As a parent, few scenarios create a greater sense of helplessness than answering your child's question with, "I don't know." This is especially true when the question relates to meaningful aspects of day-to-day life. Right now, I suspect many are finding themselves in this same scenario daily.
There is much we don't know in our current situation. The uncertainty is unsettling, but there is also much that we do know. And those certainties can act as anchors for those of us craving some mental foundations to lean upon.
Let's consider some of those certainties:
- We know urgent, emergency response and action are underway globally
- We know there are established methods and models for managing these immediate actions, the trade-offs and implications they trigger
- We know at some point, the emergency state of response will end, triggering a phase of reassessment of current state
- We know we are resilient and will adapt to a 'new normal' that will present challenges, but also opportunities to apply what we've learned through the crisis
These certainties suggest that crisis response for this current disruption includes phases. Consider the reality playing out today: emergency steps taken
These initial two phases will inevitably be characterized by degrees of chaos given the fluid nature of both the dynamics of the disruption and the variety of security and risk implications that arise from fast-moving measures taken to sustain a business.
Every conversation I've been a part of over the past few weeks has acknowledged that some security trade-offs will have to be made in order to keep businesses up and running and keep employees productive.
Managing these trade-offs in a way that is guided by true business risk is of course the basis of Business Continuity Management. As such, each phase of response is benefitted by following well-established standards, such as ISO 22301, which follows the Plan, Do, Check, Act (PDCA) cycle. By embedding PDCA cycles into phases of response, business, IT, security and risk, leaders can effectively close the gaps created by the trade-offs.
As part of the phase focused on sustaining business operations, a very fast "Plan" step can help identify some basic security measures that need to be put in place, such as multi-factor authentication (MFA). Implementing MFA for a largely (if not entirely) remote workforce becomes part of the "Do" step. In addition to those basic steps, monitoring for an array of threats that will target the expanded attack surface, and a myriad of new vulnerabilities, becomes essential as part of the "Check" step. In the past week, both the FBI and the FS-ISAC have issued warnings about increased cyber-attack activity, such as phishing attacks targeting remote users (e.g., IDS, IPS, mail filters). Typically, controls are in place to mitigate these types of risks when employees are on-premises.
Based on a variety of factors unique to the business, proactive or reactive steps are then taken during the "Act" phase to protect from or respond to these escalating threat vectors.
The first two phases will be cyclical themselves, as changes to the health situation may require additional steps related to containment. They are also uncertain in length, but we do know they will end. With their conclusion will come subsequent third and fourth phases: the third focused on assessing holistically the security and risk implications of each organization's crisis response.
Focus during this phase will likely include closing remaining gaps in network visibility, extending third party risk assessment beyond a supply chain focus to include any cybersecurity implications within the broader ecosystem. As with the earlier phases, PDCA plays a critical role in prioritizing what will be a long list of impacts to assess.
A final fourth phase will involve a transition of security and risk strategies, guided by changes to business strategy necessitated by the long tail of the disruption's impact. In many cases, these are impossible to predict now, although not entirely. If we consider the digital transformation effort many companies have in place to support a dynamic workforce, this objective has obviously been accelerated by today's requirements for remote working. This phase will likely involve significant assessments of the full business continuity and crisis response processes invoked through the first three phases, representing the "Act" component of PDCA.
Reflecting on the unknowns of how these "certainties" play out, I'm reminded of the words of Dr. Zulfikar Ramzan, Chief Technology Officer, RSA who during his RSA Conference 2017 keynote said, "Chaos creates amazing moments of truth and forces progress that can be painful."
At RSA, we've been spending a great deal of time working with customers to help them address the security and risk implications of these phases, and the current chaos they create. These discussions are helping us understand the immediate PDCA cycles happening for organizations, as well as those that will come with subsequent phases.
# # #
RSA recently launched a new webpage where you can keep up-to-date with a variety of topics and resources to help your organization navigate the current disruption. There, you'll find a growing number of webinars and pieces of content to help manage the business disruption facing all of us.