Comments from Simona Rollinson, Chief Technology Officer, ISACA:
No matter an organization’s size or level of sophistication, its level of maturity in business continuity and disaster recovery will vary. However, one thing that applies to all organizations is that the best time for sound planning is before a crisis develops. I can never stress enough the importance of planning for a pandemic, cybersecurity breach or any other major incident.
Technology can be a great equalizer and provide enterprises with the ability to conduct business remotely. This is the good news. The bad news is that this is not the time to start setting up the remote access infrastructure or test new processes. Planning for disaster recovery/business continuity is hard when the waters are calm, let alone when they are choppy. We tend to swim in ambiguity and conflate many processes/procedures that may be left half-baked. So, when in crisis, this is ideally not the time to ask for sophisticated or long-term disaster recovery/business continuity plans.
An organization’s focus should be on the immediate needs – within the constraints of the current work environment. My top four areas of focus, in order of priority, and key questions to ask for each are:
- Put safety first! Are our people safe at work? Should we do anything to provide for additional measures?
- Establish a crisis team. Who is on the team? Exact roles/responsibilities? How do they communicate with each other?
- Assess remote work policy and technology. Can we work remotely, do we have the technology to do so, and has the organization been designed architecturally to support all staff operating in a remote capacity? Which functions are able to work remotely? What services require access to a network? In addition to answering these questions, it will be important to reiterate security best practices for those who work remotely in their own private spaces, but also for those who decide to conduct work while at a library, coffee shop, hotel or other setting.
- Model scenarios and establish priorities based on up-to-date information. Can we continue conducting business with 25% absenteeism? With 50%? What are the critical functions? What are the critical roles? Are people cross-trained as backups – two to three deep in each role? Do we have a way to communicate with third-party vendors, like managed service providers and the supply chain, to have up-to-date information on their constraints and the impact on our business?
In addition, establishing communications protocols is wildly important. A consistent message from the top is key so that line managers do not create more confusion and ambiguity, and the crisper and clearer the instructions, the better. You’ll want to be able to answer the following questions:
- Who do employees and customers call/email/IM? How do they hear back from someone?
- How do we communicate to our customers if there is a degradation of service? Who does this?
- Who speaks in the voice of the crisis team/CEO/Board?