difficulty is a great capability building effort.
Resilient teams will improvise better and will adapt to the changing or fluid environment.
Once teams are skilled and comfortable with both their ability to handle the work remotely, and their managers’ ability to manage them, then they can get back to performing in this new normal environment.
3. IT and Security Strategy
Good cyber security strategy should be lockstep with the IT strategy, just like good IT strategy is lockstep with the business strategy. If this crisis has taught us one thing it’s that the cyber security strategy needs to be ruthlessly aligned to the IT strategy, especially during a crisis. The ability to deliver on security objectives must be thought through for all eventualities because during a crisis is when the bad guys will attack; they are unconcerned about your problems and are hoping for your weaknesses.
In short, it’s time to develop and pressure test a new and more resilient security strategy!
4. Business Continuity Plans and Testing
Similar to security strategy, the business continuity and disaster recovery program has been tested. In some cases it bent, and in some cases it broke. There are several cases where companies were well prepared, but some of their assumptions were incorrect.
- They assumed a shorter dwell time: Business continuity plans have generally considered a dwell time of days or a few weeks. It’s safe to say very few expected months or quarters.
- They assumed normal funding would be available: Because predicting a global economic slowdown and crash is difficult, it was not generally considered reasonable that you would not have access to your expected full budget. The economic situation that is driving significant cost cutting today is a direct result of the combined crisis and economic crash, and potentially a predictive event for future budget cycles.
- They assumed staff would be mostly available: Most business continuity plans assume some staff reduction, but entire teams not showing up for work, being unable to replace workers with new hiring, and sudden staff retirements were not always considered. In the aftermath of this crisis it’s time to revisit the assumptions of the business continuity plan and restart those tabletop exercises with the new world in mind.
It is important not to assume that, just because this crisis is a pandemic and predictions of future pandemic waves are common, the next crisis will be another pandemic wave; it could be a financial depression, war, nationalistic trade restrictions, or anything else.
5. Remote Access Needs a Makeover
Remote access was truly the star of the show during this crisis. Legacy VPN, scaling problems, employee monitoring, and compliance requirements all added wrinkles to the issue. Whether traditional VPN or more modern Software Defined Networking, remote connectivity needs a makeover. As for remote meetings, the Zoom controversy kept us all entertained, but the question is, how do we work these issues back into a strategy, assess the risk, and prepare for the next crisis?
6. Understanding Executive Risk Tolerance
Getting executive input on risk tolerance has been challenging for some risk leaders as executives had few serious threats to pressure test their opinions against. This crisis has given the business a new appreciation for potential threats and how IT and security can enable the business to succeed during that crisis.
This is a great time to engage with executive leadership on their expectations around risk, in the context of business performance and funding for protections.
7. Effectiveness of Controls
Use this time to reassess what you already own in the technology space and either optimize it or euthanize it. It’s costing you money and may not be delivering the business value the business needs. Most businesses find, upon reflection, that the utilization ratio on available security tool features is very low, and that they have acquired multiple tools with the same capabilities.
8. Tracking Changes in Threats Against Remote Workers
We have seen significant numbers of attacks against remote workers during this crisis, and a series of attack changes. Monitoring for these attacks and the associated changes is important and will teach you how to better defend yourself for the next crisis. Further, given the myriad of end-user configurations now in use, including letting employees buy their own computers and connect directly to the company without a proxy or VPN (which is reactionary and high risk to say the least), it is critical to understand what is vulnerable in this new world. Ensuring you can understand how the attacks are changing will be difficult, but worthy of study to defend the next wave.
9. Vendor Management
Evaluate how your vendors served you during the crisis, and where needed, have that tough conversation about their continuity program enhancements, how they will improve, or how they will be replaced.
It’s highly likely that many businesses will not survive this crisis. That is the clear sentiment from all the major business analysts. In fact, whether you subscribe to Forbes, NY Times, WSJ or others, the alignment appears strong that somewhere in the 3rd or 4th quarter, a record number of business bankruptcies will begin to take place in the western world. With these bankruptcies, we will likely see the largest migration of business assets in history. Given this risk, the protection of Intellectual Property and the transfer of IT assets from these lost firms is an area of great concern. The risk of orphaned IT assets left in the cloud and forgotten is real. Through this crisis we have seen literally hundreds of databases forgotten and left exposed in random cloud environments. The opportunity for hyper-accurate asset management could be a deciding factor in keeping and maintaining the value of the assets that are transferred once an acquisition has occurred.
Now is the time to begin planning for crisis response improvement, leveraging the current lessons learned to drive improvements while the change freezes are on and the business is uncomfortably comfortable with crisis. The fundamentals of business, security strategy, cost control, efficiency, and vendor relationships with those who are true partners, are just some of the critical next steps for tuning your crisis management engine for the next wave of global crisis.
About the Author
Dave Tyson, MBA, CPP, CISSP
As President and CSO of Apollo, Dave Tyson leads CISO Insights, the cybersecurity advisory and professional services business unit of Apollo Information Systems. Dave partners with Apollo’s clients to provide …