The initial response to the COVID-19 pandemic put cybersecurity programs to the test. While organizations quickly rolled out business continuity plans to transition workers from the office to the home and to migrate business online to keep customers and supply chains moving, cybersecurity leaders have worked to help keep the business protected from an onslaught of cyber threats designed to prey on the disruption and uncertainty caused by COVID-19.
For cybersecurity leaders, this event presented a rare real-world test of how well their cybersecurity programs—their people, processes, and technology—can withstand and flex during a severely disruptive business event. And, while many are already looking ahead to what happens next and contemplating what enduring effects COVID-19 will have on the business, it’s critical for cybersecurity teams to take time now to pause and reflect on what just happened.
Right now is the best time to assess your cyber response to COVID-19, to identify any gaps or failures in process or controls, and to take stock of any urgent changes that were made to your network or IT environment. While it’s not a simple task, taking time to conduct a thorough assessment can help you to understand where your cyber risk posture stands today and make incremental improvements towards a more resilient one.
If you haven’t yet conducted an assessment or retrospective in light of this event, here are some tips to consider in doing so:
Don’t put it off.
Having led a few retrospectives myself, I know how difficult (and sometimes, uncomfortable) it can be to pause and reflect on performance while the dust is still settling, more so if that performance was anything less than stellar. It can be tempting to immediately move to the next task, especially considering how much planned and routine work gets put on hold to deal with an event like COVID-19.
Don’t let the temptation to “get back to normal” eclipse the opportunity to learn from such a seismic event. Right now, while the experience is still fresh in the minds of your team, take the opportunity to evaluate the performance of your systems, policies, and processes, identify and document all of the inefficiencies and gotchas, and make a plan for improvement. Doing so now can help you work towards a more prepared and resilient “new normal.”
Start by identifying what went well.
Borrowing from a retrospective format popular with the agile crowd, it’s a good idea to start any review or assessment with the question of what worked well. Not only does this kick off your discussion with a positive vibe and an acknowledgement of the people involved, but it can also help you to identify areas of your cybersecurity program that are already performing well today and can withstand a business disruption event.
Make sure to communicate this information beyond the cybersecurity organization. Take the opportunity to let the rest of the business know how the prior investments made in your cybersecurity program—whether in technology, people, or services—have paid off by helping to keep the business protected and operational during such a turbulent time.
Use a cyber risk framework as a yardstick.
It can be a big undertaking to conduct a review of your cybersecurity program. Rather than starting with a blank page and asking, “what isn’t working well?” or “where do we need to improve?” consider using an established cybersecurity framework such as the NIST Cybersecurity Framework (CSF) as a guide for your assessment. This can help you to conduct a holistic and thorough review of your program rather than focusing on only the most acute pain points. In particular, NIST CSF has some nice features and free resources that make it easy to adapt for organizations of varying size, industry, and risk appetite.
You might also consider reviewing any regulatory compliance requirements you might have, such as PCI DSS or HIPAA. This can help you to identify technical controls that may require attention before your next audit. For example, PCI DSS 11.2 specifies that organizations should “run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” Sudden and widespread shifts to remote workforces and other changes made in response to the pandemic could constitute “a significant change in the network,” so it’s important to check with your assessor or advisor.
Additionally, you can use our cybersecurity risk mitigation maturity self-assessment tool to benchmark your cybersecurity posture relative to your industry peers. Take this free assessment to see where you stand.
Make it actionable.
To me, the worst kind of failure is the kind that repeats. The next time your organization faces a business disruption event (and it will), you’ll want to be able to point to all of the work you did between then and now to shore up your defenses and response plan. Thus, make sure that any review or assessment you conduct concludes with a prioritized action plan and a commitment by all stakeholders to follow through on it.
Your plan doesn’t necessarily have to move mountains. Focus on incremental gains by asking what small actions or changes you can make quickly with minimal effort that can help drive a potentially big impact. For example, did you conduct any employee cybersecurity awareness training during COVID-19 to help your workers identify and report phishing attempts, or to reinforce good security hygiene as workers transitioned from office to remote work?
In your action plan, make sure to consider any “debt” that you accrued during your response. Did you make any sudden or unplanned changes to your network, IT infrastructure, security policies, or other systems as part of your response? Did you bypass any due diligence or protocols that you would normally have followed? If so, identify the retroactive steps you’ll take to restore a good cyber risk posture. You may also want to consider making a managed vulnerability assessment, penetration test, or red team exercise part of your near-term action plan.
Consider engaging a trusted advisor to lead your assessment.
If the idea of conducting an assessment right now seems a bit cumbersome, don’t worry; you don’t have to go it alone. Consider enlisting a third-party trusted advisor to lead the assessment for you. A trusted advisor who specializes in cyber risk management can bring the following advantages to your assessment:
- Efficiency – A trusted advisor can save you time and resources by taking on the preparation, documentation, and reporting of your assessment, leaving you and your team free to be active participants.
- Rigor – A trusted advisor can offer deep expertise and experience in conducting cyber risk posture assessments aligned to widely adopted cyber risk frameworks.
- Validation – A trusted advisor can help you to underscore and validate your successes with your business leadership and create a sense of urgency for your improvement plan and any investment required.
- Objectivity – A neutral, discerning third-party expert can help you to avoid unintended bias and blame and can place your cybersecurity program in the context of your business goals.
- Resources – A trusted advisor can help to prioritize your action plan and provide resources and recommendations to help you move faster towards your goals.
AT&T Cybersecurity can help. For over 25 years, its consultants have provided trusted advisor services to help organizations of varying size and industry assess their cyber risk postures, recover from cyber incidents, and make strategic plans for creating a more resilient and sustainable cyber risk and compliance program.