Right now, we are all dealing with uncertain times, given the COVID-19 pandemic. The organizations we work for are depending on us now more than ever to avoid cyber-intrusions as the work dynamic around us changes rapidly.
In this blog post, we will discuss some of the important areas a security leader can focus on right now and how best to make sure your company and your teams are prepared for whatever comes down the road. While this advice is good for any situation when large numbers of employees are working remotely, it is even more relevant during a high-profile crisis that attackers are likely to take advantage of.
Open up your business continuity and resumption plan (BCRP)
Whether you are opening up your BRCP plan because you need to use it or are just dusting it off to make sure it’s ready, now is the time to start thinking through how your company will operate in a work-from-home scenario, at a reduced operating level, or just with essential personnel. The BCRP for continued IT and security operations ensures your company is able to operate in various situations and determines what you would do in these operating modes should a cyber-incident occur.
One of the most important sections of a BCRP is the contact list. Make sure you and all of your teammates have this plan printed out at home, and that you have an updated list of both cell phone and landline numbers available.
If it has been a while and you are not opening this document to put it into immediate use, now is the time to test it out in a tabletop exercise (TTX), even if only with a small group of people. There is no better time than the present to ensure everyone knows what you are going to do and how people will stay connected to keep operations running.
Validate your security posture
Spend some time working with both your security and IT teams to ensure your critical systems are up-to-date and patched, such as your endpoint detection, intrusion detection systems, web content filters, VPN clients, and MFA/2FA token generators. Focusing time on making needed changes or updates now means you wont need to do these activities should remote work become mandatory for everyone.
If remote work has already become a necessity or a mandate, take inventory of what state your security infrastructure is in and have your team surface any issues or gaps with the current posture. You want to try to avoid performing a major, unplanned upgrade in uncertain times, and preparing and planning for it sooner rather than later will help ensure the change is a success.
Get a cybersecurity awareness communication out
Now is an excellent time to get an awareness communication out to your organization that focuses on the things your employees need to be thinking about while working from a location other than the office. Key messages to convey include ensuring your VPN can support the load, protecting corporate data by only using authorized storage systems (cloud or on-premises), and making employees aware of their digital surroundings.
Partners and vendors can help
Trusted partners and vendors are motivated to help you navigate this situation, and some are even allowing existing and new customers free temporary licensing to deal with the surge capacity created from a new model where everyone works from home. This approach, where your partners and vendors can really show the partnership and value of the relationship, will enable you to continue to deliver quality services to your employees and your customers.
Compliance posture concerns
As your company’s security leader, one of the many questions you may be receiving is, “Are we going to be able to maintain our compliance posture?” In a perfect world, compliance becomes a by-product of a well-run and finely tuned security program. However, in times of uncertainty, security controls may need to be partially relaxed to give way to immediate employee and customer needs.
Those trade-offs need to be carefully considered and documented. While the temporary risk tolerance adjustments may be appropriate given the current situation, they could come at a cost of impacting the organization’s compliance. After all, there's nothing quite so permanent as a temporary fix. Focus on the areas where the risks cut across the compliance, and make sure you are expressing those to your executive teams.
Revisiting your SLAs
One of the main things your entire organization is going to be focused on is service delivery, both to your customers as well as to your employees. Many businesses will struggle with this, and as the organization's security leader, your role is to help inform the areas where risks could be realized and impact the business.
Whenever there is an issue in the non-virtual world, the cyber-scammers and crooks launch campaigns aimed at taking advantage of uncertainty and people’s fears. These are things you need to anticipate and communicate as potential situations that could affect business operations. Within the security team, now is the time to have the conversation about how you will detect and respond to these attacks and what steps you need to take now in order to be prepared.
Is now the time to implement a change?
One question you will likely face is whether now is the right time to live with a big change or implementation project. That can be a tricky decision to make. Generally, now is probably not the right time to be making significant changes to business systems, but changes that can help support or enhance the security posture while enabling additional employee productivity are likely going to be a good thing.
Often in the security world, practitioners are viewed as paranoid obstructionists. In our mind, we are focused on providing a high level of support to our companies and ensuring that someone is thinking of all the bad things that could happen so the business can continue to operate. In times of unrest and uncertainty, it is our time to really make an impact, but in order to do so, we need to present our perspectives in a way that paints a continuity focus picture and not an obstructionist one. So, if you have been working on or need to make a change, now more than ever make sure you are looking at the benefit through the eyes of the executive leaders and ensure you can explain how your goals align to the company objectives.
What to communicate right now
Communication between security leaders and their executive leadership team should occur as they always do. During times of distress, communication becomes even broader and more visible. The things to focus on right now should be aligned to your business continuity, employee productivity, customer success, and operational reliability. Make sure to articulate how cyber can impact those areas as operating change occurs and what material impact the change has to your cyber-risk posture (where applicable). It will also be necessary to make adjustments in security controls and operational systems, and understanding how compensating controls can negate exposure will be critical. The message should be the same to your team. Make sure they understand that right now it is time to over-communicate to you and the other security leaders. Staying in close contact and virtual proximity will allow everyone to do your jobs, albeit using slightly different approaches.
As we are all impacted in different ways during this pandemic, know that we are all trying to accomplish a lot of the same things, and now is a time for finding new and creative ways to work together. If there have been silos in your organization in the past, focusing on how to break those down will serve you well now and when the world normalizes again. It is okay to feel stressed and uncertain—just know that you are part of a much broader community, and don't be afraid to reach out, share information, and definitely ask for help when you need it.