Some thoughts during COVID19 self isolation
Wayne Banks, CFO of Workday, recently shared a McKinsey article covering the CFO's role and responsibilities during the #COVID19 pandemic.
McKinsey's article touched on some areas related to IT resilience, digital transformation, and the manner in which we are all now so much more reliant on digital systems, as the working model for so many of us has shifted dramatically, and at scale, to a remote model.
VMware's Pat Gelsinger announced a move to working from home for all employees early as the pandemic accelerated, so I'm three weeks into the working from home experience. During that time huge portions of every one of my days have been back-to-back Zoom/WebEx/Teams/phone calls with VMware Carbon Black's existing customers, colleagues, business partners, and many cyber and IT leaders who are evaluating our solutions as a means to ensure that the cyber-related risks of their new working arrangements can be effectively mitigated (example).
Three weeks in, here are some observations that link back to key points of McKinsey's take:
Productivity and resilience
McKinsey research identifies that "a small subset of leading companies (we call them “resilients”) pursued productivity improvements more often and more frequently than others, creating the capacity for growth during recovery". An important aspect of resilience is business continuity planning that has been tested, and aligned to a cyber and holistic risk register. Arguably, the whole world going into pandemic lockdown would reasonably have been considered a scenario so unlikely that planning for it was not financially sensible.
Oops.
Most organisations seem to have now got through the stage 1 and 2 massive ramp of 'do what you need to', all-hands-to-the-pump IT effort to get everyone working from home.
It turns out almost no-one had a BCP that covered this contingency 100%, and those that thought they did discovered their plan didn't cater for the disaster scenario applying to all of society as well as to their own business functions and employees. McKinsey again: "Consider how business-process-outsourcing centers worldwide are reeling from lockdowns and limited bandwidth in their own countries (India and the Philippines, for instance), and think about the degree to which many of the critical processes they support have been disrupted."
A new cyber reality
It's one thing to plan for workers being off site; it's another to do that for 100% of your employees, many of whom don't have work-supplied mobile compute devices, while at the same time the supply chain and stock availability of new devices is also impacted.
As a result, workers are connecting in to corporate systems from a menagerie of home PCs and quickly assembled or relocated systems.
And they're connecting in via VPNs not scaled for the current needs, over private and public utility networks not scaled for almost every worker needing to work this way.
Security models that previously relied (to whatever degree) on the concept of a secure perimeter have suddenly been deperimeterised.
IT support models that previously relied on the ability of a support person to physically access end user compute devices have suddenly flipped to needing to remotely diagnose and manage 100% of the time.
Security and support models that relied on standard builds of OS and tools suddenly faced bedlam.
Security, support, and software delivery tool architectures that assumed devices were connected back to a central management server within the LAN/WAN most of the time, with a subset over a handful of VPN tunnels, suddenly didn't scale.
Measure, pivot, communicate, plan
McKinsey stresses the need to rapidly adapt the business to survive, thrive in the short term, grow in the future, and communicate clearly, accurately, and often.
Doing so places acute importance on the requirement for timely access to reliable and up-to-date data. This is true not just for the business leadership team, but for all employees.
Digitisation and digital transformation of processes have accelerated tremendously over the last few weeks in order to enable not just the remote working model, but also as businesses execute latent or stalled projects aimed at budget trimming and new market needs.
This change will not be temporary. McKinsey agrees: "(But) the ... use of digitization to help the company manage the crisis should not be considered a onetime event."; "The CFO and finance team should take a leadership position in advocating for the use of digitization across the organization, long after the crisis has passed."
Business reliance on cyber, already heavy, has just ratcheted up a whole lot and will continue to increase into the future. That comes, though, with increased risk exposure to cyber failure and digital systems disruption. GRC programs must be adapted accordingly.
Changed cyber risk landscape
Remember: denying system or data availability, degrading data integrity, and gaining advantage through breaching data confidentiality are the triad goals of attackers.
With remote working, critical data (and data within the scope of a myriad of data handling regulations and standards) is now being held on, and accessed from, systems that are literally in people's bedrooms, dining rooms, or whatever other rooms and spaces they have carved out for home working.
The physical layers (doors, locks, guards, cameras etc.) you may have relied upon previously to help secure your critical hard and soft assets have been replaced with a hardware-store-bought domestic front door lock.
Attackers thrive in chaos, unfortunately. In this new working model attackers are exploiting all our keen interest in and concern around COVID19 news to run scams.
They're also hitting hard in the knowledge that the technology mix we're using has suddenly shifted.
All those unmanaged and non-standard systems connecting remotely are an attacker's dream. All these new communications tools we're using are a whole new attack surface.
All the time cyber teams and IT support personnel are spending fire fighting means it's harder to detect and respond to attacks.
Cyber security must remain an elevated priority
With all that has happened and with all that is at stake, now is not the time to deprioritise projects related to cyber. The need to renew legacy approaches and technologies that have been left in place beyond their best-before dates has now been demonstrated.
Both preventative and detective cyber controls must be in place at a balanced level. So too must remediation capabilities that work at scale, and remotely.
Cloud native cyber solutions have proven their worth compared to many legacy 'central management server' models. The latter continue to have their place in air-gapped type networks, but for end user compute, cloud-based, and general datacentre use cases cloud native is the modern approach.
Cyber is not about technology, though; it is about people and processes. Cyber leadership must be a coequal branch of the executive leadership team, with investment tied to risk analysis and what-if scenario planning. The time is now to communicate and elevate cyber risk awareness to all employees, and through them to their families and social networks.
In closing
A lot has changed in both our personal and working lives. Many are facing severe health, livelihood, emotional, and physical risks. These risks are not short term, and we must ensure we support our colleagues, families, communities, and those most at risk.
Stay safe. Stay connected. Support each other.
Opinions expressed throughout are my own.
Wayne Banks