Security Think Tank: Coronavirus crisis helps put security in context
In our globalised world, high-profile events such as Covid-19 have huge business impacts, some of which may be felt by CISOs. What responsibilities do security professionals have in such circumstances?
The information security function is not an island, or an ivory tower. Omdia (as Ovum) has long focused on the big picture of cyber security – technology as one of the triumvirate of people, process and technology that comprise security controls. Furthermore, the influencers on security – governance, risk and compliance – are crucial inputs to an organisation’s security posture.
The effects of the coronavirus – Covid-19 – are far-reaching in the business world. Supply chains are being disrupted, share prices are dropping and enterprises are frantically looking for new ways of working to maintain as much of a semblance as possible to “business as usual”.
The information security function is no exception to this disruption, and in this light business continuity and resilience have never been more important. Even before the outbreak of Covid-19 these topics were high up the agenda of chief information security officers (CISOs).
From the perspective of the information security function, dealing with the disruption caused by Covid-19 starts with the risk function and leads into security. This virus is clearly a risk to many organisations. The likelihood of an enterprise being affected by Covid-19 is increasing by the day, and the level of impact on the organisation can range from very low to very high. Risk mitigation can be anything from increasing remote working to switching suppliers to reducing the working week – all real-world examples from the past few weeks.
Even while the risks are being assessed, the information security and IT functions should ensure that remote working plans are up to date, and that all affected employees (and contingent workers) have access to the tools, technology and equipment they need to be able to operate effectively outside the office environment.
The human factor should not be forgotten – security controls are about people, process and technology. As such, some of those new to remote working will need to be trained appropriately (and others are likely to benefit from a reminder), so quickly rolling out updated remote worker training is likely to be beneficial. We have also seen a sharp rise in phishing emails that use the coronavirus as a lure, so make everyone connected to organisational systems and data aware of this and remind them to report any suspicious emails.
Also, take advantage of technology champions throughout the business – those individuals who have good knowledge of business systems and technology, but who do not work for IT. Ensure that these people are engaged and empowered by IT with the information and tools they need to support their colleagues.
Enterprises should be testing their business continuity and resiliency plans in light of the coronavirus, and the information security function plays a key role in this. Resiliency objectives should be aligned with business objectives to minimise the impact of a variety of risks, including environmental ones such as Covid-19. The information security function will work with business continuity and resilience specialists by providing assurance that security risks are being managed within acceptable levels.
Covid-19 knows no boundaries and the same should apply to the information security function, working across the enterprise to mitigate the risks appropriately.