The security team has a particular responsibility in helping to answer these questions. The mission of a security team is to protect a business from risk. The risk of a pandemic eliminating supplies, services, and customers, as well as forcing employees to stay home, etc., probably was not on the radar of most businesses. It is now though.
Risk management forces the business to do three things about where we are, right now, in a heightened state of awareness:
- Anticipate risks. What things could impact our business's operations? We can brainstorm, we can look at history, we can look at what's happening to other businesses in our industry or region, we can look at our operations and list the conditions that would be detrimental to their success. All of these activities should be inputs to our risk management effort. We won't anticipate everything, but we should do our best to be holistic.
- Prioritize risks. We need to answer the question, what risks would be the most impactful to our operations? We make decisions about these, stack rank them using a variety of criteria, and allow that to drive our efforts to deploy countermeasures. Businesses that had a pandemic on their list of risks may not have had it as a high priority before this year. Circumstances will change our view of these things, which is why we also need to…
- Learn. After something adverse happens, we examine it and adjust our risk inventory and priorities. We add things that weren't there before, we knock things off the list or adjust priorities, and we update our list of controls when we learn that something is more effective—or less effective—than we expected. We're constantly re-examining our risk and making sure we're tracking and preparing for the right things.
Every business—even the critical ones that remained open during the quarantine—was impacted in some way by this pandemic. It's a good time for every business to reexamine its risk management program and get it on track while leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.