After the smoke clears and we’re all allowed to go to bars again, organizations will
be trying to answer a few questions. How well did we deal with this crisis?
What have we learned? What changes for us the next time we have a similar
crisis? Did what we just experienced inform our approach to any other
operational issues?
The security team has a particular responsibility in helping to answer these
questions. The mission of a security team is to protect a business from risk.
The risk of a pandemic eliminating supplies, services, and customers, as well
as forcing employees to stay home, etc., probably was not on the radar of most
businesses. It is now, though.
Risk management forces the business to do three things, all of which matter
where we are right now, in a heightened state of awareness:
- Anticipate risks. What things could impact our business's operations? We
can brainstorm, we can look at history, we can look at what’s happening to
other businesses in our industry or region, we can look at our operations and
list the conditions that would be detrimental to their success. All of these
activities should be inputs to our risk management effort. We won’t anticipate
everything, but we should do our best to be holistic.
- Prioritize risks. We need to answer the question, what risks would be the
most impactful to our operations? We make decisions about these, stack rank
them using a variety of criteria, and allow that to drive our efforts to deploy
countermeasures. Businesses that had a pandemic on their list of risks may not
have had it as a high priority before this year. Circumstances will change our
view of these things, which is why we also need to…
- Learn. After something adverse happens, we examine it and
adjust our risk inventory and priorities. We add things that weren’t there
before, we knock things off the list or adjust priorities, we update our list
of controls when we know something is more effective, or less effective, than we
expected. We’re constantly re-examining our risk and making sure we’re tracking
and preparing for the right things.
Every business, even the critical ones that remained open during the quarantine, was impacted in some way by this pandemic. It’s a good time for every business to reexamine its risk management program and get it on track while leadership buy-in is likely to be at an all-time high. Take advantage of the hyper-awareness of risk to move the maturity of your information security program forward.